As we discuss in our article introducing Roles, restricting access is vital for security and control, as well as improving ease-of-use by streamlining the UI for Users, so each person only sees what's relevant to them.

Roles (which you configure within the "Settings" Global Tool) enable Planhat admins/builders to configure permissions for Users (your colleagues using Planhat).

In this article, we'll focus specifically on the "Workflow" tab within Roles. We will deep-dive into a selection of the individual permissions, showing you exactly what features they are referring to. Each of the workflow permissions is a single simple toggle switch to enable/disable access. You will see that workflow permissions are organized into categories (starting with the "Data Management" category as shown in the screenshot below).

Click the image to view it enlarged

In this article, we will go through workflow permissions by category, in the order they appear in the app.

We don't describe every single permission in this article; for other workflow feature permissions, you can read a brief description in the Planhat app under the permission, and reach out to the Planhat team if you need further assistance.

You can click the images below to view them enlarged.

This permission controls access to the "Data" Global Tool - also called the "Data Model" Global Tool for admins/builders of Planhat.

This includes:

The "Data" / "Data Model" Global Tool is a vital part of Planhat for admins/builders (e.g. CS Ops) who are setting up and managing their Planhat tenant for their organization. You are likely to want this permission turned on for the Administrator Role and potentially the Manager Role, but not for Roles representing general Users (for greater control, and to simplify the UI for general Users).

This permission does not affect access to the Data Explorer, a feature that is designed for all/general Planhat Users.

Note that the ability to configure Health Profiles is also controlled by separate data model permissions.

This permission controls access to the "Timesheets" Home feature, which is where you can:

This permission is for general Planhat Users (rather than admins) who need specialist Service Delivery functionality (e.g. those working in Professional Services). If you don't have access to Service Delivery features to enable them, but would like to add them to your package, speak with your CSM.

There are additionally data model permissions for the Time Entry and Timesheet data models.

There is a separate workflow permission for "Time Tracking Settings" - see next section.

The "Time Tracking Settings" permission controls access to the Time Tracking section within the "Settings" Global Tool for Planhat admins/builders.

The Time Tracking settings consist of two parts (as shown in the screenshot below):

This permission is required for Planhat admins/builders whose organization is using Service Delivery features. You'll likely want this permission enabled for the Administrator Role, but not other Roles. If you don't have access to Service Delivery features to enable them, but would like to add them to your package, speak with your CSM.

There are additionally data model permissions for the Time Entry and Timesheet data models.

There is a separate "Time Tracking" workflow permission for the "Timesheets" Home feature - see previous section.

This permission controls access to logs, which can help you track and understand what's happening in your Planhat tenant - e.g. when a particular End User was created and by whom.

There are a couple of places you can view logs within Planhat:

Using logs, you can look up the history of data changes within your Planhat tenant, resolving questions such as "When did this change take place and why?"

You may choose to restrict this access to Roles for Users who are more technical, such as Administrators and Developers.

With this permission disabled, a Role will still be able to open the Logs Explorer from the Federated Search bar or click to view logs for an individual record - it's just that the logs themselves won't display, instead giving you the message "No logs found".

To fully enable this feature, you should also enable the "DevLog" data model permission - you will see an icon/tooltip by the Logs workflow permission warning you of this if appropriate (shown in a screenshot below).

You'll also need the "View" data model permissions for the relevant models to view logs.

"Rules" is a feature within the "Data" Global Tool for admins.

Each Rule is configured on a specific data model (e.g. Company, or Opportunity, etc.), and either locks the data in your chosen fields, or makes it mandatory (required) to have data in them.

You choose whether each Rule applies to just Users, or also other "actors" (such as Automations). You can optionally set conditions (either based on fields or User properties) to define when the Rule is enforced. You can even write your own custom message to display in Planhat when a User encounters locked or mandatory fields.

Field Rules are a useful tool when it comes to field and data management, as they help avoid missing data or accidental data changes.

As they are automatically applied and affect other Users, you only want fairly senior people with experience in this feature to have access - e.g. the Administrator Role, and possibly the Manager Role.

The "Import" workflow permission controls the ability to upload data (create/update multiple records - e.g. a list of Companies) via a spreadsheet, which you can do via the "Import" tool within the central Federated Search bar (screenshots below).

Importing manually can be a useful method to bring data into Planhat. Think about who within your team may need access to this ability - for example, it may be just the Administrator Role.

Note that even with this permission disabled, you're still able to add individual records (e.g. one Company at a time) via the Create Forms (e.g. also in the Federated Search - see the "Add new" options in the second screenshot below) or via the Data Explorer.

