Skip to main content
Enterprise plans unlock a shared team workspace: multiple seats, role-based access control, an audit log, brand-managed games, and team-scoped API keys.

Roles (RBAC)

RoLearn uses four roles, each with a fixed permission set:
RoleCan do
OwnerEverything, including ownership transfer and billing.
AdminManage members, workspace settings, brand games and keys.
EditorCreate and edit team content; no member management.
ViewerRead-only access to team data and audit log.
(The legacy member role maps to viewer.) Permissions are checked per action; unknown permissions are denied by default.

Inviting members

  1. An owner or admin sends an invite by email.
  2. The invitee accepts at /team/accept — this works even before their own plan flips to Enterprise, so they can join first.
  3. Seat counts are enforced on the team (row-locked to prevent seat overflow or duplicate-team races).

Team API keys

Enterprise teams can mint team-scoped API keys with specific scopes:
  • read — the public read API.
  • ingest:telemetry — Brand Workspace experience telemetry.
  • sdk:ingest — Multiplatform SDK ingest.
Keys are SHA-256 hashed; the raw key (rk_live_…) is shown exactly once at creation. Per-experience keys can also be minted from Brand Settings.

Audit log

Every privileged team action (member changes, settings, key creation, ownership transfer) is written to an append-only audit log, readable by owner/admin/viewer.
When an Enterprise owner downgrades, the team’s subscription is marked cancelled and Enterprise-gated surfaces stop resolving — by design.