Orimora uses groups with fine-grained capabilities instead of a single “admin vs member” switch. Collection and tag permissions add another layer for content access.
Settings → Groups lists all of the team's groups:
| Type | Description |
|---|---|
| System groups | Built-in: Admins, Editors, Members, Viewers — capabilities can be adjusted, group cannot be deleted |
| Custom groups | Created by admins — name, color, description, any capability mix |
The four system groups and their default capabilities:
| Group | Default capabilities |
|---|---|
| Admins | All capabilities |
| Editors | All except settings, developer, publishing, suspend members, manage groups |
| Members | Create documents, create collections, create/use tags, create templates, use AI |
| Viewers | None — read access only via collection/document permissions |
Click a group to open the drawer with Members and Capabilities tabs.
- Open a group → Members tab
- Search for a team member and add them
- Users inherit all capabilities of every group they belong to
Removing a member from a group revokes capabilities that are not granted elsewhere.
Capabilities are additive — a user has the union of all capabilities from all their groups.
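
The additive rule and the removal behaviour described above, modelled in Python as an added example (not Orimora code or its API). The Members and Viewers sets follow the defaults listed earlier; the custom groups "Docs Leads" and "Integrations" and the sample user's memberships are constructed for illustration.

```python
# Added illustration: a model of the additive rule, not Orimora's API.
# "Members" and "Viewers" use the defaults listed above; the two custom
# groups and the user's memberships are constructed sample data.
GROUPS = {
    "Members": {"Create Documents", "Create Collections", "Create Tags",
                "Use Tags", "Create Templates", "Use AI"},
    "Viewers": set(),
    "Docs Leads": {"Delete Any Document", "Manage Collection Permissions",
                   "Use Tags"},                          # constructed custom group
    "Integrations": {"API Keys", "Webhooks", "Use AI"},  # constructed custom group
}


def effective(memberships, groups=GROUPS):
    """Union of the capabilities of every group the user belongs to."""
    caps = set()
    for name in memberships:
        caps |= groups[name]
    return caps


def revoked_by_removal(memberships, group, groups=GROUPS):
    """Capabilities the user actually loses when removed from `group`."""
    remaining = [g for g in memberships if g != group]
    return effective(memberships, groups) - effective(remaining, groups)


def granting_groups(memberships, capability, groups=GROUPS):
    """Every membership that must end before `capability` is gone."""
    return sorted(g for g in memberships if capability in groups[g])


if __name__ == "__main__":
    alice = ["Members", "Docs Leads", "Integrations"]  # constructed user
    for group in alice:
        lost = sorted(revoked_by_removal(alice, group))
        print(f"remove from {group}: loses {lost}")
    for cap in ("Use AI", "Use Tags", "API Keys"):
        print(f"{cap}: granted by {granting_groups(alice, cap)}")
```

Removing the sample user from Integrations revokes API Keys and Webhooks but not Use AI, which Members still grants.
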
| Capability | Allows |
|---|---|
| Create Documents | New documents in collections |
| Delete Any Document | Delete others’ documents |
| Archive Any Document | Archive/unarchive any document |
| Create Collections | New collections |
| Delete Any Collection | Delete others’ collections |
| Manage Collection Permissions | Set per-collection access rules |

| Capability | Allows |
|---|---|
| Create Tags | New team tags |
| Use Tags | Apply/remove tags on documents |
| Manage Tags | Rename or recolor any tag |
| Manage Tag Permissions | Per-tag access control |
| Create Templates | New document templates |
| Update Any Template | Edit others’ templates |
| Delete Any Template | Delete others’ templates |

| Capability | Allows |
|---|---|
| Invite Members | Send team invitations |
| Suspend Members | Suspend or reactivate users |
| Manage Group Membership | Add/remove users from groups |
| Manage Groups | Create, edit, delete groups |
| Team Settings | Workspace name, logo, domain |

| Capability | Allows |
|---|---|
| Required Reading | Manage required-reading documents |
| Gamification | Points, badges, streaks |
| Audit Log | View team audit log |
| Backups | Trigger and restore backups |
| AI Settings | Configure LLM providers |

| Capability | Allows |
|---|---|
| API Keys | Create and manage API keys |
| Webhooks | Create and manage webhooks |
| MCP Endpoint | Enable HTTP MCP for external tools |
| Publishing | Create and manage publishing channels |

| Capability | Allows |
|---|---|
| Use AI | Access AI chat, image generation, and smart actions (cost-control gate) |

| Capability | Allows |
|---|---|
| Delete Any Comment | Remove comments by other users |
Even with “Create Documents”, a user may not see every collection. Per-collection rules restrict view / edit access to specific groups or members.
Manage via collection settings (requires Manage Collection Permissions).
Tags can have their own access rules — useful for sensitive labels (e.g. “Confidential”). Requires Manage Tag Permissions.
| Role | Suggested groups / capabilities |
|---|---|
| Reader | Members group only — no create/delete capabilities |
| Author | Create Documents, Use Tags, Create Collections |
| Editor lead | + Delete Any Document, Manage Collection Permissions |
| Integrations admin | API Keys, Webhooks, Publishing, MCP Endpoint |
| Workspace admin | Admins group or manually assign all capabilities |