Be aware that data model permissions still apply - so you'll need the appropriate permissions for the data models of the records you're importing.

Forecasting is an important part of customer management in SaaS. Your team members managing Companies (accounts) should enter the predicted upcoming revenue into Planhat.

The "Renewals" System Report Page is where this forecasting is typically carried out, and this workflow permission is required to access the forecast columns (including "Pessimistic" and "Optimistic" if enabled) within this report.

In Roles for your Users who manage customers (typically the CSM Role), it's important that they have the ability to input forecasts in this way. You'll also likely to want the Manager and Administrator Roles to have this permission turned on too.

You can configure whether the "Pessimistic" and "Optimistic" forecasts are shown in your tenant, in addition to the standard/main forecast, within the "Revenue Setup" section in the "Settings" Global Tool.

This permission determines whether End User usage data is shown on Company and End User Profiles.

If you're using User Activities, we usually recommend this is enabled for all Roles, as this is all super useful data.

However, if you haven't set up User Activities yet, or if your End Users are anonymized, then you can disable the permission to remove this Profile element, as it would not be populated.

As the name indicates, this permission relates to Slicers, which can be used to dynamically filter several Widgets on the same Dashboard or Presentation Page.

Roles with this permission enabled will be able to create/edit/delete Slicers, via a specific section within the "Settings" Global Tool.

Roles without this permission enabled will still be able to apply/use Slicers that have already been created in your tenant.

Slicers enable you to quickly scroll through data to see how it develops over time, without having to edit Widgets individually. Slicers help you to identify any trends, such as improvements or warning signs.

You may want to restrict this permission to specific Roles if you would prefer that only certain Users can create new Slicers, to help keep your Planhat tenant tidy.

This permission enables Users (you and your colleagues) to make their email address available as a "send from" option that their team members can select.

The Role permission itself doesn't automatically enable a User's email address to be available for others to send from, but it enables this feature to be turned on. Users with this Role permission will see the "Public account usage" toggle switch in the "Email" tab in their User Profile (shown in the screenshot below). They can then choose to turn this on, if they want to make their email address available as a "send from" option.

This is particularly relevant for shared accounts such as support@yourcompany.com.

You may choose to disable this permission for some Roles, to restrict the ability of your team members to email from each other's email addresses.

This permission enables Users to send emails from "dynamic senders" (where a Team Member field is specified, and the relevant actual User name is filled in depending on the recipient), such as "Account Owner" or "Account CoOwner".

The "Email From Dynamic Sender" permission controls the ability to send emails from the "Account Owner" (Company Owner) or similar rather than from yourself. An example use case is for Managers to be able to send emails from their CSMs' email accounts if they are away from work.

This permission has some similarities to the "Email on my behalf" permission described below, as it related to multiple Planhat Users being able to email from an email address. Here though you are giving permission to a User to use other people's addresses based on their relationship to the Company; whereas in the other permission, a User can allow other people to choose to email from their name / email address.

Note that even Users without the "Email From Dynamic Sender" permission will still be able to send emails from another User's email address if the other User has "Public account usage" toggled on (described below for the "Email On My Behalf" permission).

This permission enables you to contact End Users via email (and Intercom chat messages) from Planhat.

This permission should be enabled for any Role where Users need to contact customers/prospects, so they can do so from within Planhat. Your CSM team will need this enabled; but Developers, for example, can have this turned off if they won't be reaching out to your customers.

With this permission, you can control who can see the "Unassigned" tab in the Email Manager. The Unassigned tab is home to all the emails in your Planhat tenant that haven't been automatically assigned to a Company; here you can manually assign them.

In Planhat, emails (as with other Conversations) are linked to one Company. While most of the time, it's easy for Planhat to identify which Company to associate the email with, in some cases it's less obvious.

You'll want some Planhat Users to review the "Unassigned" tab so they can manually assign any emails that couldn't be assigned automatically, but as this shows all unassigned emails (regardless of involved End Users / Companies - i.e. it's not portfolio-based), you might not want every User to have access.

This permission controls access to the "Outbound Emails" section of the "Settings" Global Tool, comprising:

Note that the permission specifically controls these settings related to outbound emails; it does not affect the visibility of the "Outgoing" folders in the "Email Manager" Home feature.

These Outbound Email settings have been separated out from the Admin Access permission (which controls access to most of the "Settings" Global Tool) enabling you to give a Role (e.g. Marketing, or Tech-Touch CS) just the ability to configure your tenant's Outbound Email settings without access to other settings not relevant to them, increasing control over your tenant and helping to streamline the UI for those Users. Saying that, you will likely want the Outbound emails permission turned on for the Administrator Role too. You won't want this permission enabled for general User Roles such as CSM.

