Permissions

Atomic gives fine grained control of the permissions assigned to team members, so you can configure them to match your organization’s roles.

Permissions overview

Workbench team members can be assigned to one or more groups. Each group has access to roles. Each Role gives access to specific resources. We’ll cover what each of these different levels of access are in detail below, so you can configure your account to best suit your organization.

By default a new Atomic organization comes with three roles (Owner, Admin, and Editor), each with default permission levels outlined in the Permissions for default roles table.

Resource

There are many different resource types in the Atomic Workbench which Workbench members can interact with.

Each resource type has up to three permissions, which specify the actions that can be taken by the member for that resource:

View
Edit
Admin

Some resources only offer a limited set of actions, for example 'Activity log' can only be viewed.

See the Permissions resources section for a description of each different resource and the access available.

Role

A role is a collection of one or more permissions. For example, a custom role called "Card editor" could have the permission to edit the card templates resource as well as the permission to view the theme resource.

Create a role

In the Workbench Members area, select the ‘Role’ tab, select ‘Create new role’
Give the new role a name and description
Select each resources and its corresponding permission level
Select ‘Create role’

Update a role

Select the role from the Workbench Members area.
Make the required changes (add or remove permissions to a resource, and/or add additional resources)
Click Update role button in top right corner.
Refresh the page when you're making changes to permissions for your own logged in workbench user for the changes to take effect.

Groups

A group is a collection of roles, based on particular job functions. Groups can be scoped to all or only specific environments. By default a group is assigned the role for all environments in the organization. For example, a “Card creator” role and a “Theme viewer” role.

Create a new group:

In the Workbench Members area, select the ‘Groups’ tab, then ‘Create new group’
Give the new group a name and description
Select the Role(s) the group will have access to
(optional) Select the specific environments. See the comment below about resources being scoped to the environment or organization level.
Select ‘Create group’

Resources are scoped to the environment or the organization level

Some permissions can not be limited to an environment level, because their corresponding resource has an organization-wide scope.
Read more in the Scoping of resources section to understand what this means for your setup.

Configure permissions for your team

Team members

Workbench members can be given memberships to one or more groups. Based on those groups they’ll be granted permission to access the specified resources and environments.

workbench user group assignment permission required

Only workbench members with permissions to the ‘Workbench user group assignment’ resource can add or remove workbench members from groups.

Invite a new workbench member

Click the 'manage' button in the bottom left corner and select Workbench members.
Click ‘invite new member’.
Add their first and last name, email address, then select the Group(s) they will have access to.
Select ‘Invite’ to send them an invite via email.

Disable a workbench member

Click your avatar in the bottom left corner > Workbench members
Select the overflow menu for the team member you wish to disable, and select ‘Disable’.

Scoping of resources

Some resources can be limited to one or more environments, other resources have permissions that are set on an organization level. The list of permissions that can only be applied to the whole organization are listed in the Organization-scoped workbench resources section of the Permissions resources guide.

To limit access of permissions to certain environments only, you need to explicitly select the environment names the group does have access to. If no environment has been selected, the group has access to all environments.

Any groups that are limited to specific environments will not have access to any of the resources that are controlled by organization-level permissions. To grant workbench members access to an organization-level resource, make them part of a role and a group that has explicit access to (one or more of these) organization-level permissions, ensure the group is scoped to allow access to all environments.

Example of an environment and organization scoped permission group

A group "analysts" needs:

access to the analytics exporter for 1 (test) environment
access to the audit log (an organization level resource)

The way to achieve this, is by creating 2 roles and assigning them to 2 groups. It's good practice to use the same name for a role and its corresponding group.

the "analytics - test" role has view permission to the analytics exporter resource. The "analytics - test" group is scoped to only allow access to the "test" environment within the organization
the "audit log" role has access to the audit log and the "audit log" group has access to all environments

Secure folder mode and per-folder access

Preview feature

Secure folder mode is in preview and may be subject to change. Please contact us to provide feedback.

By default, every member who can view Action Flows can see every folder in an environment. When teams managing distinct product areas should not have visibility into each other's Action Flows, an administrator can turn on secure folder mode for an environment. Once enabled, each folder has its own access list of groups: a member only sees a folder (and the Action Flows filed in it) if at least one of their groups appears on that folder's access list, or if their role grants Workbench folder: Admin.

There are three pieces:

The environment-level secure folder mode toggle, which switches the workbench from "everyone sees every folder" to "folder access lists are enforced".
The new Workbench folder resource permission (view / edit / admin), which controls what a group can do once it has access to a folder, and whether a role can bypass the access list entirely.
The per-folder Access panel, which lists the groups that can see and use that folder.

