Roles & Permissions
WorkApps apps have four roles: viewer, org_admin_viewer, editor, and admin. The current user's role is returned by sdk.getBootstrap().
Role Capabilities
| Action | viewer | org_admin_viewer | editor | admin |
|---|---|---|---|---|
| Read records | Yes | Yes | Yes | Yes |
| Create records | No | No | Yes | Yes |
| Update records | No | No | Yes | Yes |
| Delete records | No | No | Yes | Yes |
| Manage app settings | No | No | No | Yes |
The org_admin_viewer Role
Org admins and owners have baseline read access to every app in their organization — including apps configured as private or invite_only where they haven't been invited as a member. When an org admin visits such an app, sdk.getBootstrap().role returns 'org_admin_viewer'.
This role:
- Has the same permissions as
viewer(read-only) - Signals that the user is seeing the app via baseline admin visibility, not via per-app membership
- Does NOT grant write access — to make changes, the admin must start an "Admin Edit Mode" session with a typed reason (see Admin Overrides)
Handling the new role string
If your app uses a role allowlist, add 'org_admin_viewer' to your read-allow set:
1const ALLOWED_READ_ROLES = ['viewer', 'org_admin_viewer', 'editor', 'admin'];2const ALLOWED_WRITE_ROLES = ['editor', 'admin']; // org_admin_viewer is read-only
Existing apps that treat unknown roles as "read-only, no write UI" will continue to work correctly — the conservative default maps to the correct behavior for this role.
Getting the Current Role
1const bootstrap = await sdk.getBootstrap();2// bootstrap.role — 'viewer' | 'org_admin_viewer' | 'editor' | 'admin'
Role-Based UI
Use the role to show or hide editing controls:
1const bootstrap = await sdk.getBootstrap();2const canEdit = ['editor', 'admin'].includes(bootstrap.role);34if (canEdit) {5 document.getElementById('create-btn').style.display = 'block';6 document.getElementById('edit-btn').style.display = 'block';7}
See Role-Based UI guide for more patterns.
How Roles Are Assigned
Roles are assigned by org admins in the WorkApps dashboard. Your app does not manage role assignment — WorkApps handles it.
Note: Explicit per-user grants always override the app's default access mode.
App Access Modes
Each app has an access mode that determines the default role for org members:
| Mode | Members can access | Org admins always see? | Default role for members |
|---|---|---|---|
| Open | All org members | Yes | viewer (explicit grants can elevate) |
| Open + guests | All org members plus guests from allowed domains | Yes | viewer |
| Invite-only | Only members with an explicit grant | Yes — via org_admin_viewer baseline |
No access without a grant |
| Private | Only members with an explicit grant | Yes — via org_admin_viewer baseline |
No access without a grant |
Org admins' baseline visibility is a governance right, not an app-level permission. It cannot be revoked at the app level. To remove an admin's access entirely, remove them from the organization.
Access mode is configured by org admins per-app in the WorkApps dashboard.
Record-level read-only (
ErrorCode.ReadOnlyRecord) is separate from app access modes — it applies when a specific record has been marked read-only regardless of the user's role.