Users-and-Permissions - PAI Help Center

# Users and Permissions PAI has four user roles. The role you assign determines what a user can see and do across the entire workspace. This page covers the role model, how to add and remove users, and how to control access to specific projects. --- ## Adding Users 1. Go to **Settings → Users** 2. Click **Add User** 3. Choose the account type: - **Workspace User** — grants login access. Select this for anyone who needs to work in PAI directly. - **Staff Record** — no login access, but the person can be assigned to projects and call sheets. Select this for contacts you want to track without giving them app permissions. 4. Fill in the details. Both types require email, first name, and last name. Phone and title are optional. 5. For Workspace Users, also select a **Role** and optionally set an **Account Expiration** date. The right panel previews the permissions for the selected role as you configure them. Click **Create & Invite User** — an invitation email goes out immediately so the user can activate their account. 6. For Staff Records, click **Create Staff Record**. No invitation is sent. > [!tip] > If you want to finish project assignments before a new workspace user receives their welcome email, you can create them as a Staff Record first, then convert or recreate them as a Workspace User when you're ready to give them access. --- ## User Roles | Permission | Workspace Owner | Workspace Admin | Project Admin | Guest | |---|---|---|---|---| | **Project visibility** | All projects | All projects | Only projects created or assigned to | Only assigned projects | | **Campaign access** | Full | Full | Only campaigns they created | None | | **Rate card** | Can modify | Can modify | No access | No access | | **User management** | All users including admins and owners | All users except admins and owners | None | None | | **Project sharing** | Can assign any user | Can assign any user | None | None | | **Financial visibility** | Full | Full | Full | Limited | | **Organization Settings** | Full | Full | None | None | | **Payroll / AP access** | Organization-wide | Organization-wide | Assigned projects only (via project tab) | None | | **Contacts** | Full | Full | Full | Limited view | | **Tags** | Create, modify, apply | Create, modify, apply | Apply existing only | Apply existing only | ### Workspace Owner Full control over the workspace — all users, all projects, all settings. Can modify or revoke access for any user including other owners and admins. Typically limited to account holders or senior administrators. ### Workspace Admin Extensive administrative access to all projects and settings. Can manage most users but cannot modify or revoke access for other admins or owners. The appropriate role for operations managers and department leads who need full visibility without owner-level control. ### Project Admin Focused access to the projects they created or have been assigned to. Full financial visibility on their projects. Cannot access organization settings, manage other users, or see projects they haven't been assigned to. The standard role for producers and project managers. ### Guest The most restricted role. Can only access projects they've been explicitly assigned to, with limited financial visibility — specifically, they cannot see the estimate, opportunity, or financial tabs, which means they don't have visibility into the external total or overall margin. Designed for external collaborators or team members who need to work within a project (budget, call sheets, post) without seeing client-facing financial details. > [!note] > Enterprise accounts can request additional custom roles with tailored permission sets. Contact [email protected] for details. --- ## Removing Users To remove a user, access their record in **Settings → Users** and use the delete action in the table. Deletion immediately revokes all access to your organization and any projects they were assigned to. > [!warning] > PAI archives rather than permanently deletes user records, which preserves the history of their actions in project records. An archived user cannot log in, but their past contributions remain attributed to them. --- ## Assigning Access to Projects For users with restricted roles (Project Admin or Guest), you control which projects they can see through one of three assignment methods. ### By Project Assign a user directly to a specific project. Navigate to the project and add them as a contact or collaborator. Changes take effect immediately. Workspace Owners and Admins don't need project assignments — they can see everything. ### By Campaign Assign a user to a Campaign. They'll automatically gain access to all projects within that campaign. Note: campaign-assigned users can see the individual projects but cannot view the campaign itself. ### By Client Assign a user to a client record and they'll automatically gain access to all existing and future projects associated with that client. 1. Navigate to the client record 2. Open the **Assignments** tab 3. Type the user's name to assign them This is the most efficient method for team members who consistently work with a specific client — account managers, dedicated creative teams, or producers who run all productions for a particular brand. It eliminates the need to manually assign new projects as they're created. --- ## Authentication PAI requires two-factor authentication for all users by default. After entering their password, users receive a one-time code to their email to complete login. Organizations using Single Sign-On (SSO) bypass the standard login flow — users are redirected to their identity provider instead. --- ## Activity Logging PAI maintains an audit log of user actions, including document creation and modification, estimate version updates, and invoice approvals. This provides an accountability trail across the workspace.