PPM Role Hierarchy

The PPM module uses a layered role system that combines tenant-level permissions with project-level roles. This page explains how the roles relate to each other and what each role can do.

Two layers of access

Access to PPM data is controlled at two levels:

  1. Tenant level — determines whether a user can see PPM features at all
  2. Project level — determines what a user can do within a specific project

A user must have appropriate access at both levels to interact with a project's work items.

Tenant-level roles

Every user in the system has a tenant-level role that provides baseline PPM access:

Role            PPM access
Tenant staff    Can see the PPM menu and be added to projects. Cannot see any project data until explicitly added as a project member.
External user   Cannot see the PPM menu by default. Can only see projects where they have been explicitly granted the Project external role.

Tenant staff are internal team members — employees, contractors, or other users who belong to the organisation. External users are people outside the organisation who may need limited visibility into specific projects (e.g. a client reviewing progress).

Project-level roles

When a user is added to a project, they are assigned one of these roles:

Role                    Capabilities
Project administrator   Full control: manage members, configure statuses and categories, create milestones, delete the project. Can see all work items, including confidential ones.
Project user            Create, edit, and manage work items. Can see all non-confidential work items, plus confidential items they are assigned to, watching, or explicitly granted access to.
Project viewer          Read-only access. Can see all non-confidential work items and confidential items they are explicitly granted access to. Cannot create or edit work items.
Project external        Limited read-only access for external users. Can see non-confidential work items and confidential items they are explicitly granted access to. Designed for client or stakeholder visibility.

How the roles layer together

The effective permissions for a user are the intersection of their tenant-level and project-level roles, so both layers must grant access:

Tenant staff + Project administrator   →  Full project control
Tenant staff + Project user            →  Create and manage work items
Tenant staff + Project viewer          →  Read-only access
Tenant staff + (no project role)       →  Cannot see the project at all
External user + Project external       →  Limited read-only access
External user + (no project role)      →  Cannot see PPM at all

This means that being a tenant staff member does not automatically grant access to any project. Each project explicitly controls its membership, and users only see data for projects they belong to.

Confidentiality interaction

The confidential flag on work items adds a further layer on top of roles. Even within a project, a confidential work item is only visible to:

  • Project administrators (always)
  • The work item's assignee
  • Users watching the work item
  • Users explicitly granted access via authorisation tuples

A project user or viewer who is not in one of these groups will not see the confidential item in lists or search results. For more detail, see Confidentiality.
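The two-layer decision described under "How the roles layer together" and the confidentiality rules above, as an added Python example that is not the PPM module's own code; the dataclasses, the role constants, and the `grants` set standing in for authorisation tuples are assumptions made for the illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Role names are assumed for this example, not taken from the PPM module
TENANT_STAFF, EXTERNAL_USER = "tenant_staff", "external_user"
ADMIN, USER, VIEWER, EXTERNAL = "administrator", "user", "viewer", "external"


@dataclass(frozen=True)
class User:
    name: str
    tenant_role: str


@dataclass
class Project:
    members: Dict[str, str] = field(default_factory=dict)  # user name -> project role


@dataclass
class WorkItem:
    project: Project
    confidential: bool = False
    assignee: Optional[str] = None
    watchers: FrozenSet[str] = frozenset()
    grants: FrozenSet[str] = frozenset()  # stands in for authorisation tuples


def project_role(user: User, project: Project) -> Optional[str]:
    """Tenant layer first, then project layer; None means the project is invisible."""
    role = project.members.get(user.name)
    if user.tenant_role == EXTERNAL_USER and role != EXTERNAL:
        return None  # external users only ever see a project via the Project external role
    return role


def can_view(user: User, item: WorkItem) -> bool:
    """Deny by default; a confidential item needs admin, assignee, watcher or explicit grant."""
    role = project_role(user, item.project)
    if role is None:
        return False
    if not item.confidential or role == ADMIN:
        return True
    return user.name in {item.assignee, *item.watchers, *item.grants}


def can_edit(user: User, item: WorkItem) -> bool:
    """Only administrators and project users may edit, and only items they can see."""
    return project_role(user, item.project) in (ADMIN, USER) and can_view(user, item)
```

Checking visibility and edit rights through one function keeps the confidential filter consistent across lists, search results and individual item views.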