Roles and Permissions
Overview
SageScreen uses a role-based access model layered on top of council-level data isolation. Every user has a role that determines what they can do, and a council assignment that determines what data they can see. No user can access another council's data unless they hold a global administrative role.
Roles fall into two categories: council roles (scoped to a single organization's data) and global roles (system-wide access for internal administration). Most users operate within council roles.
Council Roles
Council roles are the standard roles for organizations using SageScreen. Each council role is bound to a specific council, and the user can only interact with that council's sages, screens, candidates, and settings.
Council Admin
Full control of the council. This is the primary administrative role for an organization.
- Create, manage, and deploy Sages
- Create and manage Screens (invite, cancel, view results)
- View and download all reports and results
- Manage council settings and configuration
- Manage billing and account
- Add, edit, and remove users within the council
- Access all council-level features
Council Power User
Operational access without billing or council configuration control.
- Create, manage, and deploy Sages
- Create and manage Screens
- View and download reports and results
- Add and manage users (cannot edit Council Admins or global roles)
- No access to billing, account settings, or council configuration
Council Member
Read-only access to screening data.
- View Sages and their configurations
- View Screens and their statuses
- View reports and results
- No creation, editing, or management capabilities
- No access to billing, users, or settings
What Each Role Can Do
Note
* Council Power Users cannot edit users who hold the Council Admin role or any global role.
Council Isolation
All data in SageScreen is scoped to a council. Sages, screens, results, and user records are tagged with a council identifier, and all queries filter by the user's council context. This means:
- A Council Admin in Organization A cannot see Organization B's sages, screens, candidates, or results.
- Users cannot be moved between councils after assignment.
- Each council operates as a fully independent tenant.
Users who belong to multiple councils can switch between them, but they only see one council's data at a time. The active council determines what appears in every list, grid, and detail page.
User Management
Council Admins and Council Power Users can add users to their council. When creating a user, you assign their role (Council Admin, Council Power User, or Council Member) and their council membership. Role assignment determines their capabilities immediately.
Council Power Users have a restriction: they cannot edit or remove users who hold the Council Admin role or any global role. This prevents privilege escalation within the council.
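The Council Isolation and User Management rules above can be expressed as a single server-side check. This is an added sketch, not SageScreen's own code: the `Role`, `User`, `can_edit_user` and `scope_to_council` names are hypothetical, and `GLOBAL_ADMIN` is a placeholder because this page does not name the global roles.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    COUNCIL_ADMIN = "council_admin"
    COUNCIL_POWER_USER = "council_power_user"
    COUNCIL_MEMBER = "council_member"
    GLOBAL_ADMIN = "global_admin"  # placeholder: the page names no global roles

GLOBAL_ROLES = {Role.GLOBAL_ADMIN}

@dataclass(frozen=True)
class User:
    name: str
    role: Role
    council_id: str  # the user's active council context

def can_edit_user(actor: User, target: User) -> bool:
    """Return True if actor may edit or remove target."""
    if actor.role in GLOBAL_ROLES:
        return True  # assumption: global roles have system-wide access
    # Council isolation is checked first, before any role comparison.
    if actor.council_id != target.council_id:
        return False
    if actor.role is Role.COUNCIL_ADMIN:
        return True
    if actor.role is Role.COUNCIL_POWER_USER:
        # Escalation guard: Power Users never touch Council Admins or global roles.
        return target.role not in GLOBAL_ROLES | {Role.COUNCIL_ADMIN}
    return False  # Council Member is read-only

def scope_to_council(actor: User, records: list[dict]) -> list[dict]:
    """Filter council-tagged records down to the actor's active council."""
    if actor.role in GLOBAL_ROLES:
        return list(records)
    return [r for r in records if r["council_id"] == actor.council_id]

if __name__ == "__main__":
    # Constructed sample data for illustration only.
    power = User("pat", Role.COUNCIL_POWER_USER, "council-a")
    admin = User("ada", Role.COUNCIL_ADMIN, "council-a")
    rows = [{"id": 1, "council_id": "council-a"}, {"id": 2, "council_id": "council-b"}]
    print(can_edit_user(power, admin))    # Power User editing a Council Admin
    print(scope_to_council(power, rows))  # only council-a records remain
```

Evaluating the council match before the role comparison means a cross-council request is rejected on isolation grounds regardless of how privileged the actor is within their own council.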
Warning
Users are assigned to a council at creation and cannot be reassigned to a different council afterward. If a user needs to move to a different organization, they require a new account.
Role Upgrades
When a council transitions from a trial to a paid subscription, the account owner is automatically upgraded to Council Admin. This grants full administrative control over the council, including billing and user management, without manual intervention.
Tip
If you are a Council Power User and cannot edit a user, that user likely holds the Council Admin role. Only Council Admins can edit other Council Admins.