Team Permissions & Roles | Access Control Guide

Configure GitScrum RBAC: Org Admin, Project Admin, Member, Guest. Set contractor access with expiration. Integrate with SSO for automated provisioning.

6 min read

Permissions that are too restrictive slow work down. Permissions that are too open create security and governance risks. GitScrum's role-based access control lets you configure the right level of access for each team member, balancing productivity with control.

Permission Challenges

Too Restrictive	Too Open
Constant access requests	Accidental changes
Slowed decision making	Sensitive data exposure
Frustrated team	Audit failures
Workarounds emerge	No accountability

Role Hierarchy

Standard Roles

GITSCRUM ROLE HIERARCHY
═══════════════════════

ORGANIZATION ADMIN
├── Full organization control
├── Billing and subscription
├── User management
├── All project access
└── Settings and integrations

PROJECT ADMIN
├── Full project control
├── Member management (project)
├── Project settings
├── No org-level access
└── Cannot delete org

MEMBER
├── Create and edit tasks
├── View all project data
├── Comment and collaborate
├── Limited settings access
└── Cannot manage members

GUEST
├── View-only by default
├── Limited to specific projects
├── Comment (if enabled)
├── Time-limited access
└── No settings access

CLIENT
├── View project progress
├── Approve deliverables
├── Comment on tasks
├── No internal discussions
└── Filtered view

Permission Matrix

PERMISSION MATRIX
═════════════════

Action                  │ Admin │ P-Admin │ Member │ Guest │ Client
────────────────────────┼───────┼─────────┼────────┼───────┼────────
Create tasks            │   ✓   │    ✓    │   ✓    │   ✗   │   ✗
Edit own tasks          │   ✓   │    ✓    │   ✓    │   ✗   │   ✗
Edit any task           │   ✓   │    ✓    │   ✗    │   ✗   │   ✗
Delete tasks            │   ✓   │    ✓    │   ✗    │   ✗   │   ✗
View all tasks          │   ✓   │    ✓    │   ✓    │   △   │   △
Comment                 │   ✓   │    ✓    │   ✓    │   △   │   ✓
Manage members          │   ✓   │    ✓    │   ✗    │   ✗   │   ✗
Change project settings │   ✓   │    ✓    │   ✗    │   ✗   │   ✗
Access billing          │   ✓   │    ✗    │   ✗    │   ✗   │   ✗
Manage integrations     │   ✓   │    ✓    │   ✗    │   ✗   │   ✗
Export data             │   ✓   │    ✓    │   ✗    │   ✗   │   ✗

✓ = Allowed  ✗ = Denied  △ = Configurable

Role Configuration

Creating Custom Roles

CUSTOM ROLE SETUP
═════════════════

EXAMPLE: "Developer" Role

Name: Developer
Description: Standard development team member

TASK PERMISSIONS:
├── ✓ Create tasks
├── ✓ Edit own tasks
├── ✓ Edit any task (in assigned projects)
├── ✗ Delete tasks
├── ✓ Change task status
└── ✓ Add time entries

BOARD PERMISSIONS:
├── ✓ View all boards
├── ✗ Create boards
├── ✗ Edit board settings
└── ✓ Use filters

PROJECT PERMISSIONS:
├── ✓ View project settings
├── ✗ Edit project settings
├── ✗ Manage project members
└── ✗ Access sensitive data

REPORTING:
├── ✓ View team reports
├── ✗ Export data
├── ✓ View own time reports
└── ✗ View salary data

Contractor/External Role

CONTRACTOR ROLE CONFIG
══════════════════════

Name: Contractor
Description: External contributor with limited access

ACCESS SCOPE:
├── Projects: Only assigned projects
├── Duration: Expires on [date]
├── Hours: Time tracking required
└── Visibility: Public tasks only

PERMISSIONS:
├── ✓ View assigned tasks
├── ✓ Edit assigned tasks
├── ✓ Add time entries
├── ✓ Comment on tasks
├── ✗ View all project tasks
├── ✗ Access other projects
├── ✗ Export any data
├── ✗ Access internal discussions
└── ✗ Invite others

AUTO-ACTIONS:
├── Notify admin 7 days before expiry
├── Remove access on expiry date
├── Archive contractor's activity log
└── Reassign open tasks

Team Structure

Project Teams

PROJECT TEAM CONFIGURATION
══════════════════════════

Project: Website Redesign

TEAM MEMBERS:
┌────────────────────────────────────────────────┐
│  Name              │ Role         │ Access     │
├────────────────────────────────────────────────┤
│  Sarah Chen        │ Project Admin│ Full       │
│  Mike Johnson      │ Developer    │ Standard   │
│  Lisa Park         │ Developer    │ Standard   │
│  Tom Wilson        │ Designer     │ Standard   │
│  Jane Doe          │ Contractor   │ Limited    │
│  John Client       │ Client       │ View Only  │
└────────────────────────────────────────────────┘

TEAM PERMISSIONS:
├── All members see project board
├── Only admins manage settings
├── Client sees filtered view
├── Contractor access expires Apr 1
└── Notifications: All members

Cross-Project Access

MULTI-PROJECT ACCESS
════════════════════

User: Mike Johnson

PROJECT ACCESS:
├── Website Redesign    → Developer (active)
├── Mobile App v2       → Developer (active)
├── Infrastructure      → Guest (read-only)
├── Sales Pipeline      → None
└── HR Project          → None

ORGANIZATION ROLE: Member
├── Can join public projects
├── Can request project access
├── Cannot create projects
└── Cannot access billing

Best Practices

For Permission Setup

Least privilege — Start minimal, add as needed

Role-based — Assign roles, not individual permissions

Regular audits — Review access quarterly

Document rationale — Why each role exists

Automate off-boarding — Remove access promptly

Common Configurations

CONFIGURATION EXAMPLES
══════════════════════

STARTUP (5-10 people):
├── 1-2 Org Admins
├── All others: Members
├── Minimal role separation
└── Trust-based model

AGENCY (10-50 people):
├── 2-3 Org Admins
├── Project Admins per client
├── Developers: Member role
├── Contractors: Limited role
└── Clients: Client role

ENTERPRISE (50+ people):
├── Dedicated Admins
├── Tiered project access
├── SSO integration
├── Audit logging
├── Compliance roles
└── Automated provisioning

Anti-Patterns

PERMISSION MISTAKES:
✗ Everyone is admin
✗ No role documentation
✗ Manual access management
✗ Stale contractor access
✗ No regular audits
✗ Overly complex roles
✗ Ignoring least privilege