Roles and permissions
Understand the various roles within Runway and what permissions are tied to each
At the heart of every successful finance team is collaboration, but we know that protecting sensitive data is just as important. Runway’s permissions system makes it easy to manage access, whether you’re bringing in internal team members or external stakeholders (like board members and investors)—that’s why Runway offers four different roles, each with different access levels to resources.
Glossary
Before diving into the specifics of different roles and the process of provisioning new users in Runway, here are a few key terms:
- Resource — A Model, Database, or Page in Runway.
- Role — Defines a user's overall access level in Runway.
- Access level — Determines what actions a user can take within a specific resource.
Access levels
Runway allows for different access levels on a resource-by-resource basis:
- No access — The resource is hidden from the user, and it won't appear in their left navigation menu.
- Can view — The user has read-only access to the resource, and can't perform any actions.
- Can edit — The user can modify data, but cannot modify other users' access to it.
- Full access — In addition to editing the resource’s data, the user can change other users’ access, and duplicate or delete the resource.
Roles in Runway
There are four roles with varying levels of access and permissions:
- Admin — A superuser with full access to all data, who can perform all actions in Runway. This role is typically limited to members of the finance team who are the primary owners of your model.
- Manager — A user who needs full access to your data, but is restricted from anonymized sensitive information. They don’t have ability to make organization-level changes, such as merging scenarios into your main scenario.
- Member — A user who does not have access to any resources by default—they must be explicitly given access to resources. We recommend this for the majority of users in your organization.
- Guest — A user who has view-only access to a limited set of resources. Recommended for users outside your organization, like board members and investors.
Here are the default capabilities for each role:
Admin | Manager | Member | Guest | |
See and edit pages, models, and databases | Have full access to all resources. | By default, they have full access to all resources.
Their access to specific resources can be adjusted to 'can edit', 'can view', or 'no access' as
needed.
More details about the different access levels. | Don’t have access to any resources by default.
They must be explicitly given access to a resource to view it. Their access level can vary from one resource to another (’full access’, ‘can edit’, ‘can view’).
More details about the different access levels. | Don’t have access to any resources by default.
They must be explicitly granted access to a resource to view it.
Guests can’t perform any edits. |
Accessing and tracing the details view or drill-ins of a specific driver or database object | Can open the details view of any driver or database object and freely drill into any of its dependents. | Can open the details view and see the dependents (inputs, used by, plans). However, they can only navigate to the details view of a dependent that resides in a resource they have permission to access.
Can see indirect inputs. | Can open the details view and see the dependents (inputs, used by, plans). However, they can only navigate to the details view of a dependent that resides in a resource they have permission to access.
Can’t see indirect inputs. | Can’t open the details view. |
See and edit existing scenarios | Can access and edit all published and non-published scenarios. | Can only access published scenarios.
If you grant edit or full access to a resource, the Manager can edit the Page in all published scenarios | Can only access published scenarios.
If you grant edit or full access to a resource, the Member can edit the Page in all published scenarios | Must be granted explicit access to scenarios for each resource shared with them.
Guests can’t perform any edits. |
Access the integrations section, delete, and set up new ones | Full access to integrations. | Can authenticate new integrations, but can’t see the output or queries. | Can authenticate new integrations, but can’t see the output or queries. | 🚫 |
Create a scenario | ✅ | ✅ - By performing edits to resource they have access to. | ✅ - By performing edits to resource they have access to. | 🚫 |
Move Last Close date | ✅ | ✅ | 🚫 | 🚫 |
Create a new resource: pages, models, and databases | ✅ | ✅ | 🚫 | 🚫 |
Modify resources hierarchy like moving a page to a different section in the left navigation | ✅ | 🚫 | 🚫 | 🚫 |
Review & merge scenarios into Main | ✅ | 🚫 | 🚫 | 🚫 |
Publish a scenario | ✅ | 🚫 | 🚫 | 🚫 |
See, edit, or reveal anonymized data | ✅ | 🚫 | 🚫 | 🚫 |
Edit the org-wide settings (general, billing, users, APIs, dimensions) | ✅ | 🚫 | 🚫 | 🚫 |
Resource access level breakdown
A user's access level can differ across resources. For example, a user may have view access to one database, edit access to some models, and full access to a particular page. The comparison below illustrates what a user can do with a specific resource, depending on their access level for that resource.
Many of the edits in the table below are scoped to a scenario that requires an admin's review and merge before they appear in your main scenario. You can find more information about Scenarios here.
