# User permissions

Comind.work controls what users can see and do through workspace roles, permission groups, and granular access controls at the app, record, and field level.

## Workspace roles

Each workspace includes three predefined roles:

* **Workspace admin**: full administrative access to the workspace
* **Workspace user**: standard user access with configurable permissions
* **Inactive workspace user**: restricted access for users who no longer actively participate

## Permission groups

For more advanced permission scenarios, you can use groups to organize users. For instructions on creating and managing groups, see [manage groups and permissions](/admin-guide/workspace-admin/manage-groups-permissions.md).

* **Global groups (METAMETA)**: created by system administrators and available across all workspaces
* **Workspace groups**: managed by workspace administrators and specific to the current workspace

## App, record, and field-level access

When multiple permission rules apply, the most restrictive rule wins. Workspace admins and system admins are exempt from this restriction - they always have full access regardless of ACL rules.

### App-level access

Users need permission to view and interact with specific apps within the workspace.

### Record-level permissions

Access to individual records can be:

* **Predefined**: set by default rules when records are created
* **Dynamic**: updated on a per-record basis as needed

### Field-level visibility

Specific fields within records can be hidden from certain users or groups, providing granular control over sensitive information.
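The "most restrictive rule wins" evaluation and the admin exemption described in this section can be modelled as follows. This is an added illustration, not Comind.work code: the `Access` levels, the `Rule` shape, the role strings, and the deny-by-default behaviour when no app-level rule matches are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    # Assumed ordering for the example: lower value = more restrictive.
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass(frozen=True)
class Rule:
    scope: str       # "app", "record", or "field:<name>" (hypothetical format)
    principal: str   # a user id or a group name
    access: Access


# Hypothetical role identifiers standing in for workspace admin / system admin.
ADMIN_ROLES = {"workspace_admin", "system_admin"}

# Constructed sample rules for one app, one record, and one sensitive field.
SAMPLE_RULES = [
    Rule("app", "staff", Access.WRITE),
    Rule("record", "contractors", Access.READ),
    Rule("field:salary", "contractors", Access.NONE),
]


def effective_access(user, role, groups, rules, field=None):
    """Return the access a user ends up with for a record, or one of its fields."""
    # Admins are exempt: ACL rules are never consulted for them.
    if role in ADMIN_ROLES:
        return Access.WRITE
    principals = {user} | set(groups)
    scopes = {"app", "record"}
    if field is not None:
        scopes.add(f"field:{field}")
    matched = [r for r in rules if r.principal in principals and r.scope in scopes]
    # Assumption: without an app-level grant the user cannot reach the app at all.
    if not any(r.scope == "app" for r in matched):
        return Access.NONE
    # Every matching rule applies; the most restrictive one decides.
    return min(r.access for r in matched)
```

A user in both `staff` and `contractors` ends up with read access to the record and no access to `salary`, which is the case worth checking when someone is added to a second group: membership can reduce access as well as extend it.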

## Action permissions

### Preconditions

Users can only see and perform actions they're authorized to execute. Unauthorized actions are automatically hidden from the interface.

### Data consistency rules

Post-conditions ensure data integrity by preventing certain changes to records, which users often perceive as permission restrictions.

## Related

* [Permissions matrix](/admin-guide/workspace-admin/permissions-matrix.md) - detailed breakdown of what each role and group can do
