As we discuss in our article introducing Roles, restricting access is vital for security and control, as well as improving ease-of-use by streamlining the UI for Users, so each person only sees what's relevant to them.

Roles (which you configure within the "Settings" Global Tool) enable Planhat admins/builders to configure permissions for Users (your colleagues using Planhat).

In this article, we'll focus specifically on the "features" section in the "workflow permissions" tab within Roles. We will deep-dive into a selection of the individual permissions, showing you exactly what features they are referring to. Each of the workflow feature permissions is a single simple toggle switch to enable/disable access. (For information on the "Modules" section of the "workflow permissions" tab, see our separate article here.)

Click the image to view it enlarged

Note that we have listed the permissions below in alphabetical order, rather than the order they appear in the Planhat app.

We don't list every possible permission below; for other workflow feature permissions, you can read a brief description in the Planhat app under the permission, and reach out to the Planhat team if you need further assistance.

You can click the images below to view them enlarged.

"Admin Access" is an important workflow permission that has wide-ranging effects. It controls access to a variety of settings in upgraded Planhat (ws.planhat.com).

"Admin Access" is required to be toggled on for:

This list is not necessarily exhaustive, and "Admin Access" may also affect other features, particularly as additional functionality is added to upgraded Planhat.

The "Admin Access" permission enables you to access a wide range of functionality that's vital for setting up and customizing your Planhat tenant.

"Admin Access", as the name suggests, is a key permission for Planhat admins/builders (such as yourself) with the Administrator Role. You'll also likely want the Manager Role to have "Admin Access" turned on. However, it's not recommended to enable it for all Roles (e.g. CSM) - you likely don't want general Users to have this permission turned on, for data security, and to streamline their UI by removing access to parts of Planhat they shouldn't be editing.

Remember that there are also data model permissions that enable you to be more granular about access if you required. You would give a Role "Admin Access" so e.g. they could access the "Data" Global Tool, and then use the data model permissions to remove access to specific elements such as the ability to configure Health Profiles.

This permission enables you to design and manage Custom Profiles/Previews (within the "Data" Global Tool) and Custom Profile Pages (within the "Content" Global Tool).

Full-Page Profiles and Previews are both ways you can view Company records, and in Planhat you can design a variety of custom layouts (including custom tabs) that automatically apply in different scenarios.

This is an important way you can customize the UI in Planhat, but you likely want to restrict this ability to certain Roles (typically Administrator, and possibly Manager).

As well as this Role-level permission, there are additional tenant-level permissions controlling access to Custom Profile Templates and Pages, which only Planhat staff ("Super Admins") can change, as they are related to your subscription. Reach out to your CSM if you would like to change your organization's access level.

This permission relates to building custom Automations. Automations are a way to automate actions within Planhat, and have the general basic structure of "when x happens, do y". Although we offer a range of customizable Automation templates, in some circumstances you may wish to build a custom Automation, typically with the help of your Planhat Technical Account Manager (TAM).

This specific permission ("Automation Actions - Raw JS Function") controls the ability to use "execute function" (JavaScript) action steps within Automations.

In upgraded Planhat (ws.planhat.com), Automations are located within the "App Center" Global Tool. The screenshots below show where to click to create a custom Automation and select an "execute function" step.

In complex scenarios where sophisticated data transformations are required, you might need to execute a JavaScript function, which takes a series of inputs from a previous step or related model and transforms them, returning an output that can be used in subsequent steps.

These "execute function" steps are for advanced use cases, and are not expected to be required frequently. Please speak with your TAM for help setting them up.

In terms of permissions, it's very unlikely that general Users will need access to this functionality. You may want this turned on for the Administrator and Developer Roles.

Remember that access to Automations more generally is controlled by a set of data model permissions.

"Automation Actions - Raw JS Function" and related workflow permissions enable you to be more granular with your access if required.

Remember that permissions exist on a tenant level as well as a Role level, so if you don't have access to this permission/functionality at all in your tenant, please speak to your CSM or TAM.

This permission relates to building custom Automations. Automations are a way to automate actions within Planhat, and have the general basic structure of "when x happens, do y". Although we offer a range of customizable Automation templates, in some circumstances you may wish to build a custom Automation, typically with the help of your Planhat Technical Account Manager (TAM). In upgraded Planhat (ws.planhat.com), Automations are located within the "App Center" Global Tool.

