Team & Workflow

RBAC Deep Dive: Owner, Manager, Analyst, Viewer

What each role can and cannot do in Blueprint, when to use each, and how to structure permissions for agencies with multiple clients.

Last updated: Mar 10, 2026 | 6 min read
TL;DR
  • Blueprint has four roles -- Owner, Manager, Analyst, and Viewer -- enforced at the API layer with workspace-scoped permissions.
  • Only the Owner can change roles or remove team members. Managers can invite Analysts and Viewers but not other Managers or Owners.
  • Viewer is a free role designed for client access -- read-only dashboards with no per-seat cost.
  • Each workspace supports up to 5 active + pending members. RBAC is enforced server-side; the UI hides actions, but the API rejects unauthorized requests with 403.

The Four Roles Explained

Blueprint's role-based access control (RBAC) system uses four hierarchical roles, each designed for a specific type of user within a PPC team or agency. The Owner role has full control over the workspace. Owners can invite any role, remove any member, change anyone's role, manage ad platform connections, configure billing, and access every feature in the platform. Each workspace has exactly one Owner, typically the person who created the workspace. The Owner is the only role that can promote someone to Manager or reassign roles after they have been set.

The Manager role is designed for senior team members who need to run day-to-day operations without full administrative control. Managers can invite new members, but only at the Analyst or Viewer level -- they cannot invite other Managers or Owners. This restriction prevents privilege escalation and ensures the Owner retains control over who has elevated access. Managers can manage ad platform connections, set budget targets, manage keywords and negative keyword lists, configure alerts, and access all reporting features. In an agency context, Managers are typically account directors or senior PPC strategists.

The Analyst role provides read access to all data in the workspace along with the ability to initiate certain write operations like managing keywords and budget notes. Analysts can view dashboards, run reports, see Quality Score trends, analyze search terms, and review the audit log. They are the hands-on PPC managers who work with the data daily but do not need to manage team membership or platform connections.

The Viewer role is the most restricted -- and most strategically important -- role. Viewers have read-only access to reports and dashboards. They cannot see keyword-level data, budget targets, team settings, or any configuration. Crucially, the Viewer role is free and does not count toward your paid seat limit. This makes it the ideal role for giving clients visibility into their campaign performance without adding cost to your plan.

Complete Permissions Matrix

The following table shows exactly what each role can do across Blueprint's permission categories. Understanding this matrix helps you assign the right role to each team member from the start, avoiding the need for frequent role changes later.

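Permission                         | Owner     | Manager         | Analyst | Viewer
-----------------------------------|-----------|-----------------|---------|-------
invite:team                        | All roles | Analyst, Viewer | --      | --
manage:team (change roles, remove) | Yes       | --              | --      | --
manage:connections                 | Yes       | Yes             | --      | --
read:keywords                      | Yes       | Yes             | Yes     | --
write:keywords                     | Yes       | Yes             | Yes     | --
read:budgets                       | Yes       | Yes             | Yes     | --
write:budgets                      | Yes       | Yes             | --      | --
read:reports                       | Yes       | Yes             | Yes     | Yes
write:reports                      | Yes       | Yes             | Yes     | --
manage:billing                     | Yes       | --              | --      | --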

Notice that Viewers can only read reports. They cannot see keyword data, budget targets, or team settings. This makes the Viewer role safe to assign to external stakeholders like clients or executives who should see performance results without gaining access to strategic details like negative keyword lists or budget allocation decisions. Analysts can read and write keywords and reports but cannot set budget targets -- that responsibility stays with Managers and Owners who are accountable for spend.

RBAC Enforcement Architecture

Blueprint enforces RBAC at the API layer, not just in the UI. Every protected API route passes through the requireAuth() middleware, which verifies the user's identity, and then through requireWorkspaceAccess(), which checks the user's role within the specific workspace they are accessing. If a user does not have the required permission for a given action, the API returns a 403 Forbidden response regardless of what the UI might have shown. This server-side enforcement means that even if someone manipulates the client-side code to show a hidden button, the underlying action will still be rejected.

The UI complements server-side enforcement by hiding actions that the current user cannot perform. If you are logged in as a Viewer, you will not see the "Invite Team Member" button, the "Set Budget Target" form, or the keyword management controls. This is purely a usability optimization -- removing visual clutter for users who cannot act on those controls. The actual security boundary is always at the API layer. This dual-enforcement approach follows the defense-in-depth principle: the UI prevents accidental clicks, and the API prevents intentional circumvention.

All RBAC checks are workspace-scoped. A user might be an Owner in one workspace and a Viewer in another. Permissions do not carry across workspaces, which is essential for agencies that manage separate workspaces for different clients. When Blueprint evaluates a permission check, it looks at the user's role within the specific workspace being accessed, not their role in any other workspace they might belong to.
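
The workspace-scoped, deny-by-default check described in this section can be sketched as follows. This is an added example, not Blueprint's own code: the permission names and grants come from the matrix above, while `authorize`, the membership records and the workspace IDs are hypothetical.

```javascript
// Added example, not Blueprint's code. Permission names and grants are copied
// from the matrix on this page; the data model and function are hypothetical.
const ROLE_GRANTS = new Map([
  ['owner', ['invite:team', 'manage:team', 'manage:connections', 'manage:billing',
    'read:keywords', 'write:keywords', 'read:budgets', 'write:budgets',
    'read:reports', 'write:reports']],
  ['manager', ['invite:team', 'manage:connections', 'read:keywords',
    'write:keywords', 'read:budgets', 'write:budgets', 'read:reports',
    'write:reports']],
  ['analyst', ['read:keywords', 'write:keywords', 'read:budgets',
    'read:reports', 'write:reports']],
  ['viewer', ['read:reports']],
]);

// Constructed sample data: one row per (user, workspace) membership.
const SAMPLE_MEMBERSHIPS = [
  { userId: 'u1', workspaceId: 'ws-client-a', role: 'owner' },
  { userId: 'u1', workspaceId: 'ws-client-b', role: 'viewer' },
  { userId: 'u2', workspaceId: 'ws-client-a', role: 'analyst' },
];

// Returns the status a protected route would answer with: 200 or 403.
// userId is assumed to come from an identity check that has already passed.
function authorize(userId, workspaceId, permission, memberships = SAMPLE_MEMBERSHIPS) {
  // Only the membership for the workspace being accessed is considered.
  const membership = memberships.find(
    (m) => m.userId === userId && m.workspaceId === workspaceId);
  if (!membership) return 403; // not a member of this workspace
  // Unknown roles and unknown permissions fall through to deny.
  const granted = ROLE_GRANTS.get(membership.role) || [];
  return granted.includes(permission) ? 200 : 403;
}

// Same user, same permission, different workspace: the answer differs.
console.log(authorize('u1', 'ws-client-a', 'manage:billing')); // 200
console.log(authorize('u1', 'ws-client-b', 'manage:billing')); // 403
```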

Role Strategy for Agencies

For PPC agencies, the recommended role structure starts with the agency principal or account owner as the Owner. This person controls billing, can manage all team assignments, and has ultimate authority over the workspace. Senior account directors or team leads should be assigned the Manager role, giving them the ability to invite team members, manage connections, and set budget targets without needing the Owner to be involved in every operational decision.

Day-to-day PPC managers -- the people who are in the accounts daily, analyzing search terms, reviewing Quality Scores, and managing keyword lists -- should be assigned the Analyst role. Analysts have read access to everything they need for their work and can write to keywords and reports. They cannot change budget targets or invite new team members, which keeps those responsibilities with the people who should be making those decisions. For client stakeholders who want to see how their campaigns are performing, assign the Viewer role. Viewers get a real-time read-only dashboard without any cost to your plan, which makes it easy to give every client transparent access.

If you manage multiple clients, create a separate workspace for each client. This ensures that each client's Viewer access is scoped to only their data -- they cannot see other clients' campaigns, budgets, or performance metrics. Your internal team members can be assigned roles across multiple workspaces, with the same or different roles in each one.

Role Strategy for In-House Teams

In-house marketing teams have a simpler structure since there are no external clients to manage. The marketing director or VP of Marketing should be the Owner, controlling the workspace configuration, billing, and team membership. The PPC lead or digital marketing manager takes the Manager role, handling day-to-day operations like setting budget targets, managing connections, and inviting new team members as the team grows.

PPC specialists and campaign managers should be Analysts. They need to see all the data, analyze search terms, track Quality Scores, and manage keyword lists, but they do not need to change budget targets or team settings. For stakeholders who want visibility -- executives, finance teams, product managers who want to understand acquisition costs -- the Viewer role provides exactly the right level of access. They can see the dashboards and reports without being able to modify anything, and since Viewer seats are free, adding them has no cost impact.

In-house teams often have a flatter hierarchy than agencies, which means fewer Managers and more Analysts. A common pattern is one Owner, one Manager, and several Analysts, with Viewers added for anyone outside the immediate marketing team who wants to follow campaign performance. This keeps the team streamlined while ensuring the right people have the right level of control.

Common Patterns and Pitfalls

The most common mistake teams make is assigning everyone the Manager role. This feels convenient at first but creates two problems. First, any Manager can invite Analysts and Viewers, which can quickly fill up your team limit. Each workspace supports up to 5 active and pending members combined, so uncoordinated invitations can exhaust this limit faster than expected. Second, having multiple Managers means multiple people can change budget targets and connection settings, which can lead to conflicting configurations if communication is not airtight.

Another common pitfall is the Manager-cannot-invite-Manager restriction. This is intentional -- it prevents privilege escalation -- but it catches teams off guard when a Manager tries to bring on a new senior team member. Only the Owner can invite someone as a Manager or promote an existing Analyst to Manager. If your Owner is unavailable and you need to add a Manager, you will need to wait for the Owner to take action. Plan your role assignments proactively to avoid this bottleneck.

The team limit of 5 active and pending members includes pending invitations that have not yet been accepted. If you have invited three people and they have not responded yet, those three pending slots count against your limit. If you need to free up space, you can cancel pending invitations that have gone stale. Invitations expire after 24 hours, at which point the pending slot is released automatically. Only the Owner can change an existing member's role after it has been set, so get role assignments right during the invitation process to minimize the need for changes later.
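
The invitation rules in this section (who may invite which role, the 5-slot limit, and 24-hour expiry of pending invitations) combine into a single server-side gate, sketched here as an added example that is not Blueprint's own code. Field names, function names and reason strings are hypothetical, and the sketch assumes every role, Viewer included, occupies one of the 5 slots.

```javascript
// Added example, not Blueprint's code. The limit, expiry and invite rules are
// the ones stated on this page; field names and functions are hypothetical.
const MEMBER_LIMIT = 5;                     // active + pending per workspace
const INVITE_TTL_MS = 24 * 60 * 60 * 1000;  // pending invitations expire after 24 hours
const INVITABLE = new Map([
  // Owner-as-target is left out here: the page says a workspace has one Owner.
  ['owner', ['manager', 'analyst', 'viewer']],
  ['manager', ['analyst', 'viewer']],
]);

// Constructed sample: 3 active members, one live invite, one expired invite.
const NOW = Date.UTC(2026, 2, 10, 12, 0, 0);
const HOUR = 60 * 60 * 1000;
const SAMPLE_WORKSPACE = {
  members: [{ role: 'owner' }, { role: 'manager' }, { role: 'analyst' }],
  invites: [
    { role: 'viewer', sentAt: NOW - 1 * HOUR },   // still pending
    { role: 'analyst', sentAt: NOW - 25 * HOUR }, // expired, slot released
  ],
};

// Assumption: every role, Viewer included, occupies one of the 5 slots.
function slotsInUse(workspace, now) {
  const livePending = workspace.invites.filter((i) => now - i.sentAt < INVITE_TTL_MS);
  return workspace.members.length + livePending.length;
}

function checkInvite(workspace, inviterRole, targetRole, now) {
  // Roles with no entry (Analyst, Viewer, unknown) may invite nobody.
  const allowedTargets = INVITABLE.get(inviterRole) || [];
  if (!allowedTargets.includes(targetRole)) {
    return { allowed: false, reason: 'role-not-invitable' };
  }
  // Expired invitations are not counted, so stale invites do not block new ones.
  if (slotsInUse(workspace, now) >= MEMBER_LIMIT) {
    return { allowed: false, reason: 'member-limit' };
  }
  return { allowed: true, reason: 'ok' };
}
```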

Key Takeaways
  • Four roles -- Owner, Manager, Analyst, Viewer -- cover every team structure from solo freelancer to multi-client agency.
  • RBAC is enforced server-side at every API endpoint. The UI hides actions, but the API rejects unauthorized requests with 403.
  • Viewer seats are free -- use them generously for client access without impacting your plan cost.
  • Managers can invite Analysts and Viewers only -- not Managers or Owners. This prevents privilege escalation.
  • Team limit of 5 active + pending members per workspace. Pending invitations expire after 24 hours.