As we discuss in our article introducing Roles, restricting access is vital for security and control, as well as improving ease-of-use by streamlining the UI for Users, so each person only sees what's relevant to them.

Roles (which you configure within the "Settings" Global Tool) enable Planhat admins/builders to configure permissions for Users (your colleagues using Planhat).

In this article, we'll focus specifically on the "data model permissions" tab within Roles.

Click the image to view it enlarged

So what is included within "data model permissions"? What do these permissions do? We'll go through details of specific permissions within this article, but firstly we'll summarize the basic principles.

You are likely to be familiar with the main data models (similar to "objects" in some other tools) - Company, End User, License, Opportunity, Issue, Conversation, Asset, and so on. In "data model permissions", you can set really granular access levels for each of these models (whether the Role can create/view/update/remove/export records), as well as controlling access to their fields.

Click the image to view it enlarged

However, in addition to this, it's important to note that you'll see some other elements/features (internal models) listed within the "data model permissions", such as Pages, Sections and Snippets.

Click the image to view it enlarged

Remember that this is only one category of permissions in Roles - so if you're looking for a permission for a feature and you can't find it here, check if it's in another part of Roles (likely "workflow permissions - features" - we have a separate article about these here).

Setting these permissions - so different Roles have access to different elements within Planhat ...

Having really granular permissions (with separate control for each "action", right down to the field) per model is really powerful - you can define, for example, that a User assigned a specific Role can view Invoices but not export them, or create them but not remove them. This is much more flexible than having one single "all or nothing" permission per model.

For each data model listed in the permissions, you use the checkboxes to define what Users (you and your colleagues) with the Role can do in Planhat - you'll be able to choose from some or all of: "Create" (add), "View", "Update" (edit), "Remove" (delete) and "Export". For example, for the Company model, this determines whether you can create Company records (i.e. Companies, such as Intercom or Nissan etc.), and so on.

Under many of the models, you'll see "x Properties" - click on the row to expand this out. For standard data models, these properties are its fields - e.g. Company Address and Company ARR.

Note that the parent model permissions affect the related property/field permissions - for example, if you disable the ability to view the Campaign model, it will also disable the ability to view Campaign fields.

Next in this article, we are going to deep-dive into a selection of the less obvious data model permissions, showing you exactly what features they are referring to, so you can understand the effects of these permissions.

You can click the images below to view them enlarged.

This permission controls the ability to edit and create labels (tags) that you can apply to logged activities (Conversations - e.g. Intercom chats and emails) and planned activities (Tasks). Example activity tags are "Bug", "Upsell potential" and "Important".

Tags are great for organization. You can filter on these tags when you're looking at a Company or End User Profile, and even refer to them in Formula Fields.

To ensure consistency in tagging - e.g. so you don't end up with loads of possible labels/tags, or different variations in spelling - we suggest that this permission is enabled for your Administrator and Manager Roles, but not all your "standard" Users.

Automations are a way that you can automatically act on data in Planhat, configuring processes with the general structure of "when this data change occurs, do that".

The "Automation" set of data model permissions enables you to control which Role(s) in your Planhat tenant can do what related to Automation setup.

The "App Center" is where you can create and manage your Automations in upgraded Planhat (ws.planhat.com) - both templated and custom - as well as Integrations.

It's important for some Roles to have access to configure Automations, because they are a key way you can enhance your productivity using Planhat - for example, you might have all the permissions enabled for the Administrator, Manager and potentially Developer Roles.

However, it's recommended to restrict permissions for other Users. Automations are super powerful and can quickly make widespread changes to your customer data, so you don't want everyone to have access to this in case they trigger unwanted updates.

The main "View" permission controls whether Users with the Role can see Automations within the App Center - both Automations you have created, and Automation Templates.

Using these permissions, you can turn on/off the comments that you'll see throughout Planhat, such as on planned activities (Tasks) and logged activities (Conversations), Company Profiles, and various other places in Planhat.

Adding comments can be really useful for collaboration, so we suggest you leave this set of permissions enabled for all Roles, especially "View" and "Create". Generally it's fine for everyone to be able to edit/delete comments too.

Both of these sets of permissions relate to Connections, which are part of the "App Center" (together with Integrations and Automations) - see screenshot below.

"Connections" are how you can connect your Planhat tenant to your AI provider (OpenAI, Microsoft Azure OpenAI Service, or Google PaLM 2). You can also configure custom connections.

Generally, only Roles such as Administrator and/or Developer would be involved in setting up connections; general Users shouldn't need access.

For both ConnectionConfig and ConnectionData, the "View" permission is required to show Connections in the App Center.

These permissions relate to the ability to create/delete/update custom fields in the "Data" Global Tool.

You'll want your Administrator Role and likely your Manager Role to be able to manage custom fields in this way, but it's recommended that your standard Users don't have access to create new custom fields (to keep things tidy) or delete fields (for security).

This set of permissions enables Users to create, edit and organize email templates.

Email templates are a great way for you to save time and ensure consistency throughout your team. You may want to restrict the ability to manage email templates, so your Administrators and Managers are in control.

Even if these permissions are disabled, Users will still be able to apply existing email templates to new emails.

Use these permissions to control access to "Health" within the "Data" Global Tool (under the Company model), which is where you can configure Health Profiles - the sets of rules that calculate and apply Health Scores.

With this set of permissions, you can configure whether each Role can create a new Health Profile, or update the conditions of an existing one, and so on. You'll want all these permissions enabled for Administrator and potentially Manager Roles, but not for all Roles.

These permissions are related to Pages - both Pages in Sections, and Custom Profile Pages.

With these permissions, you can limit the ability of some Roles to perform actions such as creating and deleting Pages.

