.png)
Roles & Permissions
Access in Bluprint follows one simple idea: people get exactly the access their role needs — no more. That keeps work secure, makes adding and removing people easy, and gives you a clean trail for compliance.
Three scopes
Permissions apply at three levels, from broad to narrow:
| Scope | Decides |
|---|---|
| Company | Your overall role and what you can do across the organisation. |
| Workspace | Which workspaces you can reach, and your role within them. |
| Project | Whether you're a member of a specific project's work. |
Your company role sets the ceiling; workspace and project membership decide where that role applies.
Four levels of capability
Underneath every role is one of four capability levels:
- None — no access to project work at all
- Read-only — can view, but not change
- Read/write — can view and make changes
- Admin — full control, including managing and deleting
Each role maps to one of these levels, and every action in Bluprint requires a minimum level to perform.
Principles that keep it safe
- Least privilege. Roles grant only what's needed, so a smaller set of people can make far-reaching changes.
- Membership is the source of truth. Access is always checked against your current membership — not a cached token. If your role is changed, the new limits apply immediately; old access can't linger.
- It fails closed. If a permission can't be confirmed, the answer is no. Access is never granted by default or by accident.
The same rules apply to the AI
The Associate and the AI Helpers operate inside these exact permissions — the AI can never do something your role couldn't.
In this section
- Company roles — the eight roles and what each can do.
- Project & workspace access — where your role applies.
- AI access by role — how AI is gated.
- Audit trail — the record of who did what.
- Common scenarios — which role to use when.
Next
Last updated: 2026-05-31