This specific permission ("Automation Events - Call A Webhook") controls the ability to use "incoming webhook" in the trigger of an Automation, and "call a webhook" in an action step of an Automation. The screenshots below show where you would select these.

Webhooks can be useful to link to external systems. There are various possible use cases. For example, you could create a custom Automation that's triggered by a survey response being submitted in a third party tool (using a webhook in the trigger), and brings that data into Planhat.

In terms of permissions, it's very unlikely that general Users will need access to this advanced Automation functionality. You may want this turned on for the Administrator and Developer Roles.

Remember that access to Automations more generally is controlled by a set of data model permissions.

"Automation Events - Call A Webhook" and related workflow permissions enable you to be more granular with your access if required.

Remember that permissions exist on a tenant level as well as a Role level, so if you don't have access to this permission/functionality at all in your tenant, please speak to your CSM or TAM.

This permission relates to building custom Automations. Automations are a way to automate actions within Planhat, and have the general basic structure of "when x happens, do y". Although we offer a range of customizable Automation templates, in some circumstances you may wish to build a custom Automation, typically with the help of your Planhat Technical Account Manager (TAM).

This specific permission ("Automation Events - Scheduled") controls the ability to schedule an Automation to run on a regular interval (e.g. every Sunday at 10 pm) rather than when a specific data change occurs.

In upgraded Planhat (ws.planhat.com), Automations are located within the "App Center" Global Tool. The screenshots below show where to click to create a custom Automation and configure the Automation to run on a schedule.

The ability to automatically trigger an Automation on a regular schedule (rather than on an ad-hoc basis in response to data changes) can be useful for a variety of scenarios.

In terms of permissions, it's unlikely that general Users will need access to the functionality to set up scheduled custom Automations. Automations can make widespread data changes (e.g. updating a lot of records at once), so it's recommended that only limited Roles have access.

Remember that access to Automations more generally is controlled by a set of data model permissions.

"Automation Events - Scheduled" and related workflow permissions enable you to be more granular with your access if required.

Remember that permissions exist on a tenant level as well as a Role level, so if you don't have access to this permission/functionality at all in your tenant, please speak to your CSM or TAM.

This permission controls whether Users with that Role can sync their Google or Outlook Calendar to Planhat.

When this permission is enabled, Users can see the "Calendar" tab within their own User Profile, and click to enable the calendar sync.

Like emails, it's important that calendars are synced with Planhat for customer-facing Roles, so their customer contact is visible and recorded in Planhat. You may choose to enable this permission for all Roles.

"Content Manager" is another name for the "Content" Global Tool for admins. "Content" is home to:

"Content" is an important part of Planhat for people configuring Planhat for their organization - typically Users with the Administrator and potentially Manager Roles. You don't want all Users in your tenant to have access.

This permission controls access to the Integrations for Snowflake and BigQuery.

In upgraded Planhat (ws.planhat.com), Integrations are located within the "App Center" Global Tool.

You need the "Data Warehouse Integrations" permission enabled to view Snowflake and/or BigQuery in the main apps list (after adding them via the "+ New app" button).

With both the Snowflake and BigQuery Integrations, you can sync CRM data bidirectionally, and time-series usage data into Planhat.

It's unlikely that your general Users will need access to set up these integrations; configuring them will likely be a task for your CS Ops (e.g. with the Administrator Role) or Tech Ops (e.g. with the Developer Role).

Dashboard and Presentation Pages are great ways for you to visualize, analyze and present your data.

For these Page types, you can share insights and collaborate with colleagues by sharing them via email. Pages can be sent as a one-off, or scheduled to send on a recurring basis. The Page is sent as a PDF attachment, and can be shared with one or multiple team members.

Sharing Pages via email enables you to provide updates to the team on different metrics and insights, increasing visibility and alignment. For example, this feature could be used for updating your senior leadership every Friday evening on key customer data.

You may want to enable this feature for all Roles, or if you prefer you can only give access to Managers/Administrators.

This permission enables Users to send emails from "dynamic senders" (where a Team Member field is specified, and the relevant actual User name is filled in depending on the recipient), such as "Account Owner" or "Account CoOwner".

