Users-and-Permissions - PAI Help Center

# Users and Permissions PAI has four user roles. The role you assign determines what a user can see and do across the entire workspace. This page covers the role model, how to add and remove users, and how to control access to specific projects. --- ## User Roles | Permission | Workspace Owner | Workspace Admin | Project Admin | Guest | |---|---|---|---|---| | **Project visibility** | All projects | All projects | Only projects created or assigned to | Only assigned projects | | **Campaign access** | Full | Full | Only campaigns they created | None | | **Rate card** | Can modify | Can modify | No access | No access | | **User management** | All users including admins and owners | All users except admins and owners | None | None | | **Project sharing** | Can assign any user | Can assign any user | None | None | | **Financial visibility** | Full | Full | Full | Limited | | **Organization Settings** | Full | Full | None | None | | **Payroll / AP access** | Organization-wide | Organization-wide | Assigned projects only (via project tab) | None | | **Contacts** | Full | Full | Full | Limited view | | **Tags** | Create, modify, apply | Create, modify, apply | Apply existing only | Apply existing only | ### Workspace Owner Full control over the workspace — all users, all projects, all settings. Can modify or revoke access for any user including other owners and admins. Typically limited to account holders or senior administrators. ### Workspace Admin Extensive administrative access to all projects and settings. Can manage most users but cannot modify or revoke access for other admins or owners. The appropriate role for operations managers and department leads who need full visibility without owner-level control. ### Project Admin Focused access to the projects they created or have been assigned to. Full financial visibility on their projects. Cannot access organization settings, manage other users, or see projects they haven't been assigned to. The standard role for producers and project managers. ### Guest The most restricted role. Can only access projects they've been explicitly assigned to, with limited financial visibility — specifically, they cannot see the estimate, opportunity, or financial tabs, which means they don't have visibility into the external total or overall margin. Designed for external collaborators or team members who need to work within a project (budget, call sheets, post) without seeing client-facing financial details. > [!note] > Enterprise accounts can request additional custom roles with tailored permission sets. Contact [email protected] for details. --- ## Adding Users 1. Go to **Settings → Users** 2. Click **Add User** 3. Enter the user's email, first name, last name, and select their role 4. Choose an invitation method: - **Create Only** — adds the user to the system as a contact without granting login access. Useful for users who need to exist as assignees or contacts before they're ready to log in. - **Create and Invite** — sends an invitation email immediately so the user can activate their account. > [!tip] > Consider creating users without inviting them first. This lets you complete their project assignments and role configuration before they receive their welcome email. --- ## Removing Users To remove a user, access their record in **Settings → Users** and use the delete action in the table. Deletion immediately revokes all access to your organization and any projects they were assigned to. > [!warning] > PAI archives rather than permanently deletes user records, which preserves the history of their actions in project records. An archived user cannot log in, but their past contributions remain attributed to them. --- ## Assigning Access to Projects For users with restricted roles (Project Admin or Guest), you control which projects they can see through one of three assignment methods. ### By Project Assign a user directly to a specific project. Navigate to the project and add them as a contact or collaborator. Changes take effect immediately. Workspace Owners and Admins don't need project assignments — they can see everything. ### By Campaign Assign a user to a Campaign. They'll automatically gain access to all projects within that campaign. Note: campaign-assigned users can see the individual projects but cannot view the campaign itself. ### By Client Assign a user to a client record and they'll automatically gain access to all existing and future projects associated with that client. 1. Navigate to the client record 2. Open the **Assignments** tab 3. Type the user's name to assign them This is the most efficient method for team members who consistently work with a specific client — account managers, dedicated creative teams, or producers who run all productions for a particular brand. It eliminates the need to manually assign new projects as they're created. --- ## Authentication PAI requires two-factor authentication for all users by default. After entering their password, users receive a one-time code to their email to complete login. Organizations using Single Sign-On (SSO) bypass the standard login flow — users are redirected to their identity provider instead. --- ## Activity Logging PAI maintains an audit log of user actions, including document creation and modification, estimate version updates, and invoice approvals. This provides an accountability trail across the workspace.