Full access | Can edit | Can view | |
Edit formulas | ✅ | ✅ - In the formula editor, they can only reference other drivers or database objects that are in a resource they have access to. | 🚫 |
Add, reference, or delete drivers | ✅ | ✅ - When referencing an existing driver, they can only reference other drivers within resources they have access to. | 🚫 |
Add or delete blocks on a page | ✅ | ✅ - When adding new drivers or database blocks they can only reference drivers or database rows that are in a resource they have access to. | 🚫 |
Add or delete database objects to a block | ✅ | ✅ | 🚫 |
Edit actuals | ✅ | ✅ | 🚫 |
Edit forecast values | ✅ | ✅ | 🚫 |
Edit values in detail pane | ✅ | ✅ - in the detail pane, can edit values that are in a resource they have access to. | 🚫 |
Change KPIs and formatting, such as colors, indenting and descriptions | ✅ | ✅ | 🚫 |
Customize blocks: show/hide properties, change the rollup, date range, or comparison config. | ✅ | ✅ | 🚫 |
Delete the resource | ✅ | ✅ | 🚫 |
Add, remove, or change the access level of a user to resource | ✅ | 🚫 | 🚫 |
Viewing and managing permissions
Centralized permission management
- Go to
Settings
, and clickUsers
.
- You’ll see a list of all users and their roles.
- Adjust permissions by selecting the appropriate access level from the dropdown menu next to each resource.
User-specific views
- From the
Users
tab inSettings
, click on any user’s name.
- A detailed breakdown will show which models, databases, and pages the user can access.
- To update permissions, click
Edit
and adjust access levels for individual resources.
Provisioning new users
You can add users to your Runway organization in two ways: from the Settings menu or via the Share menu in a specific resource.
We recommend:
- Using
Settings
if you're adding admins, managers, or members.
- Using
Share menu
for adding guests—you can do this directly from the resource you want them to access.
1. Adding users from Settings
- Go to
Settings
>Users
.
- Enter email addresses (space-separated or comma-separated), and assign roles (admin, manager, or member).
- Click
Invite
.
You can distinguish between users who have accessed Runway at least once since being added to your organization and those who have never visited Runway by looking at their avatar—users who have never visited won’t have profile photos.
2. Adding users via the Share menu
- Open the model, page, or database you want to share.
- Click
Share
at the top-right corner.
- Enter the user’s email, and assign their access level.
This method is ideal for adding guests, or external users with limited access.
A text box is also available for adding users to this resource. Start typing their email. If the user is already part of your organization, their name will appear in the dropdown menu. If it's a new user, you'll be prompted to invite them. You can also paste a list of emails separated by spaces or commas.
Users who are added for the first time through the share menu are assigned a Guest role. You can change their role in the Settings if necessary.
From this list, you can adjust a specific user's access level to the resource:
- For Guests — Choose between 'Can view' or 'No access'.
- For Members & Managers — Options include 'Can view', 'Can edit', 'Full access', or 'No access'.
- For Admins — They automatically have 'Full access' to all resources.
Navigate to the "Guest Settings" tab to define the scenarios that guests can view on this resource. By default, only the Main scenario is selected. Keep in mind, shared scenarios are determined on a per-resource basis and impacts all guests.
For easy mass guest addition, enable the "Guest invite link". Anyone with this link can access the resource. If a user has never been added to Runway before and they log in through that link, they will appear as a guest in your user list.
Admins impersonating other users
This feature is exclusively available to users with an Admin role. If an admin needs to view Runway from another user's perspective, they can impersonate that user. This is particularly helpful for testing permissions and access issues reported by team members. To do this, navigate to Settings > Users, then click on the impersonate icon next to the desired user. Note that Admins can’t impersonate other Admins.
FAQ
I added some users in Settings, but they don't show up when I type their email in the share menu of a specific resource. Why is that?
After adding new users, a hard refresh is required for the changes to be reflected throughout the product. We recognize that this can be confusing, and we're working on a solution.
I added some users, but they didn't receive an email notification from Runway. Is this expected?
Yes, it's expected. Currently, we don't send an email invite when you add users to Runway. We believe that as the model owner, you should control the timing and context of introducing your team and collaborators to Runway. You can directly share your organization's URL or the URL of a specific resource with them. Upon login, they'll have access to the pages they're permitted to view.
How do I modify the permissions of an existing user? Do I do this in settings or in the share menu of a certain resource?
To completely remove a user, go to the settings page. The settings page is also where you can change a user's role (e.g., guest, member, manager, admin). However, if you want to modify a user's access level (can view, can edit, full access) for a specific resource, make this change in the share menu of that resource.
Last updated on January 29, 2024