Permissions

Roles that fit how your team actually works.

Three built-in roles aren't enough for a real organization. AnchorMark lets you define custom user groups, pick capabilities from a published catalog, and apply them per project so access matches responsibility.

See pricing

Problem

Why this hurts today

QA leads need approval rights without admin power. Contractors need to triage but not change billing. Hard-coded admin/member/reviewer roles force you to over-grant access to anyone who needs to do real work — which is exactly the kind of permission sprawl your security team flags in every review.

Solution

What AnchorMark does

Custom user groups assemble exactly the capabilities a team needs from the permissions catalog. Group membership flows into project shares and SCIM provisioning so identity stays the source of truth. Every assignment is recorded in the audit log, and per-project group scopes mean the same person can be an approver on one project and a read-only reviewer on another.

Capabilities

What you get when you turn this on.

Permission catalog

A documented set of capabilities — read, comment, triage, resolve, approve, manage settings, billing, integrations, and more.

Custom groups

Define groups like 'Release captains' or 'Client reviewers' with the exact capabilities they need.

Project-scoped roles

Apply groups per project so the same person can be an approver on one and a reviewer on another.

Immutable audit log

Every membership change and capability assignment lands in the workspace audit log.

SCIM-driven membership

Map IdP groups to AnchorMark groups so identity provisioning controls access automatically.

Capability discovery

A searchable catalog with descriptions and examples so admins don't have to guess what each capability does.

Frequently asked questions

Can SCIM groups map to AnchorMark groups?

Yes — on Enterprise, SCIM group membership drives AnchorMark group assignment automatically. Add someone to a group in Okta or Azure AD and they pick up the matching AnchorMark capabilities within seconds. See SSO & SCIM for the supported IdPs.

Are there per-plan limits on custom groups?

Team and Agency plans include unlimited custom groups; Starter is limited to the built-in roles. Compare plans for the full breakdown.

What capabilities can I assign?

Read, comment, triage, resolve, approve, manage projects, manage integrations, manage members, manage billing, and a handful of other granular capabilities. The catalog is published in-product with descriptions for each one.

Can a person belong to multiple groups?

Yes. Capabilities are unioned across all groups a user belongs to, so a person who is in 'Release captains' and 'Client reviewers' gets the combined set.

How is this different from a normal admin/member/reviewer split?

Three fixed roles always over-grant or under-grant for someone. Custom groups let you give a QA lead the 'approve releases' capability without billing access, or hand a contractor 'triage' without 'manage members'. AnchorMark records every assignment for audit.

How do I prove to an auditor who had access to what?

The audit log records every group membership change and capability assignment with the actor, timestamp, and target. Logs are immutable and exportable for SIEM ingestion.

Keep exploring

Project sharing & invitations

Share projects internally with users or groups, externally with partner organizations, or publicly with magic-link guests — without giving anyone more access than they need.

SSO & SCIM

Enterprise sign-on with SAML and OIDC, plus SCIM provisioning to keep teams in lockstep with your identity provider.

Security & compliance

Tenant-first architecture, encrypted storage, and audit logs built for modern web teams.

Ship faster with feedback that already has the receipts.

Start a 14-day trial of the Team plan — no credit card required.

Compare plans