Manage Roles and Permissions

ftrack provides role-based access control, which allows you to restrict selected system access to authorized users.

It comes with various built-in customizable default user roles, but it also allows you to create new custom roles, restricting user permissions of who can see and do what throughout the system.

Manage Roles

ftrack roles/permissions can be managed by an Admin or a role with Global permissions access to Manage settings.

To access the Roles page:

  1. Click on your Profile icon at the top-right and open System settings.
  2. Choose Security Roles.


Default Roles

ftrack comes with five pre-configured user roles that fit most studios and can be used without further customization.

Default user roles:

  • Restricted User - This user can only see the project they are assigned to and only change the status of assigned tasks.
  • Administrator - This user can change everything in ftrack, add and remove users and see all data in the system.
  • Project Manager - This user can create, edit and remove projects and project-related objects (except users).
  • User - This user can see all open projects and change the status of all tasks. 
  • API - This user role can only be used to generate global API keys.
Please note: You currently cannot reset a role to the initial default permissions in the UI. Therefore we recommend first making a clone/copy as a backup if you want to make changes.


Setting the Default Role for New Users

When creating a new user account, it will automatically be given a default role which can be updated within System settings.

To update the setting:

  1. Go to System settings > Security > Settings.
  2. Click the drop-down menu of the Default role setting and choose your preference.
  3. Save the setting.


Create a New Role

To create a new customized role, follow these steps:

  1. Go to System settings > Security > Roles page.
  2. Click the Create button, opening a new Role editor window.


Role editor window:

The Role editor enables you to customize all permissions for that role from the bottom up. From allowing a role to only see a specific dashboard or only change and save a value in a custom attribute or deciding what a user with a particular role should be allowed to edit and delete. 

Best practice: Administrator-level roles that can perform most or all actions, specifically System Settings, should be kept to a minimum so there is only one or a select few agreed-upon users that have control over the functionality of the workspace and workflows.


  1. Type in a Name for the role.
  2. Choose the Role type from the drop-down menu.


The Role type is essential because it decides the available permission set to modify on the role. Each type has a different permission set.

Three Role types to choose from:

  • Assigned - This Role type is only allowed to perform actions they have permission to act on for assigned tasks. This will also limit the user to only seeing projects with tasks they are assigned.
  • Project - This Role type is allowed to perform actions they have permission to perform project-wide on specified projects.
  • API - This Role type can be used to generate global API keys.
  1. Choose what a role can do by checking and/or unchecking the boxes in front of the actions you want the role to be allowed to perform.


List of different permission groups and permissions:

Global permissions (system-wide)

  • Manage users - Resource management within System Settings
  • Can view component details
  • Manage global events
  • Can access overview
  • Can share views with everyone
  • Can save a view as global default
  • Can view reports
  • Manage settings - these are the workspace System Settings, apart from User management which is included in 'Manage Users'.
  • Create projects
  • Can access projects
  • Can access my tasks
  • Create project dashboard
  • Share dashboard with everyone
  • Can manage user api keys
  • Can a manage custom widgets
  • Can create new external collaborators
  • Can access planning

Project Permissions (project-specific)

  • Manage team
  • Can save a view as project default
  • [API] Manage other users timelogs
  • Access other users timelogs
  • Manage project events
  • Manage object links
  • Can change status of a task
  • Can change status of a version
  • Update objects (sequence, shot, task)
  • Read bid
  • Delete objects (sequence, shot, task)
  • Delete project
  • Create attributes
  • Create objects (sequence, shot, task)
  • Create list
  • Add objects to list
  • Remove objects from list
  • Edit manager
  • Delete versions
  • Manage user access to project
  • Update project
  • View client review session
  • Manage client review session
  • Move objects

These permission groups are created to handle most production use cases and cover all the common permissions for each role while allowing users granularity.

Please note: The available permission sets and individual permissions you can select from depend on the Role type you are selecting.

  1. Save the setting.

Clone a Role

While creating a new user role, you can save time by using the Clone option to base your new role on an existing one:

  1. Click the Clone button.
  2. Use the drop-down menu to select which role you want to base it on. Rename the role in the Role name field (top-left).
  3. Save the setting.


Edit a Role

You can edit an existing role using the same Role editor dialog as when adding a new role. Go to System settings > Security > Roles.

To access the Role editor dialog, hover over the role you want to update and click the Edit (pencil) icon.


Delete a Role

To remove a role, click the Delete (trash can) icon in the shortcuts column, opening a new dialog box.


Click the red Delete button to confirm the removal.


Confirm a User's Role

To see which role a user has, go to System settings > Resources > Users and Groups. Each user's account record has a Roles attribute (see column) where you can see their assigned user role(s).


Assign a Role to a User

Once the roles are created or updated, you can assign them to specific users.


Go to System settings > Resources > Users and Groups to find your Users page.



Hover over a user whose role you want to change and click the Person/Roles icon to the left of their profile picture. This opens the Role Manager for that user.



If you are replacing an existing role for the user, hover over the existing role on the left of the dialog and click the Trash icon to remove it. 


If you are adding another role in addition to the existing role, there is no need to delete the existing role - move to step 4.

Tip: You can add more than one role to a user so they can have different roles for different projects.


At the top left, there is the Roles dropdown menu. Click the 'Select...' empty field to open the menu and select the new role.



Click ADD to confirm that role for your user.



Select the newly added role in the left pane, and from the right pane, toggle their access for All Open Projects to the desired setting. Repeat for each role (if there is more than one).

  • Toggle ON = User has access to all projects not listed as private
  • Toggle OFF = User needs to be invited to each project, private or not.



Optional: If you want to give the user access to private projects, select the project from the Projects dropdown list and click ADD. Repeat if you have more than one private project to add.

And then, repeat the full step for each role if you have multiple roles for the user.



Click Save Changes to complete the update.



Was this article helpful?
1 out of 4 found this helpful

Articles in this section