Roles and Permissions
XainFlow uses role-based access control (RBAC) to manage what each team member can do within a workspace. There are four roles, each with a different level of access.
Role Hierarchy
Roles follow a strict hierarchy:
Owner > Admin > Creator > Viewer
- Owners have full, unrestricted access — credit limits, model restrictions, and tool restrictions are ignored for owners.
- Admins can restrict Creators but cannot restrict other Admins.
- Creators are scoped to their assigned projects only.
- Viewers have read-only access.
Available Roles
Owner
The workspace creator. The Owner has full, unrestricted access to every setting and action within the workspace. There is exactly one Owner per workspace. Owners cannot be restricted by any access control layer.
Admin
Admins can manage members, change workspace settings, and perform most administrative tasks. They cannot delete the workspace, transfer ownership, or manage billing. Admins can set restrictions on Creators, but cannot modify the permissions of other Admins.
Creator
Creators can generate content, manage their own assets and workflows, and view shared resources. They cannot manage other members or change workspace-level settings. Creators are scoped to their assigned projects — they can only work within projects they have been assigned to.
Viewer
Viewers can browse assets, workflows, and projects but cannot generate content, upload files, or make changes. Useful for clients or stakeholders who need visibility without edit access.
Permission Matrix
| Permission | Owner | Admin | Creator | Viewer |
|---|---|---|---|---|
| Delete assets | Yes | Yes | No | No |
| Move assets | Yes | Yes | Yes | No |
| Download assets | Yes | Yes | Yes | Yes |
| Upload files | Yes | Yes | Yes | No |
| Copy assets between projects | Yes | Yes | No | No |
| Create folders | Yes | Yes | Yes | No |
| Delete folders | Yes | Yes | No | No |
| Create collections | Yes | Yes | Yes | No |
| Delete collections | Yes | Yes | No | No |
| Build workflows | Yes | Yes | Yes | No |
| Delete workflows | Yes | Yes | No | No |
| Execute workflows | Yes | Yes | Yes | No |
| Export workflows | Yes | Yes | Yes | Yes |
| Create projects | Yes | Yes | No | No |
| Create blocks | Yes | Yes | Yes | No |
| Manage workspace blocks | Yes | Yes | No | No |
| Invite members | Yes | Yes | No | No |
| Remove members | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Edit workspace settings | Yes | Yes | No | No |
| Manage billing and subscription | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
| Delete workspace | Yes | No | No | No |
Settings Page Visibility
Settings pages are only visible to members who have both the required role and plan. Pages that don't meet both criteria are hidden entirely from the sidebar — they are not shown as locked.
| Settings Page | Role Required | Plan Required |
|---|---|---|
| General | Owner or Admin | Any |
| Team | Can invite members | Any |
| Projects | Can create projects | Any |
| Project Styles | Can edit content | Any |
| Variables | Owner or Admin | Any |
| Skills | Owner or Admin | Any |
| Blocks | Owner or Admin | Any |
| MCP & API | Owner or Admin | Pro or higher (includes all Team plans) |
| Integrations | Owner or Admin | Team or higher |
| Preferences | Owner or Admin | Team or higher |
| Billing | Owner only | Any |
| Credits & Usage | Owner or Admin | Any |
| Analytics | Can view analytics | Any |
| Danger Zone | Owner only | Any |
Three-Layer Access Control
XainFlow uses three cascading layers to determine which AI models and tools a member can access. This system is available on all Team plans (Team, Business, Enterprise).
```mermaid
flowchart TD
    A["Layer 1: Workspace Preferences\n(workspace-wide restrictions)"] --> B["Layer 2: Member Restrictions\n(per-member restrictions)"]
    B --> C["Layer 3: User Preferences\n(personal defaults)"]
    C --> D["System Defaults\n(fallback)"]
```
How it works
- Workspace Preferences — the Owner or Admin sets workspace-wide restrictions that apply to all members (e.g., "only allow Nano Banana and Recraft V3").
- Member Restrictions — the Owner or Admin further restricts individual members beyond the workspace settings (e.g., "this Creator can only use Nano Banana").
- Effective access — a member sees the intersection of workspace and member restrictions. If the workspace allows models A, B, C and the member is allowed A and B, the member can only use A and B.
- User Preferences — from the available options, the member can set their personal default model.
Default model resolution
When a member hasn't explicitly chosen a model, XainFlow resolves the default in this order:
1. User preference (personal default)
2. Workspace preference (workspace default)
3. System default
4. First available model (fallback if the resolved default is restricted)
When no restriction is set at a layer, that layer is treated as "allow all." An explicitly empty restriction list is different: it means "allow nothing," and the member is completely blocked from that category.
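The layered resolution above, sketched as an added example (not XainFlow's own code). It assumes an unset layer is represented as `None`, that "Model C" and `SYSTEM_DEFAULT` are placeholders, and that step 4 applies once to whichever default steps 1 to 3 selected.

```python
from typing import Iterable, List, Optional

# Constructed catalogue: "Nano Banana" and "Recraft V3" are named on this page;
# "Model C" and SYSTEM_DEFAULT are placeholders assumed for the example.
CATALOG = ["Nano Banana", "Recraft V3", "Model C"]
SYSTEM_DEFAULT = "Model C"


def effective_models(role: str,
                     workspace_allowed: Optional[Iterable[str]],
                     member_allowed: Optional[Iterable[str]]) -> List[str]:
    """Return the models a member may use, in catalogue order."""
    if role == "owner":
        # Owners ignore model restrictions at every layer.
        return list(CATALOG)
    allowed = set(CATALOG)
    for layer in (workspace_allowed, member_allowed):
        # None means no restriction at this layer (allow all).
        # An empty list is a real restriction that allows nothing, so the
        # test must be "is not None"; a truthiness test would turn a full
        # block into full access.
        if layer is not None:
            allowed &= set(layer)
    return [m for m in CATALOG if m in allowed]


def resolve_default(available: List[str],
                    user_pref: Optional[str] = None,
                    workspace_default: Optional[str] = None) -> Optional[str]:
    """User preference, then workspace default, then system default;
    fall back to the first available model if that choice is restricted."""
    if not available:
        return None  # member is blocked from this category
    chosen = user_pref or workspace_default or SYSTEM_DEFAULT
    return chosen if chosen in available else available[0]


if __name__ == "__main__":
    models = effective_models("creator", ["Nano Banana", "Recraft V3"], ["Nano Banana"])
    print(models, resolve_default(models, user_pref="Recraft V3"))
```
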
Workspace Preferences
Workspace Preferences let Owners and Admins control what the entire workspace can access. Available on all Team plans (Team, Business, Enterprise).
Navigate to Settings > Workspace > Preferences to configure these options.
Model and tool access
- Toggle individual image models on or off
- Toggle individual video models on or off
- Toggle individual AI Suite tools on or off
- At least one image model and one video model must remain enabled
Workspace defaults
- Default image model for the workspace
- Default video model for the workspace
- Default gallery view mode
Generation limits
- Max images per generation (1–4 or unlimited)
- Custom resolution toggle (enable or disable)
- Default video resolution (480p, 720p, or 1080p)
- Default video duration (4s–12s)
- Audio default (enabled, disabled, or no default)
- Allowed image aspect ratios
- Allowed video aspect ratios
Restricted models are completely hidden from model selectors — members don't see them at all. Restricted AI Suite tools are hidden from the AI Suite hub. If a member navigates directly to a restricted tool's URL, they see an "Access Restricted" message.
Member Limits
On Team plans (Team, Business, Enterprise), Owners and Admins can set per-member restrictions to control costs and access.
Navigate to Settings > Workspace > Team, click a member, then open the configuration panel.
| Setting | Options |
|---|---|
| Monthly credit limit | Unlimited, blocked (0), or a specific cap |
| Allowed models | All models, none, or a specific list |
| Allowed tools | All tools, none, or a specific list |
The member configuration only shows models and tools that are already available at the workspace level. If the workspace restricts to models A, B, and C, you can only choose from A, B, and C when configuring a member.
Credit logic
- Team workspaces have a shared credit pool (credits per seat multiplied by the number of seats).
- Each member can have an individual monthly cap.
- When a member generates content, the system checks the lower of their individual limit and the remaining workspace pool.
- Credits reset each billing period.
Use member limits to control costs on shared workspaces. For example, restrict junior team members to lower-cost models while giving senior creatives full access.
Related Pages
- Managing Members — invite, remove, and change roles
- Workspaces Overview — understand workspace types
- Workspace Settings — configure workspace identity and storage
- Plans Overview — see which plans support team features