PressPlay's permission system ensures that team members have the access they need to do their work effectively while protecting sensitive data and critical configurations. Understanding roles and permissions helps you assign appropriate access levels and maintain security across your organization.
PressPlay uses a role-based access control (RBAC) system with three main permission levels:
Read: View-only access to organization resources
Write: Create and modify experiments, assets, and configurations
Admin: Full control including team management and organization settings
These roles are applied at the organization level, meaning a user's permissions apply to all publishers, apps, and experiments within that organization. A user might have different roles in different organizations—for example, admin in one organization and read-only in another.
Users with read permission can view all data within the organization but cannot make changes. This role is ideal for stakeholders, analysts, and team members who need visibility without the ability to modify configurations.
View experiments: See all experiments, their configurations, and status
Access reports: Review experiment results, statistics, and performance metrics
Browse apps and publishers: See what apps are connected and their configurations
Review assets: View generated screenshots, descriptions, and other creative assets
Check backlog items: See what experiments are planned but not yet launched
View competitor analysis: Access insights about competitor apps
See team members: Know who else has access to the organization
Access locales and CSLs: View configured markets and country-specific listings
Read users cannot:
Create, modify, or delete experiments
Generate new assets or change existing ones
Change app configurations or settings
Connect or disconnect publishers
Add or remove team members
Modify organization settings
Trigger synchronization or publishing operations
Update backlog item status
Assign read permission to:
Executives and stakeholders who need visibility into experiments and results but won't manage day-to-day operations
Finance and operations teams who monitor spending or resource usage
External clients who want to see what you're doing on their behalf without ability to change configurations
New team members during onboarding before they're ready for full access
Contractors who need to review work but not modify it
Audit and compliance roles who need to verify activities without changing them
Read permission provides the transparency stakeholders need while preventing accidental or unauthorized changes.
Users with write permission can perform most operational tasks within the organization. This role is appropriate for ASO managers, growth marketers, and anyone actively managing experiments.
In addition to everything read users can do, write users can:
Create experiments: Set up new A/B tests for titles, descriptions, screenshots, and other assets
Modify experiments: Update experiment configurations, priorities, and settings
Delete experiments: Remove experiments that are no longer needed
Generate assets: Use AI-powered tools to create new screenshots, descriptions, and creative content
Update asset status: Mark assets as approved, rejected, or in review
Manage backlog: Update the status of planned experiments
Configure experiment settings: Adjust experiment parameters and preferences
Trigger synchronization: Force sync of apps and publishers to get latest data
Update app configurations: Change app-level settings and preferences
Manage CSL locale status: Enable or disable specific markets and country listings
Connect Slack integrations: Set up notifications and collaboration tools
Write users cannot:
Add or remove team members
Change user roles and permissions
Connect or disconnect publishers (organization-level connections)
Activate or deactivate the organization
Access organization-level administration features
Perform system-wide operations
Assign write permission to:
ASO managers who run experiments and optimize store listings
Growth marketers actively testing and iterating
Product managers managing app store presentation
Creative teams generating and managing assets
Experienced team members who've completed onboarding
Write permission gives users the tools they need to do their jobs without the risks associated with organization-level administration.
Users with admin permission have complete control over the organization, including team management and critical configurations. This role should be limited to trusted individuals with responsibility for the organization's overall management.
In addition to everything write users can do, admin users can:
Add team members: Invite new users to the organization
Remove team members: Revoke access for users who no longer need it
Change user roles: Upgrade or downgrade permissions for team members
Connect publishers: Link Google Play Console accounts to the organization
Disconnect publishers: Remove publisher connections
Activate organization: Enable an organization that was deactivated
Deactivate organization: Temporarily disable access to the organization
Modify organization settings: Change organization-level configurations
Access all apps and publishers: View and manage everything in the organization
Configure integrations: Set up organization-wide tool connections
Assign admin permission to:
Organization owners: The person or people ultimately responsible
Team leads: Managers who oversee the ASO program
Technical administrators: Those who manage integrations and configurations
Trusted senior team members: Experienced individuals who need full access
Every organization should have at least two administrators to prevent lockout situations, but limit admin access to prevent security risks and accidental misconfiguration.
Understanding how permissions apply helps you plan access appropriately:
Roles are assigned at the organization level. A user's permission applies to everything within that organization:
All publishers connected to the organization
All apps across those publishers
All experiments, assets, and reports
All settings and configurations
There's no way to grant access to only one app or publisher within an organization. If you need that level of granularity, consider creating separate organizations for different apps or publishers.
A user can be a member of multiple organizations with different roles in each:
Admin in Organization A
Write in Organization B
Read in Organization C
When the user switches organizations, their available actions change based on their role in the currently selected organization.
PressPlay uses JWT (JSON Web Token) authentication with scope-based authorization:
Authentication verifies who you are (your user account)
Authorization determines what you can do (your role and permissions)
Every API request includes scope information that tells the system what permissions the user has, ensuring they can only perform authorized actions.
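The following Python example is added here and is not PressPlay's own code. It shows a server verifying an HS256-signed token (authentication) and then checking the user's role in the currently selected organization against the minimum role for an action (authorization). The `orgs` claim layout, the action names, the key and the sample claims are assumptions made for the example; the page does not document PressPlay's token format.

```python
import base64, hashlib, hmac, json, time

# Role hierarchy from the page: admin includes write, write includes read.
RANK = {"read": 1, "write": 2, "admin": 3}
# Hypothetical action names, each mapped to the minimum role the page gives.
REQUIRED = {"experiment.view": "read", "experiment.create": "write",
            "app.sync": "write", "member.add": "admin",
            "publisher.connect": "admin"}
# Constructed sample data: one user, a different role per organization.
DEMO_KEY = b"constructed-demo-key"
DEMO_CLAIMS = {"sub": "user-1", "exp": 2000,
               "orgs": {"org-a": "admin", "org-b": "write", "org-c": "read"}}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims, key):
    """Issue an HS256 token (stands in for the login service)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(head, body, key))}"

def verify(token, key, now=None):
    """Authentication: return the claims only for a valid, unexpired token."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # no "none"/alg swap
            return None
        if not hmac.compare_digest(mac(head, body, key), b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        expired = claims.get("exp", 0) <= (time.time() if now is None else now)
    except (ValueError, TypeError, AttributeError):
        return None
    return None if expired else claims

def authorize(token, key, org_id, action, now=None):
    """Authorization: the role held in the selected org must cover the action."""
    claims = verify(token, key, now)
    if claims is None or action not in REQUIRED:  # unknown action: deny
        return False
    role = claims.get("orgs", {}).get(org_id)     # not a member: role is None
    return RANK.get(role, 0) >= RANK[REQUIRED[action]]
```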
Different team structures benefit from different permission patterns:
For teams of 2-5 people:
1-2 admins (founders or leads)
Remaining members as write users
Read access for any external stakeholders
This keeps management simple while protecting critical functions.
For agencies managing client accounts:
Agency team members: Admin or write depending on role
Client stakeholders: Read-only access
Separate organizations for each client
This gives clients visibility while maintaining agency control over execution.
For large companies with multiple products:
Product-specific admins for each organization
ASO team members with write across relevant orgs
Executives with read across all orgs
Finance/compliance with read-only admin access
This balances autonomy with oversight and compliance needs.
For teams using external help:
Internal team: Admin and write
Contractors: Write or read depending on role
Time-limited access with regular review
This brings in external expertise while controlling access duration.
User roles can be updated as needs change:
Consider upgrading a user's role when:
They've completed onboarding and proven competent
Their responsibilities expand
They take on a leadership role
You need backup administrators
Consider downgrading a user's role when:
Their responsibilities decrease
They move to a different role
Security concerns arise
They're transitioning out of the team (downgrade before removal)
Administrators can change user roles through the organization's user management interface. Changes take effect immediately—users may need to refresh their session to see the new permissions reflected in the interface.
Follow these guidelines to maintain secure access control:
Give users the minimum permissions they need to do their jobs effectively. Don't grant admin access just because someone asks—ensure they actually need those capabilities.
Periodically review all team members and their permissions:
Do they still need access?
Is their permission level still appropriate?
Have their responsibilities changed?
Conduct these reviews quarterly or whenever there are significant team changes.
If you need to give some team members access to only certain apps:
Create separate organizations for different app portfolios
Add users only to organizations they need
Accept the overhead of multiple organizations for improved access control
Maintain clear documentation about:
Who has what role and why
When permissions were granted or changed
What responsibilities go with each role
Who approved access changes
Always maintain at least two administrators to prevent lockout situations. If your sole administrator leaves suddenly, you could lose access to critical functions.
PressPlay maintains audit trails of user actions. While all users' actions are logged, pay special attention to admin actions that could significantly impact the organization.
If someone reports they can't do something they should be able to:
Verify their assigned role in user management
Confirm they're in the correct organization
Check that the organization is active
Have them log out and back in to refresh their session
Ensure the action is actually allowed for their role
If someone has access they shouldn't:
Check their assigned role—it may be higher than intended
Verify they weren't accidentally added to the wrong organization
Review recent permission changes in audit logs
Downgrade or remove their access as appropriate
If all administrators lost access somehow:
Contact PressPlay support—they can help restore access
In the future, always maintain multiple administrators
When planning permissions for your team, consider:
What does this person need to do? List their specific responsibilities
What's the minimum role needed? Start with read, upgrade only if necessary
Who else has similar responsibilities? Maintain consistency across the team
Are they permanent or temporary? Plan for access removal timing
Do they need training? Ensure they understand their permissions
Thoughtful permission management protects your organization while empowering your team to work effectively. Assign roles carefully, review regularly, and adjust as needs evolve. The goal is appropriate access for everyone—not too much, not too little, but just right for their role in your app store optimization efforts.