Overview
The Custom User Roles system is built around a flexible group-based architecture with automatic default role assignment. Every organization member is assigned to a role that determines their permissions across the platform, from basic feature access to specific integration scopes and AI model usage.
Default Role System
Automatic Role Creation and Assignment
When an organization is created, Gumloop automatically:
- Creates a Default Role: Named “Default Group” with baseline permissions for all organization members
- Auto-assigns New Members: All users joining the organization are automatically added to the default role
- Provides Fallback Protection: Users removed from other roles automatically return to the default role
Key Properties of Default Permission Group
- Cannot be deleted: Default roles are protected to ensure all users always have baseline permissions
- Can be renamed: Organizations can customize the default role name to match their naming conventions
- Serves as fallback: Provides consistent baseline access when users are moved between roles
Managing User Roles
Accessing Role Management
Navigate to your organization’s role settings at: gumloop.com/settings/organization/roles-permissions
Creating Custom Groups
- Click “Create Group” from the main permissions page
- Provide a descriptive group name and description
- Configure permissions across four main categories:
  - Members
  - Features
  - App Scopes
  - Node Denylist

Group Management Actions
For each group, administrators can:
- Rename: Update group names and descriptions
- Set as Default: Designate which group new members receive automatically
- Delete: Remove group (default roles cannot be deleted)
- View Member Count: See how many users are assigned to each group
Permission Categories
1. Members Management
Control which users belong to each role with advanced member management capabilities.
- Search Functionality: Find users by email with real-time search
- Add/Remove Members: Move users between roles with single-click actions
- Users can only belong to one group at a time
- Moving a user to a new group automatically removes them from their previous group
- Users cannot be removed from the default group without being assigned to another group
2. Features Restrictions
Control access to core Gumloop platform features with granular toggle controls.
Available Feature Restrictions:
Feature | Description | Impact |
---|---|---|
Workspace Creation | Prevents users from creating new workspaces | Users can only join existing workspaces they’re invited to |
Workspace Credential Adding | Blocks adding new credentials to workspaces | Users can only use personal credentials or existing workspace credentials |
MCP Node Creation | Restricts creation of custom MCP nodes | Users cannot build custom MCP nodes |
Public Sharing | Prevents sharing flows and interfaces publicly | Users can only share within the organization |
- Simple toggle switches for each restriction
- Real-time updates with immediate effect
- Clear descriptions help administrators understand the impact
3. App Scopes (OAuth Permission Control)
Manage which OAuth scopes users can access for third-party integrations with category-based control.
- Control permissions for each integration category (Google, Slack, Notion, etc.)
- Restrict specific OAuth scopes while allowing others
- Granular control over what data users can access in connected services

- Allow Google Sheets reading but block Google Drive writing
- Permit Slack message reading but restrict channel management
- Enable Salesforce data viewing while preventing record updates
- Select the integration category (e.g., “Google Apps”)
- Choose which scopes to allow or restrict
- Users see only permitted scopes during OAuth flows
4. Node Denylist
Block access to specific workflow nodes and integrations to prevent unauthorized actions.
- Category-based Restrictions: Block entire categories of nodes (e.g., all Salesforce nodes)
- Individual Node Control: Restrict specific nodes while allowing others in the same category
- Runtime Enforcement: Restrictions are enforced during workflow execution

- Block all data writing nodes while allowing reads
- Restrict access to sensitive integrations
- Prevent certain teams from using certain integrations
- Restricted nodes are hidden from the node library for affected users
- Existing workflows with restricted nodes will fail execution with clear error messages
- Restrictions apply to both manual workflow building and API-based automation
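The denylist behaviour described above, as an added example that is not Gumloop's code or API: a local pre-flight audit that lists the workflows that would fail once each group's denylist is applied. All group, user, node and workflow names are constructed sample data, and the model assumes a workflow is checked against its owner's single group, with unlisted users falling back to the default group.

```python
# Added illustration: a local model of the denylist rules, not Gumloop's code or API.
# Every group, user, node and workflow name below is constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    denied_categories: set = field(default_factory=set)  # category-based restriction
    denied_nodes: set = field(default_factory=set)        # individual node restriction

    def blocks(self, node: dict) -> bool:
        """A node is blocked if its whole category or the node itself is denied."""
        return (node["category"] in self.denied_categories
                or node["name"] in self.denied_nodes)

def group_for(user, membership, groups, default_name):
    """One group per user; anyone without an explicit group is in the default group."""
    return groups[membership.get(user, default_name)]

def audit(workflows, membership, groups, default_name):
    """Return {workflow name: [blocked node names]} for workflows that would fail.

    Assumption: a workflow is evaluated against its owner's group.
    """
    findings = {}
    for wf in workflows:
        group = group_for(wf["owner"], membership, groups, default_name)
        blocked = [n["name"] for n in wf["nodes"] if group.blocks(n)]
        if blocked:
            findings[wf["name"]] = blocked
    return findings

GROUPS = {
    "Default Group": Group("Default Group", denied_categories={"Salesforce"}),
    "Sales": Group("Sales", denied_nodes={"Salesforce Record Deleter"}),
}
MEMBERSHIP = {"ana@example.com": "Sales"}  # bob is unlisted, so he is in the default group
WORKFLOWS = [
    {"name": "lead-sync", "owner": "ana@example.com", "nodes": [
        {"name": "Salesforce Record Reader", "category": "Salesforce"},
        {"name": "Sheets Writer", "category": "Google"}]},
    {"name": "cleanup", "owner": "ana@example.com", "nodes": [
        {"name": "Salesforce Record Deleter", "category": "Salesforce"}]},
    {"name": "report", "owner": "bob@example.com", "nodes": [
        {"name": "Salesforce Record Reader", "category": "Salesforce"}]},
]

if __name__ == "__main__":
    for name, nodes in audit(WORKFLOWS, MEMBERSHIP, GROUPS, "Default Group").items():
        print(f"{name}: would fail on {', '.join(nodes)}")
```

Running the audit before saving a denylist change shows which existing workflows need to be rebuilt or reassigned.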
Business Rules and Enforcement
Single Group Membership
- Rule: Users can only belong to one group at a time
- Enforcement: Adding a user to a new group automatically removes them from their previous group
- Benefit: Prevents permission conflicts and simplifies access control
Runtime Permission Checks
- When Applied: All permissions are checked in real-time during platform usage
- Scope: Applies to UI interactions, workflow execution, and API calls
- Response: Blocked actions show clear error messages explaining the restriction
Admin-Only Management
- Access Control: Only organization administrators can manage user roles
User Experience Impact
For End Users
Restricted Features:
- Hidden or disabled UI elements for blocked features
- Clear messaging when attempting restricted actions
Real-World Use Cases
Organizations use Custom User Roles to implement security and governance policies across different teams:
Sales Team Access Control:
- Grant sales teams access to Salesforce integrations for lead management
- Restrict other departments from accessing sensitive sales data
- Allow CRM data reading but prevent record deletion
- Enable IT teams to create workspaces and manage credentials
- Restrict regular users from adding new workspace credentials
- Allow operations teams to use advanced integrations while limiting marketing to basic tools
- Prevent certain teams from sharing workflows publicly
- Restrict access to financial integrations for non-finance users
Getting Started
- Access Role Management: Navigate to gumloop.com/settings/organization/roles-permissions
- Review Default Group: Examine the default role permissions and adjust as needed
- Create Specialized Groups: Build roles for different user groups in your organization
- Assign Users: Move users from the default role to appropriate specialized groups