User Permissions & Sharing - PAI Help Center

#users #workspace #permissions #sharing The User Management page in PAI provides a centralized interface for administering all users within your organization. This feature allows administrators to control access, assign roles, and manage permissions for everyone using the platform. ## User Overview and Access - The User Management page displays all users associated with your organization - Click on any user's name to access their individual user page - User pages allow you to: - Review user information - Adjust role settings - Manage permissions ## User Roles and Permissions PAI offers a user permissions model by default: # PAI User Roles and Permissions | Permission Type | Workspace Owner | Workspace Admin | Project Admin | Guest | | ------------------------- | ----------------------------------------------------------- | ------------------------------------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------ | | **Access Scope** | Can see all projects | Can see all projects | Only sees projects user created or is assigned to | Only sees assigned projects | | **Campaign Access** | Full access to all campaigns | Full access to all campaigns | Only sees campaigns user created | Cannot see campaigns / cannot be assigned to campaigns | | **Rate Card Management** | Can modify rate card | Can modify rate card | No rate card access | No rate card access | | **User Management** | Can add/revoke/modify ALL users (including admins & owners) | Can add/revoke/modify all users EXCEPT admins & owners | No user management access | No user management access | | **Project Sharing** | Can assign any user to any project | Can assign any user to any project | No project sharing capabilities | No project sharing capabilities | | **Financial Access** | Full financial visibility | Full financial visibility | Full financial visibility | Limited financial visibility | | **Organization Settings** | Full access | Full access | No access | No access | | **AP/Payroll Access** | Can see organization-wide AP/Payroll | Can see organization-wide AP/Payroll | Can only see invoices/timecards from assigned projects via project tab | No access | | **Project Contacts** | Full access | Full access | Full access | Limited contact view | | **Tags** | Can Create / Modify / and apply tags to objects | Can Create / Modify / and apply tags to objects | Can only apply existing tags, cannot create | Can only apply existing tags, cannot create | ## Role Descriptions ### Workspace Owner The highest level of access with complete control over the workspace, including management of all users, projects, and system settings. Workspace Owners have unrestricted access to all features and can modify or revoke access for any user, including other admins and owners. ### Workspace Admin Extensive administrative privileges with access to all projects and system settings. Can manage most users but cannot modify or revoke access for other admins or owners. ### Project Admin Mid-level access focused on specific projects. Project Admins can only see and manage projects they created or are assigned to. They have limited organizational access but can manage financial aspects of their projects and handle project-specific contacts. ### Guest The most restricted role, providing limited access to only assigned projects. Guests cannot access campaigns, modify system settings, or manage other users. They are also unable to see the project estimate, opportunity, or financial tab or sidebar, essentially restricting them from knowing the external total of the project and its overall margin. This role is designed for temporary or external collaborators who need specific project access to manage the internal budget, call sheet, and post. Practical Example of the Guest User Role and their Visibility Level: <iframe src="https://drive.google.com/file/d/1BPpQMmSlm2bQCz7zSCv18XYCh0_B4Fg9/preview" width="640" height="480" allow="autoplay"></iframe> > [!info] Enterprise role customization > Enterprise users can request additional custom roles with various permission sets tailored to specific needs. This allows for more granular access control beyond the default roles. ## Adding New Users <iframe src="https://drive.google.com/file/d/1KGzHdFZDVIRpjC_2zTO15TFJf9s__Dil/preview" width="640" height="480" allow="autoplay"></iframe> *Adding new users to your workspace* To add a user to your organization: 1. Click the "Add User" button on the User Management page 2. Complete the required fields: - Email address - First name - Last name - Select appropriate user role 3. Choose to either: - Create the user (adds them to the system as a contact only) - Create and invite the user (sends invitation email) and allows the user to activate an account in the workspace. > [!tip] User onboarding > When adding new users, consider creating them first without sending invitations. This allows you to complete their project assignments and role configuration before they receive their welcome email. ## User Profile Information User profiles in PAI contain important details that appear in system-generated documents: - **Name**: Appears on documents they create or modify - **Email**: Used for system notifications and listed on call sheets - **Phone Number**: Included in contact sections of production documents - **Title/Position**: Displays in contact listings for reference ## User Invitations When a new user is invited: 1. They receive an invitation email from PAI 2. Following the link in the email, they confirm their email address 3. They create a password for their account 4. They complete their basic profile information 5. Once completed, they can log in and access PAI based on their assigned permissions ## Assigning Users to Projects, Campaigns, and Clients <iframe src="https://drive.google.com/file/d/1yXDfyAbuzDH4XWD1ykFnvPO7XgfWL4Jl/preview" width="640" height="480" allow="autoplay"></iframe> Project assignment and visibility explainer video PAI offers multiple methods for controlling user access to specific projects: ### Project Assignment Method For users with restricted access roles (like Project Admin or Guest): - Administrators must explicitly assign them to specific projects - Changes take effect immediately - Users with Workspace Owner or Workspace Admin roles do not need project assignments as they can access all projects ### Campaign Assignment Method For users with restricted access roles (like Project Admin or Guest): - Administrators must explicitly assign them to specific Campaigns - Changes take effect immediately - Users assigned to Campaigns will be shared on all projects assigned to the campaign, but will NOT be able to view the campaign itself. ### Client-Based Assignment PAI allows administrators to grant users access to all projects associated with a specific client: - Navigate to the client record you want to manage - Select the "Assignments" tab in the client view navigation menu - You'll see a list of "Assigned Users" - Type in a user's name to add them to the assign them to the client - Users with active assignments will automatically gain access to: - All existing projects for this client - All existing campaigns for this client - Any new projects or campaigns created for this client in the future - This provides a streamlined way to manage access for team members who consistently work with specific clients - Client assignments are particularly useful for: - Account managers responsible for all projects with a particular client - Creative teams dedicated to specific brands - Producers who manage all productions for certain clients > [!tip] Efficient access management Use client-based assignment when a user needs access to multiple projects for the same client. This eliminates the need to individually assign projects and automatically grants access to future projects for that client. ## Removing Users To remove a user from your organization: - Access the user page in Settings - Delete the user using the delete user function in the main table - This action immediately revokes the user's access to: - Your PAI organization - Any projects they were assigned to ![[user-delete-button.png]] > [!warning] Archive vs. delete > PAI uses archiving rather than deletion to preserve the record of user actions in project history. Archived users can't access the system, but their past contributions remain attributed to them in project records. ## User Authentication Settings ### Password Policies - PAI enforces passwords for all users - Regular password changes are encouraged but not enforced ### Two-Factor Authentication - PAI supports two-factor authentication (2FA) for enhanced security - Users receive a one-time password (OTP) code to their email for verification ## Activity Logging PAI maintains logs of user activity: - Document creation and modification - Estimate version updates - Invoice approvals These logs help maintain accountability and provide an audit trail of all actions taken within the system. ## Related Topics - [[Organization Settings|Organization Settings]] © 2025 PAI Tech, Inc. [paihq.com](https://www.paihq.com/)