Roles and Permissions
Access to a memo in Canvas is governed by your deal role. There are four roles, ordered from most to least capable, and they form a strict hierarchy: a higher role can do everything a lower one can, plus more.
The four roles
| Role | Level | Can do |
|---|---|---|
| Owner | 4 | Everything below, plus approve/reopen the memo, share the deal, manage collaboration, and delete the deal |
| Editor | 3 | Everything below, plus edit memo content directly, save, apply AI suggestions, and acquire section edit locks |
| Commenter | 2 | Everything below, plus post comments and replies, resolve/react, submit feedback ratings, and propose suggestions |
| Viewer | 1 | Read the memo and all comments |
The hierarchy is numeric — owner (4) > editor (3) > commenter (2) > viewer (1) — and every gated action checks your role against the minimum it requires. If your role is too low, the action is refused with a clear message telling you what role it needs.
What each role unlocks, concretely
- Viewer — read-only. You see the full memo and every comment thread, but you can’t change the document, comment, or react. In the editor you’re in viewing mode and nothing else.
- Commenter — you participate in review without changing the document directly. You can comment, reply, resolve, react, and submit section feedback ratings. Your edits to the text are always suggestions (you work in suggesting mode), which someone with edit rights accepts or rejects.
- Editor — you change the memo. Direct editing, saving, applying AI suggestions, and (in the non-collaborative path) holding a section edit lock. Editors can do everything to the content but cannot cross the approval boundary.
- Owner — full control of the deal. Owners alone can approve and reopen the memo (the document-state transitions), share the deal and manage invites, enable or disable collaboration on a document, and delete the deal.
Roles map to editor modes
Your role, combined with the document’s state, decides which editor modes you get:
| Role | Draft / Editing | Approved |
|---|---|---|
| Owner / Editor | view, suggest, edit | view, suggest |
| Commenter | suggest | suggest |
| Viewer | view | view |
So even owners and editors drop to view/suggest once a memo is Approved — directly editing again requires an owner to reopen it first.
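The two checks described so far, as an added sketch that is not Canvas source code: the minimum-role gate and the role × document-state mode table. The action names, state strings, error text and `can_edit_directly` helper are assumptions made for the example.

```python
# Added illustration; not Canvas source code. Levels and modes follow the tables above.
ROLE_HIERARCHY = {"owner": 4, "editor": 3, "commenter": 2, "viewer": 1}

# Hypothetical action names mapped to the minimum role the page gives for them.
ACTION_MIN_ROLE = {
    "read_memo": "viewer",
    "post_comment": "commenter",
    "save_memo": "editor",
    "approve_memo": "owner",
}


class RoleDenied(PermissionError):
    pass


def require_deal_role(role, action):
    """Raise unless `role` meets the minimum for `action`; unknown input fails closed."""
    minimum = ACTION_MIN_ROLE.get(action)
    if minimum is None:
        raise RoleDenied(f"unknown action {action!r}")
    # An unrecognised or missing role gets level 0, below viewer.
    if ROLE_HIERARCHY.get(role, 0) < ROLE_HIERARCHY[minimum]:
        raise RoleDenied(f"{action} requires the {minimum} role or higher")


def editor_modes(role, doc_state):
    """Role x document state -> editor modes, per the table above."""
    level = ROLE_HIERARCHY.get(role, 0)
    if level >= ROLE_HIERARCHY["editor"]:
        # Only draft/editing memos allow direct edits; any other state drops it.
        if doc_state in ("draft", "editing"):
            return ["view", "suggest", "edit"]
        return ["view", "suggest"]
    if level == ROLE_HIERARCHY["commenter"]:
        return ["suggest"]
    if level == ROLE_HIERARCHY["viewer"]:
        return ["view"]
    return []  # no recognised role: no modes


def can_edit_directly(role, doc_state):
    """Direct edits need both the editor role and a non-approved document."""
    try:
        require_deal_role(role, "save_memo")
    except RoleDenied:
        return False
    return "edit" in editor_modes(role, doc_state)
```

The role check and the state check are separate conditions: an owner passes the first on an approved memo and still fails the second.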
Sharing a deal and inviting people
A deal owner grants others access by sharing the deal and assigning each person a role. You can share with someone who already has a Canvas account, or with an email address that doesn’t have an account yet.
When you invite an email that isn’t yet a Canvas user, Canvas creates a pending invite. There are two kinds:
- Deal invite — grants access to a specific deal (at the role you chose) when accepted.
- Org invite — adds the person to an organization (at the specified role) when accepted.
Invites auto-resolve on login
Pending invites are not something the recipient has to hunt down. When the invited person creates an account or signs in (via the magic-link flow), Canvas automatically resolves all pending invites for their email address:
- Pending deal invites grant the deal access and are marked accepted.
- Pending org invites add the user to the organization at the specified role.
The recipient simply logs in and finds the deal (or org) already available — no manual “accept invitation” step to chase down. Invites are matched on a normalized email (whitespace-trimmed, lower-cased), so a stray space in the invited address doesn’t cause a silent miss.
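An added sketch of the resolution step, not Canvas source code. `resolve_invites_for_email` is the function name given under Sources; the in-memory store, the field names and the choice to mark org invites accepted as well are assumptions made for the example.

```python
# Added illustration; not Canvas source code. In-memory stand-in for an invites table.
from dataclasses import dataclass


def normalize_email(raw):
    """Whitespace-trimmed, lower-cased, as the page describes."""
    return raw.strip().lower()


@dataclass
class PendingInvite:
    kind: str        # "deal" or "org"
    target_id: str   # deal id or org id (constructed sample values)
    role: str
    email: str       # stored already normalized
    status: str = "pending"


class InviteStore:
    def __init__(self):
        self.invites = []
        self.deal_access = {}   # (email, deal_id) -> role
        self.org_members = {}   # (email, org_id) -> role

    def invite(self, kind, target_id, role, email):
        if kind not in ("deal", "org"):
            raise ValueError(f"unknown invite kind {kind!r}")
        # Normalize at write time so lookups compare like with like.
        inv = PendingInvite(kind, target_id, role, normalize_email(email))
        self.invites.append(inv)
        return inv

    def resolve_invites_for_email(self, verified_email):
        """Call only after the login flow has proven control of the address."""
        email = normalize_email(verified_email)
        resolved = []
        for inv in self.invites:
            if inv.status != "pending" or inv.email != email:
                continue  # already accepted, or addressed to someone else
            grants = self.deal_access if inv.kind == "deal" else self.org_members
            grants[(email, inv.target_id)] = inv.role
            inv.status = "accepted"
            resolved.append(inv)
        return resolved
```

Because the grant is keyed on the email alone, the address passed in must be the one the magic link actually verified, never a value supplied by the client.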
The superadmin
Separate from the four deal roles, Memosa has a superadmin capability for platform operators. A superadmin is automatically treated as the Owner of every deal, across every organization.
Concretely:
- When a superadmin accesses any deal, Canvas sets their deal role to owner for that deal — they have full owner capabilities everywhere, without needing to be individually shared on each deal.
- Subscription feature gates are also bypassed for superadmins: a superadmin always passes a feature check regardless of the org’s plan.
- Superadmins can perform emergency operations ordinary owners can’t — for example, an emergency REST save on a collaborative document, which is otherwise rejected (see Real-Time Collaboration).
This is platform-operator access, not a deal role you assign. Every superadmin deal access is audited — a record is written each time, so the access trail is complete for review.
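An added sketch of the superadmin override with its audit record, not Canvas source code. The function and field names are hypothetical, and refusing access when the audit write fails is an assumption of this example about what a synchronous audit implies.

```python
# Added illustration; not Canvas source code.
import time


class AuditUnavailable(RuntimeError):
    pass


class AuditLog:
    """Hypothetical append-only sink; `fail` simulates an outage."""

    def __init__(self, fail=False):
        self.records = []
        self.fail = fail

    def write(self, record):
        if self.fail:
            raise AuditUnavailable("audit sink unreachable")
        self.records.append(record)


def effective_deal_role(user, deal_id, shares, audit):
    """Return the role to enforce for this request, or None for no access.

    `shares` maps (user_id, deal_id) -> role for ordinary sharing.
    """
    if user.get("is_superadmin"):
        # Write the record before granting: if it cannot be written the
        # exception propagates and no owner access is handed out.
        audit.write({
            "event": "superadmin_deal_access",
            "user_id": user["id"],
            "deal_id": deal_id,
            "ts": time.time(),
        })
        return "owner"
    return shares.get((user["id"], deal_id))


def feature_enabled(user, org_plan_features, feature):
    """Plan gate; superadmins pass regardless of the org's plan."""
    return bool(user.get("is_superadmin")) or feature in org_plan_features
```

Ordering the write ahead of the grant is what keeps the trail complete: an access that was never recorded is an access that never happened.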
Sources
- src/canvas/auth/permissions.py — ROLE_HIERARCHY (owner 4 > editor 3 > commenter 2 > viewer 1); require_deal_role enforcement; RequireOwner / RequireEditor / RequireCommenter / RequireViewer
- src/canvas/auth/middleware.py — superadmin → deal_role = "owner" on all deals (superadmin supremacy), synchronous audit of every superadmin deal access
- src/canvas/auth/feature_permissions.py — superadmin bypass of plan feature gates
- src/canvas/routes/canvas_routes.py — owner-gated approve/reopen/delete/collab controls; editor-gated save; superadmin emergency-save override
- src/canvas/routes/comment_routes.py — viewer reads comments; commenter posts/replies/resolves/reacts
- src/canvas/services/pending_invite_service.py — deal vs. org invites, magic-link account creation triggers resolve_invites_for_email(), auto-resolution of all pending invites for an email
- canvas-ui/src/utils/editorModeDerivation.ts — role × document-state → available editor modes
- memory/canvas_auth_rbac.md — RBAC roles, deal-access table as primary source, tenant isolation, superadmin audit