Access control lets you grant each member only the access they need. Instead of a single level of access, you decide which actions every member can perform, following the principle of least privilege to keep sensitive data and settings protected.
How access control works
Access in Conversion is built from two concepts:
| Concept | What it is |
|---|
| Permission | A single action that can be performed, such as creating a blast or editing a form. |
| Role | A named collection of permissions that you assign to members. |
You can grant access at three levels:
| Level | How access is granted |
|---|
| Member | Each member is assigned a role that determines what they can do. |
| Team | Members grouped into a team are granted permissions directly, which all members of the team inherit. |
| API key | Programmatic access is granted a set of permissions, limiting what each key can do. |
Only administrators can manage access — creating roles and teams, assigning roles, and managing API keys. See Members for how to manage who belongs to your workspace.
Roles
Every member is assigned a role. Conversion provides four predefined roles, and you can define your own to grant exactly the access you intend.
| Role | Access |
|---|
| Administrator | All permissions, including administrative settings such as members, teams, authentication, and integrations. |
| Manager | All non-administrative permissions, including the ability to publish, activate, and send — for example, sending blasts and activating workflows. |
| Editor | Create, edit, and delete content, but cannot publish, activate, or send. For example, an editor can build a blast or a workflow but cannot send the blast or activate the workflow. |
| Viewer | View-only access across the workspace. |
| Custom | A role you define yourself, granting exactly the permissions you choose. |
Publishing, activating, and sending are the high-impact actions that make work go live — sending a blast, activating a workflow, or publishing a form. Reserving them for managers and administrators lets editors build and refine content safely without pushing it to your audience.
Permissions
Permissions are grouped by the area of the product they apply to. Each permission grants a single action, so you can build a custom role that allows exactly what you intend.
Administration permissions control sensitive settings such as inviting members, configuring identity and access, and managing integrations. Grant them only to members who need to manage the workspace itself.
Administration
| Permission | Description |
|---|
| Manage members | Invite, edit, and remove members, and assign their roles. |
| Manage teams | Create and edit teams and assign their roles. |
| Manage authentication | Configure SSO, SCIM, and other authentication settings. |
| Manage integrations | Connect and remove integrations such as Slack. |
| Manage email settings | Connect domains and edit communication limits and other email settings. |
| Manage CRM sync | Connect a CRM and edit rate limits and sync rules. |
| Manage data warehouse integrations | Connect and remove data warehouse integrations. |
| Manage data warehouse syncs | Configure and run syncs to and from connected data warehouses. |
| Manage API keys | Create and manage API keys and their permissions. |
| Permission | Description |
|---|
| View contacts | View contacts and their details. |
| Create contacts | Add new contacts. |
| Edit contacts | Update existing contacts, including their field values. |
| Delete contacts | Permanently delete contacts. |
Companies
| Permission | Description |
|---|
| View companies | View companies and their details. |
| Create companies | Add new companies. |
| Edit companies | Update existing companies, including their field values. |
| Delete companies | Permanently delete companies. |
Opportunities
| Permission | Description |
|---|
| View opportunities | View opportunities and their details. |
| Create opportunities | Add new opportunities. |
| Edit opportunities | Update existing opportunities, including their field values. |
| Delete opportunities | Permanently delete opportunities. |
Fields
| Permission | Description |
|---|
| View fields | View field definitions. |
| Create fields | Create new fields. |
| Edit fields | Edit existing field definitions. |
| Delete fields | Delete fields. |
Fields permissions control the field definitions themselves — the schema shared across your workspace. Editing the values stored on an individual record is included in that object’s edit permission, such as Edit contacts.
Blasts and workflow emails
| Permission | Description |
|---|
| View emails | View blasts and workflow emails. |
| Create emails | Create blasts and workflow emails. |
| Edit emails | Edit existing blasts and workflow emails. |
| Send blasts | Send a blast to its recipients. |
| Publish workflow emails | Publish a workflow email so it can send within a workflow. |
| View email performance | View performance and analytics for sent emails. |
| Delete emails | Permanently delete blasts and workflow emails. |
Templates
| Permission | Description |
|---|
| View templates | View email templates. |
| Create templates | Create email templates. |
| Edit templates | Edit existing email templates. |
| Delete templates | Permanently delete email templates. |
Workflows
| Permission | Description |
|---|
| View workflows | View workflows and their configuration. |
| Create workflows | Create new workflows. |
| Edit workflows | Edit existing workflows. |
| Activate workflows | Activate a workflow so it begins running. |
| Delete workflows | Permanently delete workflows. |
| Permission | Description |
|---|
| View forms | View forms and their submissions. |
| Create forms | Create new forms. |
| Edit forms | Edit existing forms. |
| Publish forms | Publish a form so it can collect submissions. |
| Delete forms | Permanently delete forms. |
Audiences
| Permission | Description |
|---|
| View audiences | View audiences and their members. |
| Create audiences | Create new audiences. |
| Edit audiences | Edit existing audiences. |
| Delete audiences | Permanently delete audiences. |
Ads
| Permission | Description |
|---|
| View ads | View ads and their performance. |
Campaigns
| Permission | Description |
|---|
| View campaigns | View campaigns and their members. |
| Create campaigns | Create new campaigns. |
| Edit campaigns | Edit existing campaigns. |
| Delete campaigns | Permanently delete campaigns. |
Campaign types
| Permission | Description |
|---|
| View campaign types | View campaign types. |
| Create campaign types | Create new campaign types. |
| Edit campaign types | Edit existing campaign types. |
| Delete campaign types | Delete campaign types. |
Campaign tokens
| Permission | Description |
|---|
| View campaign tokens | View campaign tokens. |
| Create campaign tokens | Create new campaign tokens. |
| Edit campaign tokens | Edit existing campaign tokens. |
| Delete campaign tokens | Delete campaign tokens. |
Folders
| Permission | Description |
|---|
| View folders | View folders and their contents. |
| Create folders | Create new folders. |
| Edit folders | Edit folders, including moving assets between them. |
| Delete folders | Permanently delete folders. |
Agents
| Permission | Description |
|---|
| View agents | View agents, their configurations, and sessions. |
| Create agents | Create new agents. |
| Edit agents | Edit agent configurations. |
| Delete agents | Permanently delete agents. |
API keys
API keys are granted a set of permissions, just like teams, so that programmatic access is limited to the actions you intend. Only administrators can create and manage API keys.
Grant each API key the narrowest set of permissions that still lets it do its job. If a key is ever exposed, least-privilege scoping limits what an attacker can reach.