Dashboard and Presentation Pages are great ways for you to visualize, analyze and present your data.

For these Page types, you can share insights and collaborate with colleagues by sharing them via email. Pages can be sent as a one-off, or scheduled to send on a recurring basis. The Page is sent as a PDF attachment, and can be shared with one or multiple team members.

Sharing Pages via email enables you to provide updates to the team on different metrics and insights, increasing visibility and alignment. For example, this feature could be used for updating your senior leadership every Friday evening on key customer data.

You may want to enable this feature for all Roles, or if you prefer you can only give access to Managers/Administrators.

The "App Center" is one of the Global Tools for admins. It is where you set up and manage:

The App Center is a vital part of Planhat for admins/builders of Planhat, so you'll want this permission turned on for the Administrator Role, and potentially the Developer/Manager Roles, but you won't want this turned on for Roles representing general Users of Planhat (e.g. CSM).

Although the App Center workflow permission is used to enable/disable the whole App Center, you can also control its various elements separately. To do this, you would need to have the App Center workflow permission enabled, and then disable individual permissions - listed below - if you would like to restrict access to any component feature.

Integrations are built-in tools you can use to link Planhat to external software (e.g. Salesforce, HubSpot, Intercom, Zendesk, Jira, Snowflake, and many more) and sync data between them.

In upgraded Planhat, Integrations are part of the "App Center" Global Tool for admins. If this permission is disabled for a Role, its Users can't see/access the "Integrations" section (pictured below).

Integrations are a vital part of compiling data into Planhat, your central source of truth for all customer/prospect data - and for syncing data insights out from Planhat too.

Only a limited set of Users (and therefore Roles) will need to actually set up and manage integrations. For example, this may be your Administrator and Developer Roles.

This permission controls access to the Integrations for Snowflake and BigQuery.

In upgraded Planhat (ws.planhat.com), Integrations are located within the "App Center" Global Tool.

You need the "Data Warehouse Integrations" permission enabled to view Snowflake and/or BigQuery in the main apps list (after adding them via the "+ New app" button).

With both the Snowflake and BigQuery Integrations, you can sync CRM data bidirectionally, and time-series usage data into Planhat.

It's unlikely that your general Users will need access to set up these integrations; configuring them will likely be a task for your CS Ops (e.g. with the Administrator Role) or Tech Ops (e.g. with the Developer Role).

This permission relates to building custom Automations. Automations are a way to automate actions within Planhat, and have the general basic structure of "when x happens, do y". Although we offer a range of customizable Automation templates, in some circumstances you may wish to build a custom Automation, typically with the help of your Planhat Technical Account Manager (TAM).

This specific permission ("Automation Actions - Raw JS Function") controls the ability to use "execute function" (JavaScript) action steps within Automations.

In upgraded Planhat (ws.planhat.com), Automations are located within the "App Center" Global Tool. The screenshots below show where to click to create a custom Automation and select an "execute function" step.

In complex scenarios where sophisticated data transformations are required, you might need to execute a JavaScript function, which takes a series of inputs from a previous step or related model and transforms them, returning an output that can be used in subsequent steps.

These "execute function" steps are for advanced use cases, and are not expected to be required frequently. Please speak with your TAM for help setting them up.

In terms of permissions, it's very unlikely that general Users will need access to this functionality. You may want this turned on for the Administrator and Developer Roles.

Remember that access to Automations more generally is controlled by a set of data model permissions.

"Automation Actions - Raw JS Function" and related workflow permissions enable you to be more granular with your access if required.

Remember that permissions exist on a tenant level as well as a Role level, so if you don't have access to this permission/functionality at all in your tenant, please speak to your CSM or TAM.

This permission relates to building custom Automations. Automations are a way to automate actions within Planhat, and have the general basic structure of "when x happens, do y". Although we offer a range of customizable Automation templates, in some circumstances you may wish to build a custom Automation, typically with the help of your Planhat Technical Account Manager (TAM). In upgraded Planhat (ws.planhat.com), Automations are located within the "App Center" Global Tool.

This specific permission ("Automation Events - Call A Webhook") controls the ability to use "incoming webhook" in the trigger of an Automation, and "call a webhook" in an action step of an Automation. The screenshots below show where you would select these.

Webhooks can be useful to link to external systems. There are various possible use cases. For example, you could create a custom Automation that's triggered by a survey response being submitted in a third party tool (using a webhook in the trigger), and brings that data into Planhat.

