Roles and permissions
Understand the various roles within Runway and what permissions are tied to each
At the heart of every successful finance team is collaboration, and that's where Runway shines. But we also acknowledge the sensitivity of the data you entrust to us. That's why Runway offers four different roles, each with different access levels to resources. We’ve designed permissions to cover a wide spectrum of use cases - from granting access to internal team leaders to accommodating external stakeholders like board members and investors.
Glossary
Before we dive into the specifics of different roles and the process of provisioning new users in Runway, let's familiarize ourselves with some terminology used throughout this article:
- Resource — This term can refer to a Model, Database, or Page.
- Role — Runway offers four roles:
- Admin — Think of this as a superuser who can access all data and perform all actions in Runway. This role is typically limited to members of the finance team who are the primary owners of your model.
- Manager — This role is for users who need full access to your data, with the exception of anonymized sensitive numbers. They also don’t have ability to make organization-level actions, such as merging scenarios into your main scenario.
- Member — Recommended for the majority of users in your organization. Members do not have access to any resources by default. They must be explicitly given access to a resource which you can choose to share with full, edit or view access.
- Guest — Recommended for users outside your organization. It only allows view access to the limited set of resources you choose to share, such as board members and investors.
- Access level — When a user has access to a specific resource, you can define their access level to that resource. The options are:
- No access — The user can't access the resource, and it won't appear in their left navigation menu.
- Can view — The user has readonly access to the resource and can't perform any actions.
- Can edit — The user can edit the data in the resource, but can't modify other users' access levels to it.
- Full access — In addition to editing the resource’s data, a user can change other users’ access, duplicate, and delete the resource.
Roles
Runway offers four distinct roles. The comparison table below details the default capabilities for each role.
In addition to assigning roles, you can also set different access levels for guests, members, and managers on a resource-by-resource basis. After reviewing the table, we suggest reading the "Resources Access Level in Runway" section.
Admin | Manager | Member | Guest | |
See and edit pages, models, and databases | Have full access to all resources. | By default, they have full access to all resources.
Their access to specific resources can be adjusted to 'can edit', 'can view', or 'no access' as
needed.
More details about the different access levels. | Don’t have access to any resources by default.
They must be explicitly given access to a resource to view it. Their access level can vary from one resource to another (’full access’, ‘can edit’, ‘can view’).
More details about the different access levels. | Don’t have access to any resources by default.
They must be explicitly granted access to a resource to view it.
Guests can’t perform any edits. |
Accessing and tracing the details view of a specific driver or database object | Can open the details view of any driver or database object and freely drill into any of its dependents. | Can open the details view and see the dependents (inputs, used by, plans). However, they can only navigate to the details view of a dependent that resides in a resource they have permission to access.
Can see indirect inputs. | Can open the details view and see the dependents (inputs, used by, plans). However, they can only navigate to the details view of a dependent that resides in a resource they have permission to access.
Can’t see indirect inputs. | Can’t open the details view. |
See and edit existing scenarios | Can access and edit all published and non-published scenarios. | Can only access published scenarios.
If you grant edit or full access to a resource, the Manager can edit the Page in all published scenarios | Can only access published scenarios.
If you grant edit or full access to a resource, the Member can edit the Page in all published scenarios | Must be granted explicit access to scenarios for each resource shared with them.
Guests can’t perform any edits. |
Access the integrations section, delete, and set up new ones | Full access to integrations. | Can authenticate new integrations, but can’t see the output or queries. | Can authenticate new integrations, but can’t see the output or queries. | 🚫 |
Create a scenario | ✅ | ✅ - By performing edits to resource they have access to. | ✅ - By performing edits to resource they have access to. | 🚫 |
Move Last Close date | ✅ | ✅ | 🚫 | 🚫 |
Create a new resource: pages, models, and databases | ✅ | ✅ | 🚫 | 🚫 |
Modify resources hierarchy like moving a page to a different section in the left navigation | ✅ | 🚫 | 🚫 | 🚫 |
Review & merge scenarios into Main | ✅ | 🚫 | 🚫 | 🚫 |
Publish a scenario | ✅ | 🚫 | 🚫 | 🚫 |
See, edit, or reveal anonymized data | ✅ | 🚫 | 🚫 | 🚫 |
Edit the org-wide settings (general, billing, users, APIs, dimensions) | ✅ | 🚫 | 🚫 | 🚫 |
Resource access level
A user's access level can vary on a resource-by-resource basis. For instance, a single member might have view access to one database, edit access to some models, and full access to a particular page. The comparison below illustrates what a user can do with a specific resource, depending on their access level for that resource.
