Access in Rollout has two layers: a workspace role that controls what you can administer, and per-item sharing that controls who can see and edit each Project, Document, Workflow, or other resource. Items start private to their owner and are shared deliberately.

Workspace roles

Every member of a workspace holds one role:

Role What it allows
Owner Everything an admin can do, plus the Danger zone (deleting the workspace).
Admin Workspace administration: members, billing, data model, audit log, and trash — plus full access to any item shared with a team or the workspace.
Member Day-to-day use: create work, and see and edit what they own or what is shared with them.

Admins and the owner can open every team and every item shared with a team or the whole workspace. Nobody — including admins — can open another person’s private items.

Managing members

Admins manage membership on the Members page in Settings:

  • Invite member sends an email invitation with a workspace role of Member or Admin. Team membership is managed separately on team pages.
  • Switch a member between Member and Admin with the role selector. The workspace owner’s role can’t be changed here.
  • Suspend removes a member’s access immediately; Activate brings them back. Remove takes them out of the workspace.
  • Pending invites can be re-sent or revoked.
  • At least one active admin must remain, and you can’t demote yourself if you’re the last one.

Settings access by role

  • All members: General (view), Agents, Usage, Connections, Secrets, Devices, and Runtime policy (view). Admin-only controls on these pages render read-only.
  • Admins: Members, Cycles, Audit log, Billing, Trash, Data model, and Task configuration, plus editing the workspace name and Runtime policy.
  • Owner: the Danger zone. Deleting the workspace also requires a recent sign-in.

Item visibility

Every shareable item has an owner and one of three visibility levels:

  • Private — only the owner. The default for new items.
  • Team — shared with one or more teams. What a teammate can do depends on their role in that team.
  • Workspace — everyone in the workspace can view it. Editing still requires being the item’s owner or a workspace admin.

Not every item supports every level:

Item Private Team Workspace
Project
Objective
Document
Workflow
Record type (applies to its records)
Activity feed post

Where to change sharing

  • Projects and Objectives: the access selector in the create/edit form.
  • Documents: the details sidebar on the document page, which also shows the owner.
  • Workflows: the workflow settings sidebar in the editor.
  • Records: records inherit access from their record type. Set Records access on the record type page under Settings > Data model; sharing with a team applies to every record of that type.
  • Feed posts: choose Who can see this? when sharing a post.

Changing an item’s sharing or owner requires manage access: you must be its owner, a workspace admin (for non-private items), or an admin of a team the item is shared with.

Items that follow their container

Some items have no sharing controls of their own — they follow the item that contains them:

  • Tasks follow their Project. A Task with no Project is personal: only its creator sees it.
  • Milestones follow their Project.
  • Key results follow their Objective.
  • Records follow their record type.

Team roles

Sharing with a team grants access based on each person’s role in that team:

Team role Can
Viewer View shared items
Member View and edit shared items
Admin View, edit, delete, and manage sharing, plus manage the team itself

Teams can be nested. Membership in a parent team carries down, so someone on a parent team has the same access to items shared with its sub-teams. Workspace admins can create top-level teams; team admins can create sub-teams under teams they manage.

See Projects, Tasks & Teams for creating teams and managing their members. Teams may not be enabled in every workspace yet.

Sharing operational resources

Connections, secrets, devices, and agent identities use the same private / team / workspace model with stricter rules, because they carry credentials and capabilities:

  • Each is private to its owner until shared. Share them from their pages in Settings, such as Connections and Secrets.
  • Sharing with a team lets that team (and parent teams) use the resource; sharing with the workspace lets everyone use it.
  • Workspace admins get no implicit access: an admin can manage one of these resources only after it is shared with the whole workspace. Team-shared resources are managed by their owner or that team’s admins.
  • Transferring ownership is limited to the current owner, or a workspace admin once the resource is workspace-shared.

See Security for how credentials and secret values are protected.

Trash and restoring

Deleting a Workflow or Project archives it instead of destroying it. Admins can bring items back from Trash in Settings:

  • Each row shows when the item was archived and when it will be permanently deleted.
  • Restore brings an item back exactly as it was. Archived Workflows keep their Runs, and a restored Workflow’s Triggers re-arm only if the Workflow is enabled.
  • Archived labels, record types, and field sets are restored from their own settings pages instead.
  • Archived secrets can’t be restored, and deleting a Connection is permanent.

Troubleshooting

A teammate can’t see something you shared

  • Check the item’s visibility — private items are visible only to their owner.
  • For team-shared items, confirm they are an active member of that team or one of its parent teams.
  • Suspended members lose access immediately, even to items shared with them.

You can’t change an item’s sharing

  • Only the owner, a workspace admin (for non-private items), or an admin of a team the item is shared with can manage access.

An item disappeared

  • It may have been archived. An admin can check Trash for Workflows and Projects.