In terms of permissions, it's very unlikely that general Users will need access to this advanced Automation functionality. You may want this turned on for the Administrator and Developer Roles.

Remember that access to Automations more generally is controlled by a set of data model permissions.

"Automation Events - Call A Webhook" and related workflow permissions enable you to be more granular with your access if required.

Remember that permissions exist on a tenant level as well as a Role level, so if you don't have access to this permission/functionality at all in your tenant, please speak to your CSM or TAM.

This permission relates to building custom Automations. Automations are a way to automate actions within Planhat, and have the general basic structure of "when x happens, do y". Although we offer a range of customizable Automation templates, in some circumstances you may wish to build a custom Automation, typically with the help of your Planhat Technical Account Manager (TAM).

This specific permission ("Automation Events - Scheduled") controls the ability to schedule an Automation to run on a regular interval (e.g. every Sunday at 10 pm) rather than when a specific data change occurs.

In upgraded Planhat (ws.planhat.com), Automations are located within the "App Center" Global Tool. The screenshots below show where to click to create a custom Automation and configure the Automation to run on a schedule.

The ability to automatically trigger an Automation on a regular schedule (rather than on an ad-hoc basis in response to data changes) can be useful for a variety of scenarios.

In terms of permissions, it's unlikely that general Users will need access to the functionality to set up scheduled custom Automations. Automations can make widespread data changes (e.g. updating a lot of records at once), so it's recommended that only limited Roles have access.

Remember that access to Automations more generally is controlled by a set of data model permissions.

"Automation Events - Scheduled" and related workflow permissions enable you to be more granular with your access if required.

Remember that permissions exist on a tenant level as well as a Role level, so if you don't have access to this permission/functionality at all in your tenant, please speak to your CSM or TAM.

"Writing Assistant" is one of the native AI tools built into Planhat, which can help you in a variety of ways: improving text, summarizing text, translating text, finding action items in text, and even answering your general questions (such as "what is IBM Watson?").

The "Planhat AI Writing Assistant" permission controls whether a User with that Role can use the Writing Assistant (sees the option available to click on). Using the Writing Assistant consumes AI credits, which are available via a free trial or paid plan.

"Writing Assistant" is a fantastic way to make your life easier and you work more efficient.

This feature is useful for general Planhat Users, particularly those in customer-facing or prospect-facing teams, so you may want to enable this permission for all Roles (e.g. CSM and Sales etc.). Alternatively, as generating these AI summaries uses AI credits, you may wish to restrict access.

"Conversation Summary" is one of the native AI tools built into Planhat, which saves you time. It enables you to generate a quick summary of a long conversation thread (e.g. an email chain with lots of back-and-forth messages).

The "Planhat AI Conversation Summary" permission controls whether a User with that Role can generate new Conversation Summaries - this action uses AI credits, which are available via a free trial or paid plan.

Without the permission enabled, Users can still view existing Conversation Summaries.

"Conversation Summary" is a super helpful feature that enables you to be more efficient. With this tool, you don't have to spend time reading every single message in a thread to understand the key points.

This feature is useful to everyone communicating with customers/prospects, as well as their managers, so you may want to enable this permission for all Roles. Alternatively, as generating these AI summaries uses AI credits, you may wish to restrict access.

Disabling this permission hides the "Workflows" Global Tool for admins, which is where you configure and manage Workflow Templates.

It does not prevent you from viewing or interacting with Workflows (Projects and Sequences in Pages, the Data Explorer, or Profiles.

You'll want this permission turned on for anyone who will be configuring Workflow Templates for their organization/team - for example, the Administrator Role, and/or the Manager Role.

Remember, you don't need to turn this permission on for Roles representing general Users (e.g. the CSM Role) for them to be able to use Workflows.

There are additional related sets of data model permissions: Workflow and Workflow Template.

This permission controls access to the "NPS" Global Tool for admins - which at time of writing, is currently under construction in upgraded Planhat (ws.planhat.com), so NPS should instead be configured in the original Planhat platform (app.planhat.com).

This permission is for Roles who set up or manage NPS campaigns for their organization, such as the Administrator Role.

This permission enables you to design and manage Custom Profiles/Previews (within the "Data" Global Tool) and Custom Profile Pages ("Object Profile Pages" within the "Content" Global Tool).

Full-Page Profiles and Previews are both ways you can view Company records, and in Planhat you can design a variety of custom layouts (including custom tabs) that automatically apply in different scenarios.

This is an important way you can customize the UI in Planhat, but you likely want to restrict this ability to certain Roles (typically Administrator, and possibly Manager).

