Roles & access
16 system roles and 50+ permissions. Permission-based RBAC: code checks permissions, not role names — custom roles work just like system ones.
Principles
- Every access check happens at the permission level, never the role's name.
- Permissions are granular:
project.read,project.update,project.delete. - Custom roles are a set of permissions. An Admin creates them in
Settings → Roles. - Access is scoped by project, phase, or customer — not just by tenant.
System roles
- Admin
- Full workspace access, billing, security settings.
- Implementation Manager
- Manages projects: creates, assigns, closes phases. Sees every project.
- Implementation Engineer
- A technical role for integrations and configuration. Access to assigned projects.
- CS Manager
- Sees the CS metrics portfolio, doesn't edit tasks.
- Read-only Viewer
- View only. Handy for audits or executive reviews.
- Customer Owner
- The primary contact on the customer's side. Sees their whole project.
- Customer Contributor
- Fills out forms and closes their own tasks in the portal.
Permissions
The full list lives in Settings → Roles → Permissions catalog. Groups:
tenant.*— workspace management.project.*,phase.*,milestone.*,task.*form.*,file.*,comment.*customer.*,user.*automation.*,integration.*audit.read,billing.*
Creating a custom role
- Open
Settings → Roles → New role. - Name the role (e.g. “Implementation Lead”).
- Pick permissions from the catalog.
- Optionally: limit the scope (only tagged projects, only specific templates).
- Save it, and assign it to users as usual.
MFA is required for every role with billing.* or tenant.update. On Enterprise you can make MFA mandatory for everyone.
SSO and SCIM
OIDC and SAML SSO are available on Business+. SCIM auto-provisioning is on Enterprise. Mapping an IdP group to a Pegalio role is configured in Settings → SSO → Group Mapping.