Span uses a role-based access control system with both built-in and custom roles. Permissions are organized into scopes (global, team, people, self) and can be finely tuned to match your organizational structure.
Permission Scopes
Global: Organization-wide
Team: Scoped to specific teams
People: Scoped to specific individuals
Self: What users see about themselves
Initial Setup (For New Organizations)
Step 1: Determine who should be in the Owners and Admins Groups
Important: These permissions groups are managed by Span. As you're getting set up initially, please let your Span contact know who should be assigned to each of these groups. At least one person needs Owner or Admin role to manage permissions going forward.
Owners have full organizational control β including managing cost estimates and permissions.
βAdmins have broad visibility and configuration rights, but cannot access or modify cost or permission group configuration.
Role | What they Can do | Key Limitation |
Owner | Can manage everything in Span, including permissions and salary data | None |
Admin | Can manage all core functions: integrations, metrics, teams, surveys, and reporting | Cannot manage cost/salary data or permission groups |
Step 2: Review Default Roles
Navigate to: Organization Settings > Global > Permission Groups
The Managers, Team Leads, and Team Members roles come pre-configured
Review their permissions to ensure they match your needs
Most organizations can use these as-is
If someone has direct report relationships in your roster, they will automatically be assigned the Manager permission group.
Step 3: Configure Auto-Assignment
Managers role: Automatically syncs (no action needed)
Team Members role: Automatically includes all active members (no action needed)
Team Leads: You'll need to manually assign or create custom filters
Creating Custom Roles
When to create custom roles:
Need specialized access patterns (e.g., "Support Team Admin", "Incident Reviewers")
Want team-specific permissions without global access
Need to delegate specific admin functions (e.g., survey creation only)
How to set up Custom Roles:
Navigate to Permissions
Go to: Settings β Permissions β Permission Groups
Click "Create New Role" button
Setup Tab - Basic Configuration
For Manual: Select individuals to add
For Matching: Configure filters (e.g., "PersonIsManager")
Global Permissions Tab - Organization-Wide Access
Select relevant permissions:
Benchmarking: View benchmark data
IndustryBenchmarking: View industry comparisons
ManageIntegrations: Configure GitHub, Jira, etc.
ManageAuditLog: View audit logs
ManageDynamicReports: Create/edit reports
MemberManagement: Add/remove org members
SurveysAdmin: Create and manage surveys
ManageInvestment: Track investment/allocation
PermissionGroupsManage: Manage roles (admin only)
Team Permissions Tab - Team-Scoped Access
Configure which team data this role can see:
Which teams?
All teams
Affiliated teams only (user's team + managed teams)
Specific teams (select from list)
What can they see?
Activity Summaries
Investment
Project Tracking
Pull Requests
Review Themes
Time
Working Norms
Slack Digests
Working Norms
People Permissions Tab - Individual-Level Access
Configure which individual data this role can see:
Which people?
All people
Affiliated people only (team members)
Self only
What can they see?
Details
Activity
Activity Summaries
Investment
Project Tracking
Pull Requests
Review Themes
Time
Onboarding
Self Permissions Tab - Personal Data Access
What can users see about themselves:
Same options as People Permissions
These apply to the role member viewing their own data
Review Tab - Final Review
Review all configured permissions
Click "Save" to create the role