The "Email From Dynamic Sender" permission controls the ability to send emails from the "Account Owner" (Company Owner) or similar rather than from yourself. An example use case is for Managers to be able to send emails from their CSMs' email accounts if they are away from work.

This permission has some similarities to the "Email on my behalf" permission described below, as it related to multiple Planhat Users being able to email from an email address. Here though you are giving permission to a User to use other people's addresses based on their relationship to the Company; whereas in the other permission, a User can allow other people to choose to email from their name / email address.

Note that even Users without the "Email From Dynamic Sender" permission will still be able to send emails from another User's email address if the other User has "Public account usage" toggled on (described below for the "Email On My Behalf" permission).

This permission enables Users (you and your colleagues) to make their email address available as a "send from" option that their team members can select.

The Role permission itself doesn't automatically enable a User's email address to be available for others to send from, but it enables this feature to be turned on. Users with this Role permission will see the "Public account usage" toggle switch in the "Email" tab in their User Profile (shown in the screenshot below). They can then choose to turn this on, if they want to make their email address available as a "send from" option.

This is particularly relevant for shared accounts such as support@yourcompany.com.

You may choose to disable this permission for some Roles, to restrict the ability of your team members to email from each other's email addresses.

"Rules" is a feature within the "Data" Global Tool for admins.

Each Rule is configured on a specific data model (e.g. Company, or Opportunity, etc.), and either locks the data in your chosen fields, or makes it mandatory (required) to have data in them.

You choose whether each Rule applies to just Users, or also other "actors" (such as Automations). You can optionally set conditions (either based on fields or User properties) to define when the Rule is enforced. You can even write your own custom message to display in Planhat when a User encounters locked or mandatory fields.

Field Rules are a useful tool when it comes to field and data management, as they help avoid missing data or accidental data changes.

As they are automatically applied and affect other Users, you only want fairly senior people with experience in this feature to have access - e.g. the Administrator Role, and possibly the Manager Role.

The "Import" workflow permission controls the ability to upload data (create/update multiple records - e.g. a list of Companies) via a spreadsheet, which you can do via the "Import" tool within the central Federated Search bar (screenshots below).

Note that even with this permission disabled, you're still able to add individual records (e.g. one Company at a time) via the create forms (e.g. also in the Federated Search - see the "Add new" options in the second screenshot below) or via the Data Explorer.

Note that data model permissions still apply - so you'll need the appropriate permissions for the data models of the records you're importing.

Integrations are built-in tools you can use to link Planhat to external software (e.g. Salesforce, HubSpot, Intercom, Zendesk, Jira, Snowflake, and many more) and sync data between them.

In upgraded Planhat, Integrations are part of the "App Center" Global Tool for admins. If this permission is disabled for a Role, its Users can't see/access the "Integrations" section (pictured below).

Integrations are a vital part of compiling data into Planhat, your central source of truth for all customer/prospect data - and for syncing data insights out from Planhat too.

Only a limited set of Users (and therefore Roles) will need to actually set up and manage integrations. For example, this may be your Administrator and Developer Roles.

Users with this permission enabled can:

... via the "Libraries" Global Tool.

Libraries are collections (a bit like folders) of related content (Pages and Sections). For example, you could have Libraries based on departments or job roles (such as Sales or Leadership), or topics/processes (e.g. Onboarding or Portals).

As well as organizing content into themes, another purpose of Libraries is to house "verified" (recommended) content.

Only Planhat builders/admins/managers should be creating Libraries, as they are responsible for defining the "official" content within your organization. The Roles corresponding to these Users should have this permission turned on.

The "Library Manager" permission also enables specific Roles to be able to manage all of your tenant's Libraries, regardless of creator. This means you don't need to manually share every Library with a group of Users. Like the ability to create Libraries, you probably wouldn't want general Users in your tenant to have this ability.

We recommend that you enable this permission for your Administrator and Manager Roles.

Note that when this permission is disabled, it does not remove access to the "Libraries" Global Tool itself. Users can still view Libraries there that they have View access to, as well as viewing Library content via the Content Explorer.

When creating or editing a Library, you can see all Users who have the "Library Manager" permission enabled, in the "Library Manager access" section (shown in the second screenshot below); click "Expand list" to see the full details.

