Workspace roles and permissions

Audience: Workspace Admins, security and compliance staff defining access policies, and team leads scoping permissions for new joiners.

Overview

Workspaces use role-based access control (RBAC). Every member is assigned exactly one of three roles. Roles govern what a member can see and do at the Workspace level. Roles do not grant signing authority over any linked Safe. Signing authority continues to be governed by the Safe contract’s owner set and threshold.

The three roles

Admin

Admins manage the Workspace itself. They can:

• Invite, remove, and change the roles of members

• Link and unlink Safes

• Edit the shared address book

• Configure Workspace settings (name, logo, security policies)

• View all Workspace activity

The Workspace creator is an Admin by default. We recommend at least two Admins per Workspace to avoid lockout if one Admin loses access.

Member

Members participate in day-to-day operations. They can:

• View all linked Safes, balances, and pending transactions

• Initiate Safe transactions (subject to Safe owner approval at signing time)

• Use the shared address book

• Comment on transactions and coordinate with other members

• View other Workspace members

Members cannot invite or remove other members, change roles, or modify Workspace settings.

Permission matrix

Note that the Sign Safe transactions row is governed by the Safe contract, not the Workspace. Only addresses listed as Safe owners can sign, regardless of Workspace role.

Changing a member’s role

1. Open the Members tab.

2. Locate the member and select the role dropdown next to their name.

3. Choose the new role and confirm.

The affected member is notified by email. Role changes take effect immediately.

Recommended role policies

• CFO / Finance lead — Member or Admin, depending on whether they manage other team members

• Treasury operator — Member

• Compliance / audit — Viewer

• External advisor or board observer — Viewer

• Engineering / DevOps managing automation — Member