Many of the edits in the table below are scoped to a scenario that requires an admin's review and merge before they appear in your main scenario. You can find more information about Scenarios here.
Full access | Can edit | Can view | |
Editing formulas | ✅ | ✅ - In the formula editor, they can only reference other drivers or database objects that are in a resource they have access to. | 🚫 |
Adding, referencing, or deleting drivers to a block | ✅ | ✅ - When referencing an existing driver, they can only reference other drivers within resources they have access to. | 🚫 |
Adding or deleting a block on a page | ✅ | ✅ - When adding new drivers or database blocks they can only reference drivers or database rows that are in a resource they have access to. | 🚫 |
Editing actual values | ✅ | ✅ | 🚫 |
Editing forecast values | ✅ | ✅ | 🚫 |
Editing values in the detail pane | ✅ | ✅ - in the detail pane, can edit values that are in a resource they have access to. | 🚫 |
Change KPIs and formatting, such as colors, indenting and descriptions | ✅ | ✅ | 🚫 |
Customize a block: show/hide properties, change the rollup, date range, or comparison config. | ✅ | ✅ | 🚫 |
Can delete the resource | ✅ | ✅ | 🚫 |
Adding or deleting database objects to a block | ✅ | ✅ | 🚫 |
Add, remove, or change the access level of a user to resource | ✅ | 🚫 | 🚫 |
Provisioning users to your org
In Runway, there are two methods to add users to your organization: from the Settings menu or via the Share menu in a specific resource. We recommend using the Settings if you're adding admins, managers, or members. However, if you're adding guests, it's best to do so directly from the Share menu of the resources you want them to access.
Adding new users from Settings
The first method to add users to your Runway organization is through the Settings menu. Click on your avatar in the top-right corner, followed by clicking on Settings and then Users. In the provided text box, you can enter one or more email addresses, either space-separated or comma-separated. You also have the option to define their role. After entering the necessary details, click "Invite".
You can distinguish between users who have accessed Runway at least once since being added to your organization and those who have never visited Runway by looking at their avatar.
Adding new users via the Share menu in a specific resource
You can also add new users to Runway within a specific resource via the Share menu. Click the Share
button in the top right corner of a specific resource. The first tab, labeled "Share," will display a list of Guests, Members, and Managers who have access to that resource.
A text box is also available for adding users to this resource. Start typing their email. If the user is already part of your organization, their name will appear in the dropdown menu. If it's a new user, you'll be prompted to invite them. You can also paste a list of emails separated by spaces or commas.
Note that new users who are added for the first time through the share menu are assigned a Guest role. You can change their role in the Settings if necessary.
From this list, you can adjust a specific user's access level to the resource:
- For Guests — Choose between 'Can view' or 'No access'.
- For Members & Managers — Options include 'Can view', 'Can edit', 'Full access', or 'No access'.
- For Admins — They automatically have 'Full access' to all resources.
Navigate to the "Guest Settings" tab to define the scenarios that guests can view on this resource. By default, only the Main scenario is selected. Keep in mind, shared scenarios are determined on a per-resource basis and impacts all guests.
For easy mass guest addition, enable the "Guest invite link". Anyone with this link can access the resource. If a user has never been added to Runway before and they log in through that link, they will appear as a guest in your user list.
Admins impersonating other users
This feature is exclusively available to users with an Admin role. If an admin needs to view Runway from another user's perspective, they can impersonate that user. This is particularly helpful for testing permissions and access issues reported by team members. To do this, navigate to Settings > Users, then click on the impersonate icon next to the desired user. Note that Admins can’t impersonate other Admins.
FAQ
I added some users in Settings, but they don't show up when I type their email in the share menu of a specific resource. Why is that?
After adding new users, a hard refresh is required for the changes to be reflected throughout the product. We recognize that this can be confusing, and we're working on a solution.
I added some users, but they didn't receive an email notification from Runway. Is this expected?
Yes, it's expected. Currently, we don't send an email invite when you add users to Runway. We believe that as the model owner, you should control the timing and context of introducing your team and collaborators to Runway. You can directly share your organization's URL or the URL of a specific resource with them. Upon login, they'll have access to the pages they're permitted to view.
How do I modify the permissions of an existing user? Do I do this in settings or in the share menu of a certain resource?
To completely remove a user, go to the settings page. The settings page is also where you can change a user's role (e.g., guest, member, manager, admin). However, if you want to modify a user's access level (can view, can edit, full access) for a specific resource, make this change in the share menu of that resource.
Last updated on January 29, 2024