Advanced permissions and access control

How to securely manage external users and teams in your workspace.


Hailer has powerful features to securely manage external and internal users in Workspaces. Groups, Custom roles, restricted Team visibility and Smart activity owner selector all come in handy, especially when managing e.g. a network of resellers or subcontractors.The groups allow grouping teams, while custom roles bring more granularity to our permissions.

Groups, Custom roles, and restricted Team visibility features require an enterprise license. Please get in touch with Hailer Sales for more information:



Team visibility
By restricting team visibilty, only users part of the same teams can see each other in the workspace.

team visibility

This setting does not affect workspace administrators or owners. If users from separate teams are added to e.g. the same discussion they will still see each others profile, like name and picture.

When the team visibility is restricted, it is possible to set certain teams as public. This means they are visible to everyone in the workspace, even though not part of the same team as the user viewing them. Members of public teams can always see all members of a workspace.

public team

Team and group setup
This is an example of a simple team and group structure in a workspace. The names marked with an asterisk are regular teams, while the names without an asterisk are groups.

reseller group setup

All the reseller teams are part of the Resellers group. The persons administrating the reseller network are placed in a public team called Reseller network administrators, which makes them visible to the resellers although not being in the same team. Also, the administrators can view all members of the workspace, always.

In this example, resellers should not see the users of other resellers. As there is no common team in place that the users of different resellers are part of, this is true. The users however have a team in common if they are the same reseller, and can therefore see each other. The team called Reseller network administrators is set as public, which means everyone in the workspace will see them and be able to contact them although e.g. a adminstrator is not part of the same team as the reseller.


The groups differ from teams in the following way:

  • They can’t be the owner team of activities

  • They can’t be added to discussions

  • Group members can’t see each other if not part of the same team, if “Users can only view users in their teams” is enabled

  • Groups, teams and users can all be part of a group, while a team can not be part of a team

It is possible to set the visibility of a feed post to a group if feed admin, as well set setting the permissions for a workflow/dataset to a certain group. Users will only be part of different groups while the resellers are part of both teams and groups, with the teams representing the reseller.

Custom roles
The custom roles allow creating roles in a workspace to have more granularity in the user permissions. The custom role is based on the user role, but can be changed with the options listed below:

custom roles

In the example setup, there are two separate roles: Reseller and Administrator. The reseller has the permissions set visible in the picture above. They can load the feed, but not like or comment on feed posts. They can’t create new feed posts. Also, they can only start private discussion with users part of public teams, which are the reseller network administrators in this case. The adminstrators manage the feed and can start private discussions with anyone.

Smart activity owner team selector
This feature is a small add-on that works well when there are multiple teams in a workspace grouped, allowing the person adding activities to a workflow or dataset to select between the options that simply make sense. This is especially important when resellers and administrators add activities to various places. It allows the administrators to choose from any team that has access to the workflow, while it only allows the reseller to select their own team (this is done automatically in the background), removing any possibility of selecting the wrong visibility for an activity.