As well as this Role-level permission, there are additional tenant-level permissions controlling access to Custom Profile Templates and Pages, which only Planhat staff ("Super Admins") can change, as they are related to your subscription. Reach out to your CSM if you would like to change your organization's access level.

Users with this permission enabled can:

... via the "Libraries" Global Tool.

Libraries are collections (a bit like folders) of related content (Pages and Sections). For example, you could have Libraries based on departments or job roles (such as Sales or Leadership), or topics/processes (e.g. Onboarding or Portals).

As well as organizing content into themes, another purpose of Libraries is to house "verified" (recommended) content.

Only Planhat builders/admins/managers should be creating Libraries, as they are responsible for defining the "official" content within your organization. The Roles corresponding to these Users should have this permission turned on.

The "Library Manager" permission also enables specific Roles to be able to manage all of your tenant's Libraries, regardless of creator. This means you don't need to manually share every Library with a group of Users. Like the ability to create Libraries, you probably wouldn't want general Users in your tenant to have this ability.

We recommend that you enable this permission for your Administrator and Manager Roles.

Note that when this permission is disabled, it does not remove access to the "Libraries" Global Tool itself. Users can still view Libraries there that they have View access to, as well as viewing Library content via the Content Explorer.

When creating or editing a Library, you can see all Users who have the "Library Manager" permission enabled, in the "Library Manager access" section (shown in the second screenshot below); click "Expand list" to see the full details.

"Content" in upgraded Planhat (ws.planhat.com) is custom Pages/Sections - your customer/prospect data displayed and organized in your choice of formats.

Users with the "Promote Content" permission enabled will be able to promote content to other Users' Homes. You can read more about promoting content in our separate article here.

"Promoting" content is great for bringing your teammates' attention to new content. It's a way of sharing your creations with your colleagues.

You may choose to just enable this permission for the Administrator and Manager Roles - if you don't want everyone to be able to display content in other Users' Homes - or you may also enable this for general Users (e.g. CSMs). Developers are unlikely to need this enabled, though.

"Content Manager" is another name for the "Content" Global Tool for admins. "Content" is home to:

(Do not confuse this permission with the separate Content Explorer Manager workflow permission.)

"Content" is an important part of Planhat for people configuring Planhat for their organization - typically Users with the Administrator and potentially Manager Roles. You don't want all Users in your tenant to have access.

Our Technical Support team are a fantastic resource for you, in addition to our self-service Enablement content (such as this Help Center!) and your CSM/TAM.

You can speak with the Support team via live in-app chat: to do this, click on the question mark icon in the top-right of your Planhat tenant to access the Help menu, and select "Chat".

The "Planhat Support Chat" workflow permission controls access to this option - if disabled, "Chat" won't show as an option within the Help menu.

We suggest that you enable this permission for all Roles, although you may disable it for some Roles if you want to limit communication with Planhat to be via certain Users.

"Admin Access" is an important workflow permission that has wide-ranging effects. It controls access to a variety of settings in upgraded Planhat (ws.planhat.com).

"Admin Access" is required to access many aspects of the "Settings" Global Tool:

It does not control access to the following aspects of the "Settings" Global Tool:

This list is not necessarily exhaustive, and "Admin Access" may also affect other features, particularly as additional functionality is added to upgraded Planhat.

The "Admin Access" permission enables you to access a range of functionality that's vital for setting up and customizing your Planhat tenant.

"Admin Access", as the name suggests, is a key permission for Planhat admins/builders with the Administrator Role. It's not recommended to enable it for all Roles (e.g. CSM) - you likely don't want general Users to have this permission turned on, for data security, and to streamline their UI by removing access to parts of Planhat they shouldn't be editing.

The image below shows the "Settings" Global Tool with and without the Admin Access permission enabled (with all other permissions enabled so not restricted separately).

This permission lets you edit other Users' email addresses.

You can edit User email addresses via User Profiles (see screenshots below).

This can be useful, for example, if your organization changes the domain of your email addresses.

The email addresses you're changing to must be unique: if a User already exists on any tenant with a specific email address, then you can't change another email address to that email address - you would have to create the User in the tenant and invite them.

You can only change the email address of Users who have access to only one tenant, not multiple (for security reasons).

This permission enables a Role to see all content (Pages and Sections) in Content Explorer, even if it's not shared with them or created/owned by them.

(Do not confuse this permission with the separate Content Manager workflow permission.)

You'll most likely want to enable this permission for Roles such as Administrator and potentially Manager, who need an overview of and control over your organization's content.