Roles and permissions

The three roles (Owner, Admin, Member)

HighAdvocacy uses three roles. Each user has exactly one role per workspace. Permissions are enforced on the backend; what you see in the UI is just a layer on top.

  • Owner is an account-level role. Owners have implicit access to every workspace in the account, can manage account settings, can create and delete workspaces, and cannot be removed from any workspace. An account can have more than one Owner.
  • Admin is a workspace-level role. Admins manage day-to-day operations inside the workspaces they belong to: settings, notifications, users, and campaigns. Admins do not see account settings or the account user directory.
  • Member is a workspace-level role. Members can view the workspace and approve or reject submissions, but cannot create or edit campaigns, cannot manage users, and do not see workspace settings.

A user can hold different roles in different workspaces. Someone might be Admin in one workspace and Member in another. Roles do not cascade across workspaces unless the user is an Owner.

What each role can do (full matrix)

The matrix below covers every protected action.

| Capability | Owner | Admin | Member |
|---|---|---|---|
| View account settings | Yes | No | No |
| Manage account-level user directory | Yes | No | No |
| Create workspace | Yes | No | No |
| Delete workspace | Yes | No | No |
| View workspace | Yes (all) | Yes (assigned only) | Yes (assigned only) |
| Edit workspace settings (General, Profile, Security, Users) | Yes | Yes | No |
| Edit notification settings (End-user, Team alerts, Integrations) | Yes | Yes | No |
| Invite users to workspace | Yes | Yes | No |
| Assign workspace roles (Admin, Member) | Yes | Yes | No |
| Promote a teammate to Owner | Yes | No | No |
| Remove users from workspace | Yes | Yes (except Owner) | No |
| Create campaign | Yes | Yes | No |
| Edit campaign | Yes | Yes | No |
| Enable or disable campaign | Yes | Yes | No |
| Approve submission | Yes | Yes | Yes |
| Reject submission | Yes | Yes | Yes |

Forbidden actions are hidden in the UI, not just disabled. A Member will not see a Create campaign button at all, rather than see a greyed-out one.

[Figure: the permission matrix as it appears in the product]

Account-level vs workspace-level scope

The split between account-level and workspace-level matters because it explains why some surfaces only show up for some users.

  • Account-level surfaces include account settings, the account-level user directory, workspace creation, and workspace delete. Only Owner can access these. They live above the workspace switcher.
  • Workspace-level surfaces include workspace settings, notifications, users, campaigns, and submissions. Owner sees these in every workspace. Admin and Member see them only in workspaces they belong to.

Members and Admins logging in with no workspace assignments at all are signed out with an access-removed message. The product does not keep users with zero workspace memberships in the account directory.

Multiple Owners on one account

HighAdvocacy supports more than one Owner per account. This is intentional: a single-Owner account is fragile if that person is out, has lost access, or leaves the company.

Multiple Owners share full account-level power. Each Owner:

  • Has implicit access to every workspace, including ones they did not create.
  • Can manage account settings and the account user directory.
  • Can create, delete, and restore workspaces.
  • Can promote an Admin to Owner.
  • Cannot be removed from any workspace.

Promotion to Owner is how new Owners are added; there is no separate Owner invite. The Admin must already exist in the account before they can be promoted. Demotion follows the same path in reverse: an Owner can be demoted back to Admin as long as the account still has at least one remaining Owner.

There is no transfer step. Ownership is additive: promoting someone to Owner does not change anyone else’s role.

Role changes mid-session

When you change someone’s role while they are signed in, the new permissions apply on the next authorization check, which usually means their next page navigation or API call.

In practice, this means:

  • A demoted user is redirected away from any page they no longer have access to, the next time they try to use it.
  • An upgraded user does not need to sign back in. New menu items and actions appear on their next page load.
  • Hidden actions are hidden again, not greyed out. The UI re-renders against the new role.

You do not need to ask the affected user to refresh or sign out. The redirect happens automatically.
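The matrix, the account-versus-workspace scope split and the per-request re-evaluation described above can be modelled as one backend check. This is an added example, not HighAdvocacy's own code; the action names, the `User` class and both functions are constructed for illustration.

```python
from dataclasses import dataclass, field

# Action names are constructed shorthand for rows of the matrix above.
ACCOUNT_ACTIONS = {"view_account_settings", "manage_account_directory",
                   "create_workspace", "delete_workspace", "promote_to_owner"}
ADMIN_ACTIONS = {"edit_workspace_settings", "edit_notification_settings",
                 "invite_user", "assign_workspace_role", "remove_user",
                 "create_campaign", "edit_campaign", "toggle_campaign"}
MEMBER_ACTIONS = {"view_workspace", "approve_submission", "reject_submission"}


@dataclass
class User:
    name: str
    is_owner: bool = False                           # account-level role
    workspaces: dict = field(default_factory=dict)   # workspace id -> "admin" | "member"


def is_allowed(actor, action, workspace=None, target=None):
    """Decide one request from the actor's current role; unknown input is denied."""
    if action in ACCOUNT_ACTIONS:
        return actor.is_owner                        # account scope is Owner-only
    if action not in ADMIN_ACTIONS | MEMBER_ACTIONS or workspace is None:
        return False
    if action == "remove_user" and target is not None and target.is_owner:
        return False                                 # an Owner cannot be removed
    if actor.is_owner:
        return True                                  # implicit access to every workspace
    role = actor.workspaces.get(workspace)           # None when not assigned here
    if role == "admin":
        return True
    return role == "member" and action in MEMBER_ACTIONS


def visible_actions(actor, workspace):
    """What the UI may render: derived from the same check, never the reverse."""
    every = ACCOUNT_ACTIONS | ADMIN_ACTIONS | MEMBER_ACTIONS
    return {a for a in every if is_allowed(actor, a, workspace)}
```

Because the role is read on every call rather than cached in the session, a demotion takes effect on the very next request, and the UI layer only ever reflects what the backend check already decided.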

When a teammate loses access entirely

A user who is removed from their last workspace is removed from the account directory at the same time. The product does not keep accounts with zero workspace memberships sitting around.

If that user is signed in when this happens, they are signed out on the next authorization check with an access-removed message. They will need a fresh invite to return.

Owners are an exception: an Owner cannot be removed from any workspace and cannot have their last workspace stripped away. To remove an Owner from the account, demote them to Admin first, then remove them from workspaces in the normal way.

How to promote, demote, or remove someone

  • Promote Admin to Owner. From the account user directory, open the user and change their role to Owner. They immediately gain access to every workspace in the account. Owner-only.
  • Demote Owner to Admin. From the account user directory, open the Owner and change their role to Admin. The account must keep at least one Owner. Their workspace memberships are preserved, but they lose implicit access to workspaces they were not explicitly added to. Owner-only.
  • Change Admin to Member (or vice versa) inside a workspace. From the workspace users area, open the user and change their role. This affects only that workspace. Owner or Admin.
  • Remove a user from a workspace. From the workspace users area, remove them. If that was their last workspace, they are also removed from the account. Owner or Admin (Admins cannot remove an Owner).

Every role change is recorded in the audit log along with the actor, the target, the workspace if applicable, and the before-and-after roles.
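The promote, demote and remove rules above, with their invariants and the audit record, as a small state model. This is an added example, not HighAdvocacy's own code; the `Account` class, its method names and the record fields are constructed for illustration.

```python
class Account:
    """Toy model of the role-change rules; every name here is constructed."""

    def __init__(self, owners, memberships):
        self.owners = set(owners)                  # account-level Owners
        self.memberships = memberships             # user -> {workspace: "admin" | "member"}
        self.audit = []                            # append-only role-change records

    def _record(self, actor, target, workspace, before, after):
        self.audit.append({"actor": actor, "target": target,
                           "workspace": workspace, "before": before, "after": after})

    def _require_owner(self, actor):
        if actor not in self.owners:
            raise PermissionError("Owner-only action")

    def promote_to_owner(self, actor, target):
        self._require_owner(actor)
        if "admin" not in self.memberships.get(target, {}).values():
            raise ValueError("only an existing Admin can be promoted")
        self.owners.add(target)                    # additive: no other role changes
        self._record(actor, target, None, "admin", "owner")

    def demote_owner(self, actor, target):
        self._require_owner(actor)
        if target not in self.owners:
            raise ValueError("target is not an Owner")
        if len(self.owners) == 1:
            raise ValueError("the account must keep at least one Owner")
        self.owners.remove(target)                 # explicit memberships are kept
        self._record(actor, target, None, "owner", "admin")

    def remove_from_workspace(self, actor, target, workspace):
        is_admin_here = self.memberships.get(actor, {}).get(workspace) == "admin"
        if actor not in self.owners and not is_admin_here:
            raise PermissionError("Owner or Admin of this workspace required")
        if target in self.owners:
            raise PermissionError("demote the Owner before removing them")
        if workspace not in self.memberships.get(target, {}):
            raise ValueError("target is not in this workspace")
        before = self.memberships[target].pop(workspace)
        self._record(actor, target, workspace, before, None)
        if not self.memberships[target]:           # that was their last workspace
            del self.memberships[target]           # so they leave the account too
        return target in self.memberships          # True if still in the directory
```

Rejected operations raise before anything is recorded, so the audit list holds only role changes that actually happened.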

For step-by-step invite instructions, see Invite teammates.
