Every workspace member has a role that controls what they can change. The app enforces permissions on the server; the matrix in Members settings is the reference for day-to-day work.
Owner, Admin, Member, Viewer
Owner created the workspace. There is one owner. Owners can edit workspace settings, manage members, configure integrations, and edit all content. Only the owner can remove the workspace.
Admin matches owner for most management tasks (settings, members, integrations, content) but cannot remove the workspace.
Member can create and edit cards, canvases, teams, labels, comments, and board work. Members cannot open workspace settings or change membership.
Viewer can read workspace content (canvases they can access, cards, boards, comments) but cannot create or edit.
Permission matrix
In Workspace Settings → Members, click What can each role do? for the full table grouped by area: workspace and members, teams and boards, cards and labels, canvases, attachments and integrations.
Use it when deciding which role to assign on invite. The backend always wins if the UI and matrix ever disagree.
Content vs administration
Content permissions cover everyday planning: cards, canvas layout, team boards, labels, attachments on cards you can edit.
Administration covers workspace name, members, Git integration secrets, and Advisor workspace notes. Give Admin only to people you trust with membership and tokens.
Canvas owner (private canvases)
Private canvas visibility and sharing are controlled by the canvas owner, not by workspace Admin alone. Admins can still manage workspace-wide lists in settings, but opening a private canvas you were not shared on is blocked.
See Private canvases for how sharing interacts with roles.
Change someone’s role
Owners and admins change roles on the Current members tab. You cannot demote or remove the workspace owner through the UI.
Lowering someone to Viewer is immediate: they keep read access but lose edit actions on the next interaction.