How do Workiva permissions work?
Roles control which features each user has access to in a workspace. Workspace Owners and Org Workspace Admins can assign roles to workspace members to set what those members can do.
Permissions, on the other hand, determine the level of access each user has to specific resources within a workspace. Permissions are assigned to individual files or objects; members can either be a file owner, editor, or viewer.
In summary:
-
Roles provide access to features, such as Filing or XBRL.
-
Permissions provide access to documents and data, such as a specific spreadsheet or section.
How are Chains permissions different?
The Chains permission model is built on the same principles as the Workiva permission model, but there are a few key differences:
- User groups are an optional feature of Workiva permissions, but they're required when setting up Chains permissions.
- Permissions are managed within Chain Builder — separate from the rest of Workiva.
- Permissions can be applied to individual environments and chains. These concepts don't exist elsewhere in Workiva.
Because of these differences, you will need to jump between the main Workiva platform and Chain Builder when setting up permissions,.
Note: User groups can technically be ignored in Chains, but doing so means every member of your workspace will have full access to all chains and chain settings. This is not recommended.
What happened to the old Chains permission model?
Prior to April 2023, Chains used an all-or-nothing permissions model which depended entirely on the legacy Chain Owner role. This single role provided full access not just to Chain Builder, but to all Chains settings, admin abilities, and run history. In effect, this meant every workspace member with access to Chain Builder had full and unrestricted access.
This permission model can still be used today — you could theoretically just assign the Chain Owner role to anyone who needs Chains access — but it's not recommended.
How do I set up Chains permissions?
Because permissions are managed separately from the rest of Workiva, a few additional steps are required when setting up Chains permissions.
In short:
- In Workiva, create user groups and assign members to them.
- In Workiva, assign the Chain Builder role to each eligible member of your workspace. This role grants access to the Chains feature but no other abilities.
- In Chain Builder, assign permissions to each user group created in Step 1. This determines what each group and group member can do with the Chains feature.
For step-by-step instructions, check out the following article: Assign roles and permissions in Chains
What does each role and permission do within Chains?
See our Chains roles and permissions article for a detailed explanation.
How are Chains permissions tiered?
Chains permissions are managed from the top-down so that permissions can only be granted by another user with an equal or higher level of access. This means an administrator at the org level can assign roles to an administrator at the workspace level, who in turn can assign roles to an administrator at the environment level.
Org security admin vs. Org chain security admin vs. Chain security admin
These similarly named roles each fill a unique role within Workiva. The key difference is that the Org Security Admin role is a broad role with many responsibilities across the Workiva platform, while the Org Chain Security Admin and Chain Security Admin roles are unique to Chains.
Org security admin
The Org Security Admin is responsible for enabling and disabling connectors in Workiva. This organization-wide role has other abilities within Workiva and is not unique to Chains.
Once a connector is enabled, the Org Security Admin largely cedes control to two Chains-specific roles that are responsible for managing settings within Chains:
- Org Chain Security Admin: This role manages connections and runners across workspaces. In other words, it configures the connectors.
-
Chain Security Admin: This role manages and assigns permissions within the assigned Chains workspace.
How do I assign an Environment Security Admin?
The Environment Security Admin is an unofficial "role" assigned to users who will administer a single environment in a workspace. A Chain Security Administrator can assign this role to individual users by editing their profile in Chains; the newly minted Environment Security Administrator can then assign permissions within that environment.
Learn more: Assign the Chain Security Admin role to an environment
How are permissions assigned by the Chain Security Admin?
The Chain Security Admin assigns permissions to individual user groups from the Settings > Users & Permissions screen in Chains.
Learn more: Assign permissions to user groups and environments in Chains
How do I assign permissions to an individual chain?
The Chain Security Admin can set permissions for an entire workspace, or any single chain within that workspace.
Learn more: Assign permissions to individual chains
Link directory for Chain Builder permissions
- Assign roles and permissions in Chains
- Chains roles and permissions explained
- Assign the Chain Security Admin role to an environment
- Assign permissions to user groups and environments in Chains
- Assign permissions to individual chains