The permissions model

The ExcelWraps permissions model makes it easy to collaborate within and between organizational units, hiding irrelevant information while preserving the integrity and security of sensitive information.

This page serves as an overview of the various components of the permissions model and allows you to zoom in on the details that interest you.

Illustration of various roles like Manager, Supervisor, Electrical operative, Mechanical operative etc


Users have roles. Roles work like keys that open vital elements of the Wrapsite only to the right people. Roles are the most important part of the ExcelWraps permissions model.

  • Roles can protect the integrity of the wrapsite. If an electrical connection is to be inspected and signed off as working properly, you may want to restrict this signature to the people that are responsible for electricity and have the corresponding competence.
  • Roles can give different users access to different parts of the ExcelWraps site and block irrelevant content. Roles that control visibility keep the site compact and easy to navigate for everyone.

You need one Role for each separate set of permissions. Some of the typical user roles are shop floor operatives, mechanical workers, electrical workers, supervisors, managers, clients, and suppliers. A user can have any number of roles, e.g. you may be both a shop floor worker and an electrical worker. There is a list of predefined user roles in the bottom sections of this page, and descriptions of other optional roles that you may create for your Wrapsite.

Screenshot of a user definition where roles have been ticked off in a list

You can also dynamically assign Roles from a Competence Wrap using the UserRole function.

Roles and permissions

Each role has a set of permissions assigned to it that enables you to View, Create, Edit, and/or Delete content in the Wrapsite. If all your roles together don’t give you particular permission, you cannot perform the corresponding action. Your total set of permissions consists of all granted permissions for all roles that you have.  You will be denied access to everything else.

Static content like web pages and blog posts on the Wrapsite have access controls that permit only particular user roles to manage the corresponding content. Read more about Wrapsite administration.

In the Content Management System (CMS), when the “Enable content item access control” checkbox is ticked, content owners are required to have both “All” and “Own” permissions to manage their content effectively.

Wrapgroups and Workgroups

Most of your work related to permissions and access control will be about protecting the data that is stored in the instances of the Wraps. The ExcelWraps permissions model uses Wrapgroups to grant permission to users in Workgroups to access Wraps and their instances according to each user’s Roles.

You define your Wrapgroups on your Wrapsite’s Administration > ExcelWraps > Wrap Groups page.

When you upload a Wrap the first time, it is made available only in the Default wrapgroup. If you have defined additional Wrapgroups, you can select the Wrapgroups that you want the Wrap included in.

Before you define additional Wrapgroups and Workgroups, the permissions for the Default Wrapgroup and the None Workgroup apply to all users. Below is an example of these permissions. These are the minimum permission settings that must be managed for any Wrapsite.

Screenshot of the Role permissions for a Wrapgroup

You can assign different permissions for each defined Role to View, Edit, Create, or Delete Wrap instances in the Wrapgroup.

You can have separate permissions for each user’s own instances, i.e. “created by me”.



The outermost scope for controlling permissions within ExcelWraps is the Wrapsite. From a web hosting perspective, we sometimes refer to this as the “Tenant”. A Wrapsite typically manages work within an independent division of a company.

User accounts are maintained separately per Wrapsite. There is no facility for users in one Wrapsite being granted access to resources in another.

Apart from being your primary vehicle to access Wraps and their instances, the Wrapsite is just like any other website. It has built-in features to create static web pages or add posts to a live blog that permits users to add comments. There is a media library and you can use menus for navigation within the website.

Learn how to change the Wrapsite settings on the Wrapsite administration help page.


Users are created per Wrapsite. A user is uniquely identified by their username (required) or their e-mail address (optional), both of which must be unique within the Wrapsite. A User has Roles and may belong to a Workgroup.

Learn how to change the User settings on the User administration help page.


Roles are used to control permissions on resources. Access to instances of a Wrap is granted by assigning View, Edit, Create or Delete permissions to individual Roles.

If a Role grants permission to a resource, then any User that has been assigned the role can access the resource as long as there are no other constraints for the user’s Workgroup.

Learn how to change the Roles settings on the User administration help page. You can also dynamically assign Roles from a Competence Wrap using the UserRole function.


Workgroups are used to subdivide Wrapsites into smaller groups. Use of them is not required, in which case only Role-based permissions are in play.

Workgroup A can trust Workgroup B. In this case, users in Workgroup B behave as if they are in Workgroup A, and can access resources according to their Roles.

Users within Workgroups can also access resources that do not belong to any Workgroup, in which case only Role permissions apply.

Learn how to change the Workgroup settings on the User administration help page.


Wrapgroups are used to group related Wraps so their access can be configured collectively. Access to instances of a Wrap is granted by assigning View, Edit, Create or Delete permissions to individual Roles. These can be assigned for both instances created by – and therefore owned by – a user, or for all users.

Additionally, a Wrapgroup can belong to a Workgroup. In this case, only users within this Workgroup – or a workgroup they trust – can access the Wrap instances in the Wrapgroup.

Learn how to change the Wrapgroup settings on the Wrap administration help page.

Learn more about the permissions model on the Wrapgroups and Workgroups help page.

Standard roles

Site-wide roles

Some administrative roles are related to the website itself.

Site admin roles

Some operations on the wrapsite may be limited to special users with unrestricted access to all content. The predefined roles we use for this are

  • Administrator
  • Tenant Admin

User state roles

It is likely that you want to provide minimal access to the wrapsite until the user has been identified. We use these roles for this:

  • Anonymous – An unidentified user that has not logged in.
  • Authenticated – A user that has logged in and been assigned User role permissions.

Content creation roles

These roles control the creation of new content on the wrapsite.

  • Editor – Can author, publish and edit his/her own and other people’s content items.
  • Author – Can author, publish and edit his/her own content items.
  • Contributor – Can author and edit his/her own content items, but not publish them (save draft only).
  • Moderator – Can moderate comments and tags only, without authoring permissions.
  • Owner – a special Wrap role dynamically allocated to the user that created the Wrap instance

Optional roles

When working with Wraps, users may be given different permissions depending on your organizational requirements.

Hierarchical roles

If users inherit certain permissions from their organizational role, you may define roles for each level of permission. You may choose any name for these roles but we recommend that they always begin with “H-” for clarity, e.g.

  • H-Executive
  • H-Manager
  • H-Supervisor
  • H-Staff

Competence roles

If users have different access levels depending on their competences, you may define roles that match these competencies. You may choose any name for these roles but we recommend that they always begin with “C-” for clarity, e.g.

  • C-Welder
  • C-GearboxSpecialist
  • C-BearingSpecialist
  • C-MotorSpecialist
  • C-Inspector

Team roles

Some access control may be more related to a person’s function within the group. You may choose any name for these roles but we recommend that they always begin with “T-” for clarity, e.g.

  • T-Client
  • T-Production
  • T-Purchasing

Learn more

To learn more about the permissions model, continue to the help page about Wrapgroups and Workgroups.