Planhat is incredibly powerful, with a wide variety of features; and also your Planhat tenant is home to a large amount of data, with all your customer data compiled in one place. So that Planhat isn't overwhelming for individual Users, and to enable security and control, you (as a Planhat admin) use "Roles" to configure access levels (set permissions) for groups of Users, streamlining what they see in the UI.

"Roles" are typically based on job role, such as Administrator, Manager, CSM and Developer. They are a similar concept to profiles or permission sets in other tools. In upgraded Planhat (ws.planhat.com), you configure Roles within the "Settings" Global Tool. See here for more general information about Roles.

The main groups of permissions within Roles are data model permissions and workflow permissions (for features and Modules), which are tabs within Roles (shown to the right-hand side of the screenshot below).

In this article, we will focus specifically on the "Portfolio permission" section at the top of each Role (shown in the screenshot below). Portfolio permissions define which Companies (customers/prospects) Users with that Role can see (e.g. in the Data Explorer). This means you can restrict access for data security, while ensuring each Planhat User sees the Company data they need. For example, you might want a CSM to only see the Companies that they manage. Or you might want a Manager to view the Companies managed by their team.

"Portfolio permission" is a dropdown menu within each Role, where you can choose from 4 options:

We describe each of these in more detail below.

You can click on the images throughout this article to view them enlarged.

This is the most restrictive portfolio permission.

It means that (e.g. in the Data Explorer) you only see the Companies where you are either the Owner or the Co-Owner. "Owner" and "Co-Owner" are standard (default/system) team member type fields on the Company model.

For data security reasons, or so their view isn't cluttered with irrelevant data, you may want Users with the "CSM" Role to only have access to the Companies that they manage.

"Full Access" means that Users with that Role will have access to every Company in your Planhat tenant.

This is typically selected for the "Administrator" Role, as Planhat admins will need to see all data. You might also want to give Full Access to the "Manager" Role.

"Team Access" is a portfolio permission aimed at managers.

It uses the "Team" feature, which you can configure in the "Settings" Global Tool. "Teams" allow you to group your choice of Users based on job role (e.g. CSM team) or location (e.g. Australia team), etc. Once created, you can then apply the Team as a filter throughout Planhat, as well as using the Team within portfolio permissions as discussed here.

"Team Access" gives you access to Companies managed by your teammates within the Team (i.e. Companies where they are Owner or Co-Owner, in addition to Companies where you are the Owner or Co-Owner), but only if you are selected as a "Manager" within that Team.

The screenshot below shows you where to configure Teams, and shows a Manager specified within the Team. (Note that this is set within the Team itself, by hovering over a name and selecting "Promote to manager"; it's independent of a User being assigned a "Manager" Role.)

A typical use case would be the manager of the Enterprise CSM team needing to see the entire Enterprise portfolio managed by their team, but not other Companies managed by other CSM teams.

"Team Access" is typically applied to the "Manager" Role.

This portfolio permissions option enables you to configure your own choice of Company filter to apply to a Role. This gives you more flexibility, as it enables you to specify/limit Companies based on properties other than who is the Company Owner or Co-Owner.

You can specify different filters within different Roles.

For example, if you have a Renewals team working specifically on renewals (but those Companies are managed by a separate CSM team), you could create a filter of "Phase is equal to Renewal" for a custom "Renewals" Role.

You can include multiple conditions if desired, such as "Company Tier is SMB and Region is Americas".

If you've given a Role "Full Access" for its portfolio permission, that's it! You can move on to setting the data model permissions in the Role.

However, if you've assigned any of the other options, another setting will display underneath the "Portfolio permission": "Extended Groups". This is a toggle switch, as shown in the screenshot below.

This setting is related to Company group structures: parent and child Companies (e.g. you might have Coca-Cola Global as a parent Company, with Coca-Cola Germany and Coca-Cola Spain as child Companies).

If the "Extended Groups" permission is enabled, it extends the Role's access so its Users can see all Companies in the group structure, if the Planhat User has access to at least one Company. This can be useful for situations where a different User is the Owner of the parent than the child.