Turning on secure folder mode

Secure folder mode is set per environment by a member with the Environment: Admin permission. To turn it on:

Open Configuration for the environment.
Go to Security → Secure folder mode.
Toggle Enable secure folder mode and confirm.

When the toggle is off, all folders are visible to all members of the environment (the original behavior). When it is on, the per-folder access list is enforced for every member except those whose role grants Workbench folder: Admin.

warning

Turning the toggle off again immediately exposes every folder to every member who can view Action Flows. Confirm with your team before disabling.

Granting groups access to a folder

Members whose role grants Workbench folder: Admin manage per-folder access:

On the Action Flow dashboard, select the folder.
Open the Access panel for that folder.
Add the groups that should be able to see and use the folder, and remove any that shouldn't.
Click Save.

The Add all groups shortcut populates the list with every group in the organization in one step, which is useful when you want a folder to remain broadly accessible after turning on secure folder mode.

Sub-folders inherit visibility from their access list, so a group can be granted access to a sub-folder without seeing its parent. Access lists are per-folder.

Workbench folder permission levels

Level	What it allows
View	See folders the member's groups have access to. Action Flows filed in those folders appear in the dashboard, the folder browser, the Add-to-folder picker, and the Insights dashboard.
Edit	Everything in View, plus create sub-folders inside folders the member can access, move Action Flows between accessible folders, and rename folders the member can access.
Admin	Everything in Edit, plus bypass folder access lists entirely (see every folder, including the Uncategorized filter), manage per-folder access panels, and create new top-level folders. The environment-level secure folder mode toggle still requires Environment: Admin.

Workbench folder: Admin is the ACL bypass. Grant it only to roles that need to administer folder structure or audit content across teams.

How access combines across groups

A member's access to a folder is the union of every group they belong to:

If any of their groups appears on the folder's access list, they can see the folder.
If their role grants Workbench folder: Admin, they see every folder regardless of access lists.
Groups scoped to a specific environment apply to folders in that environment only.

What members see when secure folder mode is on

On the Action Flows list page:

The folder panel shows only the folders the member can access. A padlock icon next to Folders indicates the environment is in secure folder mode.
The Uncategorized filter is hidden for members without Workbench folder: Admin, since unfiled Action Flows have no access list to scope them. An Unfiled Action Flows banner is shown to administrators so they can move stray flows into folders.
The engagement stats panel and the + Create folder button are gated on folder access - the create-folder affordance is hidden for members who only have Workbench folder: View, and shown as a disabled placeholder when access is partial.
New sub-folders can still be created inside accessible folders by members with Workbench folder: Edit or higher.

On the Insights dashboard:

The Folders filter is pre-populated with the member's accessible folders, and tiles show data scoped to Action Flows in those folders.
Saved reports whose folder filters fall outside the accessible set are hidden, and saved reports can't be created or updated to filter on folders the member can't access.

Permissions resources

This document contains a list of each unique resource type, with a description of each, and the permissions available for that resource.

Each resource type has up to three permissions available, which specify the actions that can be taken by the member for that resource. The acronym CRUD in the table below stands for Create, Read, Update and Delete permissions. Edit permissions include view permissions, and admin permissions include edit permissions.

