Roles & Permissions

WorkApps apps have four roles: viewer, org_admin_viewer, editor, and admin. The current user's role is returned by sdk.getBootstrap().

Role Capabilities

Action viewer org_admin_viewer editor admin
Read records Yes Yes Yes Yes
Create records No No Yes Yes
Update records No No Yes Yes
Delete records No No Yes Yes
Manage app settings No No No Yes

The org_admin_viewer Role

Org admins and owners have baseline read access to every app in their organization — including apps configured as private or invite_only where they haven't been invited as a member. When an org admin visits such an app, sdk.getBootstrap().role returns 'org_admin_viewer'.

This role:

Handling the new role string

If your app uses a role allowlist, add 'org_admin_viewer' to your read-allow set:

1const ALLOWED_READ_ROLES = ['viewer', 'org_admin_viewer', 'editor', 'admin'];2const ALLOWED_WRITE_ROLES = ['editor', 'admin']; // org_admin_viewer is read-only

Existing apps that treat unknown roles as "read-only, no write UI" will continue to work correctly — the conservative default maps to the correct behavior for this role.

Getting the Current Role

1const bootstrap = await sdk.getBootstrap();2// bootstrap.role — 'viewer' | 'org_admin_viewer' | 'editor' | 'admin'

Role-Based UI

Use the role to show or hide editing controls:

1const bootstrap = await sdk.getBootstrap();2const canEdit = ['editor', 'admin'].includes(bootstrap.role);34if (canEdit) {5  document.getElementById('create-btn').style.display = 'block';6  document.getElementById('edit-btn').style.display = 'block';7}

See Role-Based UI guide for more patterns.

How Roles Are Assigned

Roles are assigned by org admins in the WorkApps dashboard. Your app does not manage role assignment — WorkApps handles it.

Note: Explicit per-user grants always override the app's default access mode.

App Access Modes

Each app has an access mode that determines the default role for org members:

Mode Members can access Org admins always see? Default role for members
Open All org members Yes viewer (explicit grants can elevate)
Open + guests All org members plus guests from allowed domains Yes viewer
Invite-only Only members with an explicit grant Yes — via org_admin_viewer baseline No access without a grant
Private Only members with an explicit grant Yes — via org_admin_viewer baseline No access without a grant

Org admins' baseline visibility is a governance right, not an app-level permission. It cannot be revoked at the app level. To remove an admin's access entirely, remove them from the organization.

Access mode is configured by org admins per-app in the WorkApps dashboard.

Record-level read-only (ErrorCode.ReadOnlyRecord) is separate from app access modes — it applies when a specific record has been marked read-only regardless of the user's role.