Authorium uses a role-based permissions model at two levels: the organization level and the project level. Organization roles govern platform-wide administrative capabilities, while project roles determine access within individual projects. This structure ensures user access is limited to the actions required to perform their responsibilities and supports strong security boundaries.
Organization roles define permissions affecting the entire organization account. The three default organization roles are:
Account Owner: Highest level of authority. Always has full and unrestricted permissions for all organization-level and project-level administrative actions. These permissions cannot be modified or reduced.
Admin: Has broad administrative access with some limitations. Permission toggles can be enabled or disabled based on organizational needs.
Project Creator: Can create and manage projects. Has restricted access to organization-wide configuration settings.
Key characteristics:
Each organization must have at least one Account Owner.
Organizations may have multiple Account Owners.
Account Owner permissions are always on and cannot be changed.
Additional Account Owner, Admin and Project Creator permissions can be configured through the Roles and Permissions table.
Users may participate in project roles even if they do not hold an organization-level role.
Project roles govern actions within a specific project. The standard project roles include Project Owner, Project Manager, Editor, Contributor, External Guest, Reviewer, and Viewer. Project Owners have unrestricted control over all modules within the project. Other roles have permission-based access.
Users can also be assigned custom project roles, which begin in view-only mode until permissions are manually enabled.
This section documents how Account Owners are created, managed, and removed in Authorium. These actions support secure lifecycle management of privileged accounts.
Creation of a New Organization
When a new organization is created through Authorium’s App Administration panel, the creator must provide a valid email address for an initial Account Owner.
The organization cannot be created without designating this initial Account Owner.
Automatic Assignment of Account Owner Role
The user associated with the provided email is created as the first member of the organization.
This user is automatically assigned the Account Owner role.
All Account Owner permissions are granted immediately and cannot be modified or disabled.
Adding Additional Account Owners
Once the initial Account Owner is active, they may add additional Account Owners.
Additional Account Owners are added from the Organization Members page.
Any existing Account Owner can update another user’s role and assign them the Account Owner designation.
Removal of Account Owner Role
Account Owners may remove other Account Owners from their role through the Organization Members page.
Removal follows the same workflow as updating any member’s role.
The user is downgraded to the selected non-owner organization role or may be archived if appropriate.
System Safeguard: Must Maintain at Least One Account Owner
The system prevents removal of the final remaining Account Owner.
At least one active Account Owner must exist at all times to ensure continued administrative control.
Archiving an Account Owner
Before archiving an Account Owner, another Account Owner must be assigned.
After a successor is designated, the outgoing Account Owner can be archived like any other member.
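The safeguard above has to hold on both paths that take an owner out of service: a role downgrade and an archive. The Python model below is an added example, not Authorium's code; the class, method names, member record layout and the simple email check are assumptions made for illustration.

```python
# Added illustration: a minimal model of the Account Owner lifecycle rules
# described above. All names here are hypothetical, not Authorium's API.
from dataclasses import dataclass, field

OWNER = "Account Owner"
ORG_ROLES = {OWNER, "Admin", "Project Creator"}


class LastOwnerError(Exception):
    """A change would leave the organization with no active Account Owner."""


@dataclass
class Organization:
    initial_owner_email: str
    # email -> {"role": role name or None, "archived": bool}
    members: dict = field(default_factory=dict)

    def __post_init__(self):
        # An organization cannot be created without an initial Account Owner.
        # The "@" test is a stand-in for real email validation (assumption).
        if "@" not in self.initial_owner_email:
            raise ValueError("a valid initial Account Owner email is required")
        self.members[self.initial_owner_email] = {"role": OWNER, "archived": False}

    def active_owners(self):
        # Archived owners do not count toward the safeguard.
        return {e for e, m in self.members.items()
                if m["role"] == OWNER and not m["archived"]}

    def _guard(self, email):
        # Refuse the change if `email` is the only remaining active owner.
        if self.active_owners() == {email}:
            raise LastOwnerError(f"{email} is the final Account Owner")

    def set_role(self, email, role):
        if role not in ORG_ROLES:
            raise ValueError(f"unknown organization role: {role}")
        member = self.members.setdefault(email, {"role": None, "archived": False})
        if role != OWNER:
            self._guard(email)  # a downgrade counts as a removal
        member["role"] = role

    def archive(self, email):
        self._guard(email)  # archiving also takes an active owner out of service
        self.members[email]["archived"] = True
```

In a multi-user system the count and the update would need to happen in one transaction, otherwise two owners removing each other at the same time could both pass the check.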
The Account Owner role is the foundational administrative role within Authorium. It is always created at organization inception, holds full and permanent access, and is responsible for governance of additional privileged roles. The setup and removal workflows follow a predictable, fully auditable pattern based on role assignment through the Organization Members page, with system-level protections ensuring that privileged access is never left without coverage.