Roles & permissions
Wisteria has five roles. Every user is assigned exactly one. The role determines which parts of the admin console they see and what actions they can take.
| Role | Sees admin console? | Can author content? | Can approve? | Can manage workspace? |
|---|---|---|---|---|
super_admin | Yes — all of it | Yes (any course) | Yes | Yes |
content_manager | Yes — approvals + read-only review | No | Yes | No |
trainer | Yes — own department only | Yes (own department) | No | No |
auditor | Yes — read-only | No | No | No |
learner | No — uses the learner app | No | No | No |
Authoring is exact-role — only trainers can create courses. A super_admin who wants to author content has to do it themselves under a separate trainer account, or use the super_admin override (rarely needed).
What each role does day-to-day
super_admin
The workspace owner. Configures the company profile, departments, notifications, certificate template, AI Training Profile baseline, approval workflows, and integrations. Reviews the audit log. Adds and removes users.
There must always be at least one active super_admin per workspace; Wisteria prevents the last one from being deleted or deactivated.
content_manager
The default approver. Reviews courses submitted by trainers, approves or rejects each module, sends queries back to trainers. Doesn’t write content themselves — they’re a quality gate, not an author.
In small organisations the super_admin often plays both roles. In larger ones the split matters: trainers write, content managers review, super_admin governs.
trainer
The author. Writes courses, runs the AI scanner manually, edits flashcards and quizzes, submits courses for approval, publishes approved courses to their department.
A trainer can only see and edit courses in their own department. Their Users view is scoped to learners in their department too — they can’t browse the entire workspace’s people.
auditor
The compliance observer. Sees the entire admin console as read-only — every course, every approval, every audit log entry — but can’t change anything. Useful for compliance officers, internal auditors, or external consultants who need visibility without write access.
learner
Everyone else. Doesn’t see the admin console at all. Signs in to the learner app at /dashboard, takes assigned courses, completes quizzes, earns certificates.
How a learner is different from being unassigned
If a learner has no department assigned, they sign in but see an empty dashboard — no courses are auto-delivered to them. Assigning a department is what makes them part of training delivery.
Changing a role
Super admins change roles at Users → click a user → Edit role. Every role change is recorded in the audit log with the previous and new role values.
A few constraints:
- You can’t change your own role (defence against accidental lockout).
- You can’t demote the last active super_admin (same reason).
- Changing role to or from
learnermay also change what app the user lands on after sign-in.
The four-role admin model is the product opinion
Wisteria’s permission model is deliberate. We separate authoring, reviewing, and governance because every L&D customer we’ve worked with eventually wants those layers — and bolting them on after the fact is harder than starting with them.
If your organisation is small enough that one person plays all three roles, just give that person super_admin. Don’t shoehorn them into trainer or content_manager — those roles exist to enforce limits, not unlock features.