User Direct Permissions
Direct permissions let you grant a specific permission to one user without changing their role.
Use this when a single person needs access to something that the rest of their role should not have — for example, one buyer who also needs to approve purchase orders, without promoting everyone on the Buyer role.
How direct permissions work
Direct permissions are additive. A user has a permission if their role grants it, if an inherited role grants it, or if it has been granted directly. There is no deny mechanism.
Direct permissions survive a role change. If you move a user to a different role, their direct permissions come with them, so check the user's direct grants in the Access tab whenever you change their role.
In any permission list, direct permissions are marked with a Direct source badge so it is always visible where the access comes from.
Add a direct permission to a user
- Go to Settings → Users.
- Open the user's profile.
- Click the Access tab.
- Find the permission in the direct grants section.
- Click Grant Permission.
- Optionally add a reason (shown in the audit trail).
The user gets the permission immediately.
Remove a direct permission
- Go to the user's Access tab.
- Find the permission in the direct grants list.
- Click Revoke.
The permission is removed immediately.
View a user's effective permissions
The user's Access tab shows all effective permissions in one list, with a source badge for each:
| Badge | What it means |
|---|---|
| Role | Comes from the user's directly assigned role |
| Inherited | Comes from a role that the user's role inherits from |
| Direct | Granted directly to this user |
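The additive model and the source badges described above can be reproduced offline to review access after a role change. The following is an added example, not the product's own code or API: the role names, permission names, and the `ROLES` structure are hypothetical, and it lists every source for a permission rather than assuming which badge the product shows when several apply.

```python
from dataclasses import dataclass, field

# Hypothetical role model: role -> (permissions it grants, role it inherits from)
ROLES = {
    "Staff":    ({"view_orders"}, None),
    "Buyer":    ({"create_purchase_order"}, "Staff"),
    "Approver": ({"approve_purchase_order"}, "Staff"),
}

@dataclass
class User:
    name: str
    role: str
    direct: set = field(default_factory=set)  # direct grants, independent of role

def permission_sources(user, roles=ROLES):
    """Map each effective permission to the set of badges that explain it."""
    sources = {}
    role, badge, seen = user.role, "Role", set()
    while role is not None and role not in seen:  # walk the chain; stop on a cycle
        seen.add(role)
        perms, parent = roles[role]
        for perm in perms:
            sources.setdefault(perm, set()).add(badge)
        role, badge = parent, "Inherited"
    for perm in user.direct:  # additive: there is no deny to subtract
        sources.setdefault(perm, set()).add("Direct")
    return sources

def direct_only(user, roles=ROLES):
    """Permissions held solely through a direct grant: review on a role change."""
    return sorted(p for p, s in permission_sources(user, roles).items() if s == {"Direct"})

def redundant_direct(user, roles=ROLES):
    """Direct grants the current role already covers: candidates to revoke."""
    return sorted(p for p, s in permission_sources(user, roles).items()
                  if "Direct" in s and len(s) > 1)

if __name__ == "__main__":
    # Constructed sample: one buyer who also approves purchase orders
    buyer = User("dana", "Buyer", {"approve_purchase_order"})
    for new_role in ("Buyer", "Staff", "Approver"):
        buyer.role = new_role  # a role change leaves direct grants untouched
        print(new_role, permission_sources(buyer),
              "direct-only:", direct_only(buyer),
              "redundant:", redundant_direct(buyer))
```

After the move to Staff the user still holds the approval permission through the direct grant alone, which is the case to catch in a review.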
Things to know
- You need the Edit Permissions permission to add or remove direct permissions.
- Direct permissions are scoped to the tenant — they only apply within the workspace where they were granted.
- The same prerequisite rules apply as for roles. You cannot grant a permission whose prerequisite is not already met.
- For managing permissions across a whole role, use The Permissions Manager instead.