Permission templates

Tenant-scoped capability overrides. Each template adds / removes capabilities on top of the role-derived defaults; the resolver applies them at every request. Edits are gated on workspace.settings.update. Open the permissions matrix →

Total templates

Active templates

All active

Cumulative grants

Sum across every active template

Cumulative revokes

Sum across every active template

Name	Scope	Applies to	Grants	Revokes	Memberships	Created
Estimator — exec view IDC convention: Estimators see the executive dashboard but cannot bulk-export reports.	workspace	Estimator	+1	-1	0	30 May 26	Edit →
Finance access bundle Grants finance.read_full to anyone holding Financial Controller or Finance Officer. Adjust the role list to widen / narrow finance visibility.	workspace	Finance OfficerFinancial Controller	+1	-0	1	30 May 26	Edit →
IDC Staff — baseline Tenant-wide baseline. Edit grant/revoke to layer overrides on top of role defaults.	workspace	All roles	+0	-0	6	30 May 26	Edit →

How templates blend with role defaults

Grants add capabilities on top of the role defaults. Portal users are still blocked from internal-only verbs even if the template lists them.
Revokes remove capabilities the role would otherwise hold. Useful for read-only audit users.
A template with an empty Applies to list affects every membership in the tenant; populated lists narrow the scope to the named roles.
Inactive templates persist their lists for re-activation but contribute zero grants / revokes to the resolver.

Permission templates

Total templates

Active templates

All active

Cumulative grants

Sum across every active template

Cumulative revokes

Sum across every active template

Name	Scope	Applies to	Grants	Revokes	Memberships	Created
Estimator — exec view IDC convention: Estimators see the executive dashboard but cannot bulk-export reports.	workspace	Estimator	+1	-1	0	30 May 26	Edit →
Finance access bundle Grants finance.read_full to anyone holding Financial Controller or Finance Officer. Adjust the role list to widen / narrow finance visibility.	workspace	Finance OfficerFinancial Controller	+1	-0	1	30 May 26	Edit →
IDC Staff — baseline Tenant-wide baseline. Edit grant/revoke to layer overrides on top of role defaults.	workspace	All roles	+0	-0	6	30 May 26	Edit →

How templates blend with role defaults

Grants add capabilities on top of the role defaults. Portal users are still blocked from internal-only verbs even if the template lists them.
Revokes remove capabilities the role would otherwise hold. Useful for read-only audit users.
A template with an empty Applies to list affects every membership in the tenant; populated lists narrow the scope to the named roles.
Inactive templates persist their lists for re-activation but contribute zero grants / revokes to the resolver.