Workbench resources

Resource	Description	View Permission	Edit Permission	Admin Permission
Action Flow	View, create, edit, and delete Action Flows. Access can optionally be scoped to specific folders.	View and browse Action Flows; view media library	Create, edit, and delete Action Flows; upload and delete media library assets	n/a
API authentication controls	Used to authenticate your requests to the Atomic API	List credentials	CRUD	n/a
Analytics exporter	Access to view analytics and download batched analytics sets	Download & view analytics	n/a	n/a
Audit log	Log of workbench members’ actions within your organization (org scoped)	View own audit log entries	n/a	View others' audit log entries
Card instance	An instance of a card template sent to a customer	View log and analytics	Send cards from workbench	Cancel sent cards
Insights	Access to the Insights dashboard and analytics	View the Insights dashboard and saved reports	Save, refresh, and delete saved Insights reports	n/a
Card template	Used to view, send, edit and publish card templates	View card templates and media, send test cards	Edit draft card templates and media	Publish and archive card templates
Client certificates	Used to view and update client certificates for mTLS	View and use client certificates	Add, replace, and change client certificates	n/a
Connectors	Configuration for incoming webhook connectors	View	CRUD	n/a
Container	Configures card streams within your app	View	CRUD	n/a
Customer	A user of your web and mobile applications	n/a	n/a	CRUD
Customer Center	Access to the Customer Center	View the Customer Center	Send Action Flows to customers from the Customer Center	n/a
Environment	Each environment within an organization is a separate space, with separate configuration	View environment name	Create and edit name	Deactivate and edit custom fields
Notifications	Push notification configuration details for each SDK platform	View config details	CRUD	n/a
Organization	Atomic customers are typically given one organization. Each organization contains multiple environments (org scoped)	View name and preferences	Edit name and preferences	n/a
Override card approval	Enables a member to approve on behalf of any approval group	n/a	n/a	Approve on behalf of any approval group
Role	An identity with specific permissions. A role can be assigned to 1 or more groups, giving a set of permissions to all members of that group (org scoped)	View all roles and their permissions	Create and edit roles	n/a
SDK API key	Needed for SDK integrations, and to configure allowed JWT issuers	View API key	CRUD	n/a
Segment	Subset of customers with common characteristics	View which filters are applied	Create and edit segments	n/a
Stream	A collection of cards which can be assigned to 1 or more stream containers in your apps	View	CRUD	n/a
Tag	Tags are available when filtering customers	View	CRUD (inc user tags)	n/a
Theme	Theming configuration for stream containers	View	CRUD	n/a
credentials	Authentication credentials for webhook and Action Flow send-request requests	View	CRUD	n/a
Webhook request log	Status and metadata for outgoing webhook requests	View metadata	n/a	n/a
Webhook subscription	Requests made from Atomic to external services	View	CRUD	n/a
Workbench folder	Controls visibility of Action Flow folders when the environment is in secure folder mode. View / Edit grant access scoped by per-folder access lists; Admin bypasses access lists.	See folders the member's groups have access to, and the Action Flows inside them	Create sub-folders, move Action Flows between accessible folders, rename accessible folders	Bypass folder access lists, manage per-folder access, create top-level folders
Workbench member	A member of the workbench (org scoped)	View	CRUD	n/a
Workbench member group	Controls workbench member groups and their associated roles (org scoped)	View	CRUD	n/a
Workbench member group assignment	Controls assignment of workbench members to groups (org scoped)	View	CRUD	n/a

Example permission sets

Card approval

People who only need to approve cards can be given a view permission on the card template resource - no other permissions are needed.

Insights dashboard

People who only need to read insights data need view permission on the Insights resource. This lets them open the dashboard and any reports their team has saved, but the Save, Refresh report, and Delete report buttons will not appear.

To let someone create, refresh, or delete saved reports, give them edit permission on the same resource. Edit also includes view access.

Media library

Browsing the media library requires view permission on either the Card template or Action Flow resource. Uploading and deleting media library assets requires edit permission on either resource. Either grant is sufficient - members do not need both.

Organization-scoped workbench resources

Some resources are scoped to the organization level as opposed to the environment level. This means that permissions to these resources can't be limited to an environment.

These resources are:

audit log
organization
request debugger
role
workbench member
workbench member group
workbench member group assignment

See the Scoping of resources section for a further explanation and a worked example of how to create a group with environment-level scoped resource permissions as well as organization-level scoped resource permissions.

Permissions for default roles

By default your Atomic account comes with three groups: Owner, Admin, and Editor.

This table describes the default permissions each of these roles has:

Resource	Owner	Admin	Editor
API authentication controls	Edit	Edit
Analytics exporter	View	View
Card instance	Edit	Edit	View
Insights	Edit	Edit
Card template	Admin	Admin	Admin
Client certificates	Edit	Edit	View
Container	Edit	Edit	View
Customer	Admin	Admin
Environment	Admin	Admin	View
Notifications	Edit	Edit
Organization	Edit	Edit	View
Override card approval	Admin	Admin	n/a
Request debugger	Edit	Edit
Role	Edit	Edit
SDK API key	Edit	Edit
Segment	Edit	Edit
Stream	Edit	Edit	View
Tag	Edit	Edit	View
Theme	Edit	Edit
Credential	Edit	Edit
Webhook request log	View	View
Webhook subscription	Edit	Edit
Workbench folder	Admin	Admin	Edit
Workbench member	Edit	Edit
Workbench member group	Edit	Edit
Workbench member group assignment	Edit	Edit

Permissions overview​

Resource​

Role​

Create a role​

Update a role​

Groups​

Configure permissions for your team​

Team members​

Invite a new workbench member​

Disable a workbench member​

Scoping of resources​

Secure folder mode and per-folder access​

Turning on secure folder mode​

Granting groups access to a folder​

Workbench folder permission levels​

How access combines across groups​

What members see when secure folder mode is on​

Permissions resources​

Workbench resources​

Example permission sets​

Card approval​

Insights dashboard​

Media library​

Organization-scoped workbench resources​

Permissions for default roles​