Roles & Permissions
Audience: End User, Admin
Page Type: Concept
Summary: Roles control what you can see and do in COS. Permissions depend on your role, your org unit scope, and item ownership.
What a role affects
In COS, your role typically affects:
- Menu visibility (which modules/pages appear)
- Actions you can perform (create/edit/approve/manage users)
- Scope (your own items vs your unit vs the whole organization)
Where permissions come from
When you try to do something in COS, the system checks a combination of:
- Role: your baseline access level
- Org scope: which unit(s) you're responsible for
- Ownership / assignment: whether you own the item or are assigned to it
- Workflow state: some actions can be restricted while an item is pending approval or locked
Role layers
COS uses a multi-layer authorization model. The table below explains what each layer means:
| Layer | Description | Example Roles |
|---|---|---|
| Platform | Full system administration | Super Admin |
| Holding / Group | Visibility across all companies in a group | Group Admin |
| Company (Tenant) | Your permission level within a single company | Admin, Strategy Manager, Team Lead, Member |
| Org Unit | Your position in the org chart | Team Lead, Member |
Note: A user can have permissions in multiple layers at once. For example, a Group Admin can also be an Admin within a specific company.
Typical roles
| Role | What they can do | Scope |
|---|---|---|
| Member | Works on assigned items; updates their OKRs/KRs/initiatives and KPIs | Own unit |
| Team Lead | Sees and manages their unit and sub-units; reviews progress for their team | Unit hierarchy |
| Strategy Manager | Manages strategy cycles, themes, and organization-wide planning artifacts | Entire company |
| Admin | Manages users, roles, org structure, and system settings | Entire company |
| Group Admin | Views and manages business data across all companies in their group; can manage users | All companies in group |
| Super Admin | Full platform-level permissions | Entire system |
Access matrix (summary)
| Capability | Super Admin | Group Admin | Admin | Strategy Manager | Team Lead | Member |
|---|---|---|---|---|---|---|
| OKR & KPI | ✅ | ✅ | ✅ | ✅ | Unit scope | Own items |
| Strategy modules (SWOT, BSC, PESTLE, etc.) | ✅ | — | ✅ | ✅ | See below* | View only |
| User management | ✅ | ✅ | ✅ | — | — | — |
| System / tenant settings | ✅ | — | ✅ | — | — | — |
| Platform administration | ✅ | — | — | — | — | — |
| Group management | ✅ | ✅ | — | — | — | — |
| Approvals (OKR, plans, etc.) | ✅ | ✅ | ✅ | ✅ | Ancestor units | — |
| Dashboard view | Platform | Admin | Admin | Strategy | Team Lead | Member |
* Team Lead strategy access: TL create/edit/delete requires the unit_level_strategy feature enabled on the Enterprise plan. See the table below for details.
Strategy module permission details
The table below shows Team Lead and Member permissions for each strategy module. Admin and Strategy Manager have full CRUD on all modules.
| Module | Plan Requirement | Team Lead | Member |
|---|---|---|---|
| SWOT Analysis | Business+ | View + CED* | View |
| PESTLE Analysis | Business+ | View + CED* | View |
| Porter Five Forces Analysis | Business+ | View + CED* | View |
| BCG Growth-Share Matrix | Business+ | View + CED* | View |
| Current State (As-Is) Analysis | Business+ | View + CED* | View |
| Balanced Scorecard (BSC) | Business+ | View + CED* | View |
| Resource Analysis & VRIO | Enterprise | View + CED* | View |
| Digital Maturity Assessment | Business+ | View + CED | View + Answer |
| Excellence Assessment | Business+ | View + CED | View + Answer |
| Findings | Business+ | View | View |
| Product Management | Business+ | View | View |
| Product SWOT | Business+ | View + CED* | View |
| Product Scorecard | Business+ | View + CED* | View |
| Strategic Themes | Business+ | View | View |
| Mission & Vision | Business+ | View | View |
| Strategic Cycles | Business+ | View | View |
| AI Assistant (Cesaire) | All Plans | Use | Use |
| Strategy Dashboard | Business+ | View | — |
CED = Create + Edit + Delete. Modules marked with * require the unit_level_strategy feature enabled on the Enterprise plan. When disabled, Team Lead has view-only access.
How Team Lead is determined
The Team Lead role is stored directly in the database as TEAM_LEAD. When a user is assigned as a unit leader in the org chart, the system automatically upgrades their membership role to TEAM_LEAD.
- Company leader: If you lead the root (company) unit, you gain company-wide visibility
- Division/team leader: You can manage your unit and all sub-units (recursively to the deepest level)
- Org page access: TEAM_LEAD and MEMBER users can view the org chart in read-only mode. TEAM_LEAD can assign members and leaders only within their own unit subtree
Org unit scope explained
Every user is assigned to one or more Organization Units in the org chart. Their scope — which records they can see and act on — follows that assignment.
| Scenario | Scope |
|---|---|
| Member of Unit A | Sees items owned by or assigned to Unit A |
| Team Lead of Unit A | Sees Unit A and all sub-units recursively |
| Root unit leader (company top) | Gains company-wide visibility |
| Strategy Manager | Sees the entire company regardless of unit assignment |
| Admin | Sees the entire company |
Ancestor unit approvals: When an OKR from Unit A is pending approval, the Team Lead of the parent (ancestor) unit can act as approver — in addition to Admins and Strategy Managers.
Your unit assignment is set by an Admin. If your scope seems incorrect, ask an Admin to verify your org unit assignment.
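The scope table and the ancestor-approval rule above, modelled as an added example (this is not COS's own code). The org chart, the function names, and the ADMIN and STRATEGY_MANAGER role strings are constructed for illustration, and the Group Admin and Super Admin layers are left out. It also assumes that a Team Lead approves only for units strictly below their own.

```python
from dataclasses import dataclass

# Constructed org chart for illustration: unit -> parent unit (None = root/company unit).
PARENT = {"company": None, "sales": "company", "emea": "sales",
          "apac": "sales", "eng": "company"}

# Roles whose scope is the entire company regardless of unit assignment.
# TEAM_LEAD and MEMBER are named on this page; the other two strings are assumed.
COMPANY_WIDE = {"ADMIN", "STRATEGY_MANAGER"}

@dataclass(frozen=True)
class User:
    role: str
    units: frozenset  # org units the user is assigned to (or leads)

def ancestors(unit):
    """Units strictly above `unit`, nearest first; stops if the chart has a cycle."""
    chain, seen = [], {unit}
    parent = PARENT.get(unit)
    while parent is not None and parent not in seen:
        chain.append(parent)
        seen.add(parent)
        parent = PARENT.get(parent)
    return chain

def can_view(user, item_unit):
    """Visibility per the scope table: own unit, unit subtree, or whole company."""
    if user.role in COMPANY_WIDE:
        return True
    if user.role == "TEAM_LEAD":
        # Own unit plus all sub-units; leading the root unit covers every unit.
        return item_unit in user.units or any(a in user.units for a in ancestors(item_unit))
    if user.role == "MEMBER":
        return item_unit in user.units
    return False  # unknown role: deny by default

def can_approve(user, item_unit):
    """Approver check: Admin, Strategy Manager, or Team Lead of an ancestor unit."""
    if user.role in COMPANY_WIDE:
        return True
    return user.role == "TEAM_LEAD" and any(a in user.units for a in ancestors(item_unit))
```
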
Common permission patterns (practical)
- If you can't see a menu, you likely don't have permission for that module.
- If you can see but can't edit, you may be outside the scope (different unit) or the item may be in an approval/locked state.
- Approvals can be configured per organization and per workflow.
Read-Only Mode
Some conditions restrict a user to read-only access even when they normally have edit rights:
| Trigger | Effect |
|---|---|
| Plan downgrade | If your tenant's plan no longer covers a module, its data becomes read-only |
| OKR Cycle closed | Once a cycle is closed, its OKRs, KRs, and measurements are frozen |
| Item in approval workflow | Items awaiting approval are locked until the approval resolves |
| Confidential item | Records marked confidential are read-only to everyone except the owner and assigned contributors |
Read-Only Mode is shown in the UI — action buttons disappear or appear disabled, and a notice typically explains the reason.
Feature Gate & Plan Access
Some modules are only available on specific subscription plans. When you navigate to a page not included in your plan, COS shows a plan upgrade prompt instead of the module.
| Feature | Minimum Plan |
|---|---|
| AI Assistant (Cesaire) | All plans |
| Strategy analysis modules (SWOT, BSC, PESTLE, Porter, BCG, etc.) | Business+ |
| Digital Maturity Assessment | Business+ |
| Excellence Assessments | Business+ |
| Reports | Business+ |
| Resource Analysis (VRIO) | Enterprise |
| DMA / Excellence template customization (Library) | Enterprise |
| Unit-level strategy — Team Lead create/edit | Enterprise |
If you see a plan upgrade prompt on a module you expect to have, ask your Admin to verify the current subscription plan.
What to do if something is missing
- Check whether you're in the correct workspace/tenant.
- Ask an Admin to confirm:
  - your role
  - your org unit assignment
  - any approval workflow restrictions
Role Guide (in-app reference page)
COS includes a built-in Role Guide page accessible to all authenticated users at /account/roles-guide ("Role Guide" in the left menu).
It shows:
- Your current role and a brief description
- Cards for all 6 roles with a layer/scope summary
- A full Permission Matrix (~30 pages × 6 roles, using V/C/U/D icons)
- A Quick Comparison table for 10 key capabilities
- Expandable panels for: Org Unit Scope, Feature Gate (plan-based restrictions), Read-Only Mode, Approval Workflow
All authenticated users can access it regardless of role.