InsightBase is workspace-first. Every product table is either canonical (visible to everyone authenticated) or workspace-scoped (RLS-isolated by workspace_id). Your role determines what you can do inside a workspace; platform admin is a separate flag for cross-tenant operations.
Workspace types
- Business — a single company. One product surface (
/business), one set of segments, one watchlist. - Advisor — for accountancy practices and consultancies. Manages multiple client businesses through the advisor surface (
/advisor) with a topbar business switcher.
Roles, in order
| Role | Read | Write | Manage | Admin |
|---|---|---|---|---|
| Viewer | ✓ | |||
| Operator | ✓ | ✓ (search, export) | ||
| Analyst | ✓ | ✓ (segments, enrichment) | ||
| Manager | ✓ | ✓ | ✓ (sequences, watchlist) | |
| Admin | ✓ | ✓ | ✓ | ✓ (invites, features) |
| Owner | ✓ | ✓ | ✓ | ✓ (everything, transfer-only) |
Owner role
There is exactly one owner per workspace. The owner cannot be removed via the role-change UI — ownership can only be transferredto another admin in the same workspace. This avoids the “we deleted the owner and nobody can administer the workspace anymore” failure mode.
Lifecycle states
A workspace moves through these states over its lifetime:
provisioning— being createdconfiguring— provisioned but the owner hasn't completed setupactive_beta— operational, behind the beta flagactive— operational, generally availablesuspended— paused (billing, abuse, owner request)archived— read-only, history preserved
Inviting people
Invites go through the notification engine — recipient receives an email + in-app prompt to accept. On accept they get a workspace membership at the role you specified. Invite acceptance creates the user record if they don't exist yet.
Names are stored as first_name + last_namealways — there's no combined display field. The avatar uses the initials.