Logs can help you track and understand what's happening in your Planhat tenant - e.g. when a particular End User was created and by whom.

There are a couple of places you can view logs within Planhat:

Using logs, you can look up the history of data changes within your Planhat tenant, resolving questions such as 'When did this change take place and why?'

You may choose to restrict this access to your team members who are more technical, such as Administrators and Developers.

With this permission disabled, you'll still be able to open the Logs Explorer from the Federated Search bar or click to view logs for an individual record - it's just that the logs themselves won't display, instead giving you the message "No logs found".

You'll also need the "View" data model permissions for the relevant models to view logs.

This permission lets you edit other Users' email addresses.

You can edit User email addresses via User Profiles (see screenshots below).

This can be useful, for example, if your organization changes the domain of your email addresses.

The email addresses you're changing to must be unique: if a User already exists on any tenant with a specific email address, then you can't change another email address to that email address - you would have to create the User in the tenant and invite them.

You can only change the email address of Users who have access to only one tenant, not multiple (for security reasons).

This permission enables you to contact End Users via email (and Intercom chat messages) from Planhat.

This permission should be enabled for any Role where Users need to contact customers/prospects, so they can do so from within Planhat. Your CSM team will need this enabled; but Developers, for example, can have this turned off if they won't be reaching out to your customers.

"Conversation Summary" is one of the native AI tools built into Planhat, which saves you time. It enables you to generate a quick summary of a long conversation thread (e.g. an email chain with lots of back-and-forth messages).

The "Planhat AI Conversation Summary" permission controls whether a User with that Role can generate new Conversation Summaries - this action uses AI credits, which are available via a free trial or paid plan.

Without the permission enabled, Users can still view existing Conversation Summaries.

"Conversation Summary" is a super helpful feature that enables you to be more efficient. With this tool, you don't have to spend time reading every single message in a thread to understand the key points.

This feature is useful to everyone communicating with customers/prospects, as well as their managers, so you may want to enable this permission for all Roles. Alternatively, as generating these AI summaries uses AI credits, you may wish to restrict access.

The Planhat Support team is amazing! They're there to help you quickly when you have any technical product questions. The best way to reach them, for the fastest response, is via the in-app chat.

We recommend that you enable this permission for all Roles, so your Users can open the chat from your Planhat tenant. If this permission is disabled, Users with that Role will not see the "Chat" option to click on within Planhat.

"Content" in upgraded Planhat (ws.planhat.com) is custom Pages/Sections - your customer/prospect data displayed and organized in your choice of formats.

Users with the "Promote Content" permission enabled will be able to promote content to other Users' Homes. You can read more about promoting content in our separate article here.

"Promoting" content is great for bringing your teammates' attention to new content. It's a way of sharing your creations with your colleagues.

You may choose to just enable this permission for the Administrator and Manager Roles - if you don't want everyone to be able to display content in other Users' Homes - or you may also enable this for general Users (e.g. CSMs). Developers are unlikely to need this enabled, though.

Forecasting is an important part of customer management in SaaS. Your team members managing Companies (accounts) should enter the predicted upcoming revenue into Planhat.

The "Renewals" System Report Page is where this forecasting is typically carried out, and this workflow permission is required to access the forecast columns (including "Pessimistic" and "Optimistic" if enabled) within this report.

In Roles for your Users who manage customers (typically the CSM Role), it's important that they have the ability to input forecasts in this way. You'll also likely to want the Manager and Administrator Roles to have this permission turned on too.

You can configure whether the "Pessimistic" and "Optimistic" forecasts are shown in your tenant, in addition to the standard/main forecast, within the "Revenue Setup" section in the "Settings" Global Tool.

With this permission, you can control who can see the "Unassigned" tab in the Email Manager. The Unassigned tab is home to all the emails in your Planhat tenant that haven't been automatically assigned to a Company; here you can manually assign them.

In Planhat, emails (as with other Conversations) are linked to one Company. While most of the time, it's easy for Planhat to identify which Company to associate the email with, in some cases it's less obvious.

You'll want some Planhat Users to review the "Unassigned" tab so they can manually assign any emails that couldn't be assigned automatically, but as this shows all unassigned emails (regardless of involved End Users / Companies - i.e. it's not portfolio-based), you might not want every User to have access.