How the Two Role Systems Interact
GLYPH has two separate role systems, and conflating them is the single most common source of admin confusion.
- Workspace roles — assigned when you invite someone. Govern what you can do across the whole workspace.
- Group roles — assigned per-group. Govern what you can do inside a specific group.
A user has exactly one workspace role at any given time, and a separate group role for every group they're a member of. The two systems run in parallel.
The mental model
The cleanest way to hold this in your head:
The workspace role decides whether you're allowed to touch a group at all. The group role decides what you can do once you're inside it.
Worked examples
A few cases that illustrate the interaction:
Workspace Admin, not a member of group X. You can still manage group X's membership and devices from the admin panel (workspace-level override). But you can't read its messages — you're not in the group.
Workspace User, Owner of group X. Inside group X you have full control: promote/demote, change crypto, rename, add/remove members. Outside group X your workspace-level powers are minimal.
Workspace Guest, Observer in a Broadcast group. Sees messages, can't post, can't browse for more groups. Hard ceiling.
Workspace Admin posting in a Broadcast group. Workspace Admins (along with group Owners and Managers) can post in Broadcast groups even without holding a group role that would normally allow it — another workspace-level override.
When something feels off
When permissions don't behave the way you expect, ask: which system does the permission live in? Almost every "why can/can't this person do X" question reduces to either a workspace-role question or a group-role question — or, occasionally, a workspace-level override of a group-level rule.
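The troubleshooting question above, as an added Python sketch (not GLYPH's own code): it encodes only the rules stated on this page and reports which layer decided. The role and action strings and the `explain` function are names assumed for the illustration; combinations the page does not cover return `None`.

```python
# Added illustration: a toy model of the two-layer check, not GLYPH's code.
# Role and action names are labels chosen for this sketch (assumptions).
GROUP_ADMIN_ACTIONS = {"manage_membership", "manage_devices"}
OWNER_ACTIONS = {"promote_demote", "change_crypto", "rename",
                 "manage_membership"}

def explain(ws_role, group_role, action, broadcast=False):
    """Return (allowed, deciding_layer) for one user, one group, one action.

    ws_role:    "admin" | "user" | "guest"
    group_role: "owner" | "manager" | "observer" | None (not a member)
    allowed is None when the page states no rule for the combination.
    """
    # Workspace-level rule: guests cannot browse for more groups.
    if action == "browse_groups" and ws_role == "guest":
        return False, "workspace role"
    # Workspace-level override: admins manage membership and devices of any
    # group from the admin panel, whether or not they are a member.
    if ws_role == "admin" and action in GROUP_ADMIN_ACTIONS:
        return True, "workspace override"
    # Reading requires being in the group; the page describes no override.
    if action == "read_messages":
        if group_role is None:
            return False, "group role"
        return True, "group role"
    if action == "post" and broadcast:
        if group_role in ("owner", "manager"):
            return True, "group role"
        # Assumption: the override is modelled only for admins who are
        # members; the page does not say whether a non-member admin can post.
        if ws_role == "admin" and group_role is not None:
            return True, "workspace override"
        if group_role == "observer":
            return False, "group role"
        return None, "not stated"
    # Group-level rule: the Owner has full control inside the group.
    if group_role == "owner" and action in OWNER_ACTIONS:
        return True, "group role"
    return None, "not stated"
```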