It's important to note that Pages are a fundamental building block in upgraded Planhat (ws.planhat.com), with much wider functionality than original Planhat (app.planhat.com).

Access to Company Profile Templates and Custom Profile Pages is also affected separate tenant settings.

"PhSection" is a really important permission for upgraded Planhat (ws.planhat.com).

Sections are a key concept in upgraded Planhat. Both within your personal Home and within Libraries, Pages are organized in Sections, which group Pages by themes, such as Customer Success EMEA. Sections can be either public (where multiple Users can have access) or private (just for you).

It's an important part of using upgraded Planhat to be able to create/edit/delete Sections, even if only private Sections for yourself (plus collaborating and sharing content is also important), so we strongly recommend that you enable all the PhSection permissions for al your Roles.

Without the "View" permission, Users with that Role won't even be able to access upgraded Planhat - they'll see the message "You don't have access to the new interface yet - please contact your admin."

Similar to "PhSection", discussed above, "PhWorkspace" is an important permission for upgraded Planhat (ws.planhat.com).

PhWorkspace mainly relates to Libraries in Planhat, which are how you can organize Sections into categories (e.g. Sales Resources) and verify content. You can learn more about creating and managing Libraries here.

Roles must have at least the "View" permission for "PhWorkspace" to be able to access upgraded Planhat (ws.planhat.com) - without it, Users with that Role will see the same message as shown above for PhSection - "You don't have access to the new interface yet - please contact your admin."

In terms of the other permissions, they determine whether Users with that Role can create/update/delete Libraries. As Libraries are designed to be verified content curated by Planhat admins/builders (e.g. CS Ops), you probably don't want to give all your Roles these permissions.

These permissions define access to Service Accounts, which are used to create API access tokens. Note that in upgraded Planhat (ws.planhat.com), Service Accounts have been renamed "Private Apps", and can be found within the "App Center" Global Tool.

API access tokens can be used to access your Planhat data-model data over the API - for example, to create, update or delete Companies. We recommend that you disable the "ServiceAccount" permissions for Roles such as CSM or Sales, and leave them on for Administrator and Developer.

Snippets are pieces of templated text that you can use in Tasks and Conversations to save time. In upgraded Planhat (ws.planhat.com), Snippets are configured within the "Settings" Global Tool. Then, when typing in a Description, you use the # symbol to bring up the Snippets to select from.

With these permissions, you can determine who has access to creating and deleting Snippets, and other Snippet-related actions. It can be useful to restrict access to ensure your Snippets library stays tidy.

Make sure you enable at least the "View" permission for your standard Users (e.g. CSMs), so that they can apply existing Snippets.

If this permission is enabled, you will be able to access the "StatesLogs" model when building charts in Dashboard and Presentation Pages.

StatesLog stores changes to list fields, and is particularly used to track/visualize the number of days a Company spends in each phase.

This set of permissions is related to the "Teams" section of the "Settings" Global Tool.

Teams can be used to define portfolio access in Roles (we will release an article on portfolio access in future), as well as being a way to filter Companies (see example below). Via the "Team" permissions, you can control whether a Role can do things like add Users to existing Teams, or create new Teams - so you may want to limit these permissions for some Roles.

Note that the "View" permission is required to be able to filter on Teams, as well as to see the Teams in Settings.

User is the Planhat model for you and your colleagues (i.e. Planhat Users within your tenant).

In upgraded Planhat (ws.planhat.com), you manage Users within the "Settings" Global Tool.

These permissions enable you to manage the Users of your tenant - adding and activating new Users, etc.

You'll want these permissions enabled for your Administrator and potentially Manager Roles, but you should limit permissions for other Roles.

These permissions refer to the Roles within the "Settings" Global Tool - what we're discussing setting permissions for right now! Roles with the "UserRole" set of permissions can create and edit Roles.

Configure the "UserRole" permissions to determine whether a Role can view, update or create Roles etc. You'll want these permissions enabled for your Administrator and potentially Manager Roles, but you should limit permissions for other Roles.

Like you just saw for User (above), be careful with the permissions for "UserRole", for data security. We recommend that you restrict access for non-Administrator Roles.

Workflows, formerly called Playbooks, are an easy - yet sophisticated - way to automate a series of actions - tasks and/or email steps. The two main types of Workflow are Projects and Sequences.

In upgraded Planhat (ws.planhat.com), Workflow Templates are configured in the "Workflows" Global Tool (shown in the screenshot below).

Workflows are an important part of customer/prospect management.

Without the "View" Workflow permission, you won't be able to see/access the "Workflows" Global Tool, or add a Workflow 360 Page, or view Workflows on Company Profiles, so generally, you'll want this enabled for all Roles - although Developers don't necessarily need this ability.

See below for how Workflow Template permissions also affect access.

These permissions control whether Workflow Templates (shown in the above Workflows screenshot) can be created etc.

A Workflow Template is a templated process, defining what actions (tasks and emails) should happen and when. Once designed, you activate your Workflow Template so it can be applied to specific Companies or End Users.

This set of permissions is for Administrators and Managers designing Workflows.

The "WorkspaceTemplate" permissions (not to be confused with WorkflowTemplate above) relate to the Home Templates feature. Home Templates (which you configure within the "Content Manager" Global Tool are the way a Planhat admin (such as you) can pin Sections to the Homes of specific groups of Users, recommend Sections at their first Home set-up, and/or recommend Pages.

(WorkspaceTemplate permissions also control access to Portal Templates, where they are available in tenants - currently this feature is still under construction.)

Home Templates enable Planhat admins to carry out a form of top-down personalization, guiding the general Users within the tenant.

It's recommended that only the Administrator and potentially Manager Roles have the "WorkspaceTemplate" permissions turned on, so not everyone can create/edit/delete Home Templates.