Permissions

Overview

Ziptask uses an attribute-based permission model. Each role owns a set of resource + action + scope permissions that determine exactly what its members can see and do. System roles cover the most common configurations out of the box; custom roles let Root users build tailored access for their specific workflows.


Permission Scopes

Each permission has a scope that controls which records the role can act on:

| Scope | Meaning |
|---|---|
| account | Any record within the account — no ownership restriction |
| team | Records belonging to the member’s teams, plus any they created or are directly assigned to |
| own | Only records the member created or is directly assigned to |

System Roles

All accounts include five built-in system roles. They cannot be edited or deleted.

Root

One per account. Full access to every resource including billing, feature flags, and role management.

What Root can do: Everything Admin can do, plus toggle feature flags, manage billing and subscription, create and delete custom roles, and change any member’s role.


Admin

What Admin can do: See all task lists across the account. Create, edit, delete, assign members to, and approve items on any list. Manage all teams, members, projects, tags, and templates. View reports and account-wide activity. View the store.

| Resource | Actions | Scope |
|---|---|---|
| Task Lists | read, create, update, delete, assign, approve | account |
| Teams | read, create, update, delete | account |
| Members | read, create, update, delete | account |
| Projects | read, create, update | account |
| Templates | read, create, update, delete | account |
| Tags | read, create, update, delete | account |
| Reports, Activity Log, Store | read | account |

Team Admin

Requires: teams_enabled feature flag on.

What Team Admin can do: Fully manage task lists, items, and team membership within their own team(s). See all members and account-level resources (templates, tags, store) but cannot create or modify them. Cannot create or manage projects — that is an Admin/Root responsibility.

| Resource | Read scope | Write scope (create / update / delete / assign / approve) |
|---|---|---|
| Task Lists | team | team |
| Task Items | team | team |
| Teams | account | team (own teams only) |
| Members | account | — (read-only) |
| Templates | account | — (read-only) |
| Tags | account | — (read-only) |
| Attachments | team | team |
| Reports, Activity Log | team | |
| Store | account | |

Team User

Requires: teams_enabled feature flag on.

What Team User can do: See all task lists belonging to their teams. Create and manage their own lists. Pick up, complete, comment on, and upload attachments to any list on their teams. Browse and redeem from the store. Cannot approve items, manage templates or tags, or see lists outside their teams.

| Resource | Actions | Scope |
|---|---|---|
| Task Lists | read | team |
| Task Lists | create, update, delete | own |
| Teams | read | team |
| Members | read | account |
| Templates | read | account |
| Store | read | account |

User

What User can do: See and manage task lists they created or are directly assigned to. Pick up, complete, comment on, and upload attachments to those lists. View the full member directory, available templates, and the store. Cannot see other members’ private lists, cannot approve items, cannot manage any account-level resources.

| Resource | Actions | Scope |
|---|---|---|
| Task Lists | read, create, update, delete | own |
| Members | read | account |
| Templates | read | account |
| Tags | read, create | account |
| Billing | read | account |
| Store | read | account |

What permissions control

Task list access and item interactions

A member’s ability to interact with a task list — create items, complete them, comment, or upload attachments — flows entirely from their Task List permissions. There is no separate “Task Items” resource; everything within a list is gated by whether the member can update that list.

| Task List permission | What it unlocks |
|---|---|
| read | See the list and its items, comments, and attachments |
| create | Create new task lists |
| update (own/team) | Add items, pick up and complete items, comment, upload and delete own attachments, edit list title/description/due date |
| update (account) | All of the above on any list, plus set point values, configure approval requirements, assign items to members, delete any attachment, and reset completed items |
| delete | Delete a task list |
| assign | Add or remove member assignments on a list |
| approve | Approve or reject items submitted for approval; reset completed items |

Scope and readonly lists

If a member has task_list:update:own or task_list:update:team scope and they reach a list they did not create and are not assigned to, that list appears read-only — they can view it but cannot add items, comment, or upload attachments. Readonly status is per-member, per-list.
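The scope rules and the per-member, per-list read-only outcome can be worked through in code. This is an added example, not Ziptask's own implementation: the `Member` and `TaskList` classes and the function names are hypothetical, grants use the `resource:action:scope` form shown above, and it assumes a list is read-only when `read` is in scope for the member but `update` is not.

```python
from dataclasses import dataclass, field
from typing import Optional

SCOPES = ("own", "team", "account")

@dataclass
class Member:
    id: str
    teams: set
    grants: set  # strings such as "task_list:update:team"

@dataclass
class TaskList:
    creator: str
    team: Optional[str] = None
    assignees: set = field(default_factory=set)

def in_scope(member, record, scope):
    """Apply the scope table: does this record fall inside the given scope?"""
    owns = record.creator == member.id or member.id in record.assignees
    if scope == "account":
        return True                                   # no ownership restriction
    if scope == "team":
        return owns or record.team in member.teams    # team records plus own
    return owns                                       # "own"

def allowed(member, record, action, resource="task_list"):
    """True if any grant for this action has a scope that covers the record."""
    return any(
        f"{resource}:{action}:{scope}" in member.grants
        and in_scope(member, record, scope)
        for scope in SCOPES
    )

def list_view(member, record):
    """How the list appears to this member: hidden, read-only or editable."""
    if not allowed(member, record, "read"):
        return "hidden"
    return "editable" if allowed(member, record, "update") else "read-only"

# Constructed sample data: a custom-role member who reads account-wide
# but may only update within their own teams.
m = Member("m1", {"ops"}, {"task_list:read:account", "task_list:update:team"})
ops_list = TaskList(creator="m2", team="ops")
sales_list = TaskList(creator="m3", team="sales")
assigned_sales = TaskList(creator="m3", team="sales", assignees={"m1"})
```
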


Custom Roles

Requires: Starter plan or above.

Root users can create custom roles from the Roles page (accessible via the Roles nav item in the sidebar). Custom roles work identically to system roles — they own a set of resource + action + scope permissions and are assigned to members via the invite flow or the member detail page.

Permissions available to custom roles:

| Resource | Available actions | Scope restriction |
|---|---|---|
| Task Lists | read, create, update, delete, assign, approve | own / team / account |
| Projects | read, create, update, delete | own / account |
| Teams | read, create, update, delete | team / account |
| Members | read, create, update, delete | team / account |
| Templates | read, create, update, delete | account only |
| Tags | read, create, update, delete | account only |
| Reports | read | own / team / account |
| Activity Log | read | own / team / account |
| Project Costing | read | own / account |
| Store | read, create, update, delete | account only |
| Roles | read, create, update, delete | account only |

Billing and feature flag permissions are not available to custom roles — those remain exclusive to Root.

Note on attachments: Attachment access is not a separate permission. Uploading and viewing attachments on a task list is governed by the member’s Task List permissions — update scope grants the ability to upload and delete their own attachments; update:account additionally allows deleting any member’s attachments.

Account-only resources: Templates, Tags, Store, and Roles do not have a meaningful own or team scope. The permission grid restricts these to account scope only.

Team/account-only resources: Teams and Members have no individual ownership concept (no creator FK on the entity), so own scope is not available. The permission grid offers team and account scope only.

Project Costing scope: own means the member can only view cost data for projects where they are the assigned project manager. account grants visibility into cost data for all projects.

Scope cascade rule: Setting any write action to a scope automatically raises the read scope to at least the same level (e.g. setting update = team forces read ≥ team).

Deleting custom roles: Deleting a role that has members assigned shows a warning indicating how many members will be affected. On confirmation, the role is deleted and those members’ role assignment is cleared — they will have no role until Root reassigns them.

When changes take effect: After editing a custom role, members will see the updated permissions on their next login or token refresh — typically within 15 minutes.
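The scope restrictions in the custom-role table and the scope cascade rule can be enforced together when a role definition is saved. The following is an added example, not Ziptask's code: `normalize_role` and the `GRID` table are hypothetical, and every resource key other than `task_list` is an assumed name for the resource in the table above.

```python
RANK = {"own": 0, "team": 1, "account": 2}
CRUD = {"read", "create", "update", "delete"}
# resource key -> (available actions, allowed scopes), from the custom-role table.
# Keys other than "task_list" are assumed names, not taken from the page.
GRID = {
    "task_list": (CRUD | {"assign", "approve"}, {"own", "team", "account"}),
    "project": (CRUD, {"own", "account"}),
    "team": (CRUD, {"team", "account"}),
    "member": (CRUD, {"team", "account"}),
    "template": (CRUD, {"account"}),
    "tag": (CRUD, {"account"}),
    "report": ({"read"}, {"own", "team", "account"}),
    "activity_log": ({"read"}, {"own", "team", "account"}),
    "project_costing": ({"read"}, {"own", "account"}),
    "store": (CRUD, {"account"}),
    "role": (CRUD, {"account"}),
}

def normalize_role(requested):
    """requested: {resource: {action: scope}} -> set of 'resource:action:scope'."""
    grants = set()
    for resource, actions in requested.items():
        if resource not in GRID:  # e.g. billing and feature flags stay Root-only
            raise ValueError(f"{resource} is not available to custom roles")
        allowed_actions, allowed_scopes = GRID[resource]
        for action, scope in actions.items():
            if action not in allowed_actions:
                raise ValueError(f"{resource} has no action {action}")
            if scope not in allowed_scopes:
                raise ValueError(f"{resource} does not allow scope {scope}")
        # Cascade: read must be at least as wide as the widest write action.
        writes = [s for a, s in actions.items() if a != "read"]
        effective = dict(actions)
        if writes:
            floor = max(writes, key=RANK.get)
            current = effective.get("read")
            if current is None or RANK[current] < RANK[floor]:
                effective["read"] = floor
        grants |= {f"{resource}:{a}:{s}" for a, s in effective.items()}
    return grants
```
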


Support Notes

  • Roles are assigned per account membership. A user can have different roles in different accounts.
  • teams_enabled must be on for Team Admin and Team User to appear as options in the role picker. If an admin cannot see those roles when inviting a member, check the feature flag in Account Settings.
  • Item approval — approving/rejecting a submitted item or resetting a completed item — requires task_item:approve. Root and Admin have this at account scope; Team Admin has it at team scope (own teams only). If a custom role needs approval authority, add the appropriate task_item:approve grant.
  • A member on a readonly list (they have update scope but are not the creator or assignee) can still view all items, comments, and attachments — they just cannot add or change anything.
  • After editing a custom role, members will see the updated permissions on their next login or token refresh (typically within 15 minutes).
  • Custom roles are available on Starter plan and above. The Roles page is accessible to Root on all plans but shows an upgrade prompt instead of the New Role button on Free.