PegaliodocsBack to home

Documentation/Administration

Roles & access

16 system roles and 50+ permissions. Permission-based RBAC: code checks permissions, not role names — custom roles work just like system ones.

Principles

  • Every access check happens at the permission level, never the role's name.
  • Permissions are granular: project.read, project.update, project.delete.
  • Custom roles are a set of permissions. An Admin creates them in Settings → Roles.
  • Access is scoped by project, phase, or customer — not just by tenant.

System roles

Admin
Full workspace access, billing, security settings.
Implementation Manager
Manages projects: creates, assigns, closes phases. Sees every project.
Implementation Engineer
A technical role for integrations and configuration. Access to assigned projects.
CS Manager
Sees the CS metrics portfolio, doesn't edit tasks.
Read-only Viewer
View only. Handy for audits or executive reviews.
Customer Owner
The primary contact on the customer's side. Sees their whole project.
Customer Contributor
Fills out forms and closes their own tasks in the portal.

Permissions

The full list lives in Settings → Roles → Permissions catalog. Groups:

  • tenant.* — workspace management.
  • project.*, phase.*, milestone.*, task.*
  • form.*, file.*, comment.*
  • customer.*, user.*
  • automation.*, integration.*
  • audit.read, billing.*

Creating a custom role

  1. Open Settings → Roles → New role.
  2. Name the role (e.g. “Implementation Lead”).
  3. Pick permissions from the catalog.
  4. Optionally: limit the scope (only tagged projects, only specific templates).
  5. Save it, and assign it to users as usual.
Security

MFA is required for every role with billing.* or tenant.update. On Enterprise you can make MFA mandatory for everyone.

SSO and SCIM

OIDC and SAML SSO are available on Business+. SCIM auto-provisioning is on Enterprise. Mapping an IdP group to a Pegalio role is configured in Settings → SSO → Group Mapping.