Share your product feedback

Add a new idea Subscribe
Status Future consideration
Categories Account settings Application
Created by Terence Osmeña
Created on Mar 18, 2026

RELATED IDEAS

Extend and enhance workspace custom roles to work similar to account custom roles

What is the challenge?

  • Currently, a user's workspace user permission will trump any workspace custom role permissions

  • All owner and contributor workspace actions are not included in custom roles (i.e. create record). This means workspace custom roles works differently to account custom roles and does not allow me to define every single user permission action a workspace contributor can do

  • If I want to give a specific contributor user access to one thing (i.e. promote ideas), their contributor access still allows them to create records as I cannot "uncheck" that in the workspace custom role

What is the impact?

  • Misunderstanding in how account custom roles and workspace custom roles work

  • Cannot define exact "workspace" roles if I want to limit it to a very short list of tasks and activities i.e. promote ideas

Describe your idea.

  • Support all potential actions that a workspace owner/contributor can do within the list of custom roles, similar to account admin custom roles

  • Attach files
  • Erik Baerresen
    Apr 1, 2026

    What is the challenge?

    Workspace custom roles in Aha! Roadmaps do not provide full control over user capabilities because base workspace permissions (e.g., Contributor, Owner) override custom role restrictions.

    Specifically:

    • Core actions tied to base roles (such as creating records, editing records, and converting records) are not exposed as configurable options within workspace custom roles

    • Custom roles only control a subset of actions (often UI-level or workflow-specific), rather than the underlying capabilities

    • This creates a mismatch between:

      • Account custom roles, which allow granular control over permissions

      • Workspace custom roles, which are constrained by base role behavior

    As a result, administrators cannot fully define or restrict what a user can do within a workspace.

    Example scenario:

    • A user is assigned as a Contributor to allow limited editing

    • A custom role is configured to allow only “Promote ideas”

    • However, the user can still:

      • Create features or other records

      • Effectively bypass intended restrictions

    This happens because “create record” and similar foundational permissions cannot be disabled in workspace custom roles.

    What is the impact?

    1. Lack of true least-privilege access

    Administrators cannot enforce narrowly scoped roles such as:

    • “Can only promote ideas”

    • “Can only edit goals”

    • “Can only update specific record types”

    2. Inconsistent permission model

    • Account-level custom roles allow fine-grained control

    • Workspace-level custom roles do not

    • This inconsistency leads to confusion and misconfiguration

    3. Increased risk of unintended changes

    Users may:

    • Create or modify records outside their intended scope

    • Perform actions indirectly that were meant to be restricted

    4. Workarounds increase complexity

    Teams are forced to:

    • Restructure workspaces

    • Restrict visibility instead of permissions

    • Rely on process/training instead of system enforcement

    Describe your idea

    Enhance workspace custom roles to support full, granular permission control over all workspace actions, similar to account custom roles.

    Key capabilities to include:

    1. Expose all base role actions as configurable permissions

    Allow administrators to explicitly enable/disable:

    • Create record (by record type: ideas, features, goals, etc.)

    • Edit record (by type and/or field-level if possible)

    • Delete record

    • Convert records (e.g., idea → feature)

    • Link or associate records

    2. Allow custom roles to override base permissions

    • Custom roles should act as the source of truth, not a secondary layer

    • Base roles (Viewer, Contributor, Owner) should become:

      • Either fully configurable templates

      • Or optional starting points that can be completely overridden

    3. Align workspace and account permission models

    • Provide consistent behavior and expectations across both levels

    • Reduce confusion by using the same permission philosophy and structure

    4. Improve UI clarity

    • Clearly indicate:

      • Which permissions are inherited from base roles

      • Which are explicitly granted or denied

    • Ensure that disabling a permission:

      • Removes both the capability and the UI entry point (e.g., buttons)

    Expected outcome

    • Administrators can define true least-privilege roles

    • Permissions behave predictably and consistently

    • Reduced reliance on structural workarounds and manual governance

    • Increased confidence in access control and system integrity

    Reply
Idea management by Aha!
Create your own ideas portal to crowdsource feedback
© 2026 Aha! Labs Inc.All rights reserved