Permissions & Roles

ClientCove enforces resource access at four layers: role capabilities, client assignment, folder scope, and per-file restrictions. Knowing how these stack determines who sees what.

Capability Matrix

CapabilityWho Has It
View resourcesAny logged-in user with the resources feature enabled, plus visitors using a valid public share link
Add / edit resourcesAdministrators, Editors, and any role with edit_posts or upload_client_resources
Manage folders (own client)Roles with manage_own_client_folders
Add / edit / delete folders, delete resourcesAdministrators, System Administrators, Technical Administrators only
See TrashAdministrator, Editor, Representative, Sales Representative, System Admin, Technician, Tech Lead, Tech Admin, Senior Contractor
Bypass client-folder restrictionAnyone with manage_options or edit_others_posts (typically Admins and Editors)
Permanent deleteAdministrators, System Admins, Tech Admins only

How Client Visibility Works

When a logged-in user opens the Resources page, the resource list is filtered as follows:

  1. Admins/Editors see everything regardless of client
  2. All other users see resources that match any of these:
    • In a Shared folder (no client binding)
    • In a Client folder bound to their client
    • The resource itself is assigned to their client
    • The resource is gated by a Required Purchase they own

Workbench folders are never visible to clients — they're always staff-only.

Sharing across clients

A resource can belong to multiple folders. If even one folder is public (Shared, no client binding), the resource is visible to everyone. Use Client folders for resources that should only reach a specific client.

Role Groups

ClientCove organizes roles into functional groups for UI behavior:

Admin group

  • Administrator
  • System Admin
  • Technical Administrator

Full access to everything in Resources: create, edit, share, delete, manage folders, see all clients.

Staff group

  • Editor
  • Representative / Sales Representative
  • Technician / Tech Lead
  • Senior Contractor

Can create and edit resources, can see Trash, can manage folders within their assigned scope. Cannot permanently delete or manage portal settings.

Client group

  • Client (default)
  • Client Manager
  • Client Contributor

View resources assigned to their client. Client Managers can manage their own client's folders if granted manage_own_client_folders. Client Contributors can add resources via upload_client_resources if granted.

Anonymous (share link)

  • Visitors arriving via valid public share link

Read-only access to the shared resource only. Cannot navigate to other resources.

Required Purchase (Paywalls)

A resource can be gated behind a product purchase.

Setting it up

  1. Open the resource in edit mode
  2. Open Settings → Required Purchase
  3. Pick a product

Behavior

Visitor StateWhat They See
Logged out"Purchase Required" notice + link to product (if visible)
Logged in, no entitlementSame "Purchase Required" notice
Logged in with entitlementNormal resource view
Public share linkBypasses paywall — share carefully

Entitlement is verified per-request via check_user_has_access().

Per-File Permissions

Within a Grouped resource, individual files can have their own visibility rules:

  1. In edit mode, on the Files tab
  2. Open the file row's permissions action
  3. Choose visibility:
    • Public (matches resource visibility)
    • Authenticated only (any logged-in user)
    • Specific client (members of that client only)
    • Specific role (e.g. admins only)

Use this for grouped deliverables that mix public assets (a logo) with confidential files (a contract draft).

Trash & Permanent Delete

Soft delete (Trash)

Available to roles in the trash list. Trashed resources move to the trash collection — hidden from clients, recoverable.

  1. Open the resource detail page
  2. Three-dot menu → Trash

Restore from the Trash view by clicking Restore on the resource card.

Permanent delete

Administrators, System Admins, and Tech Admins only.

  1. Switch to the Trash view
  2. On the resource card, open the menu → Delete permanently
  3. Confirm

This removes the WordPress post entirely. Underlying media library files are detached but not removed (they remain in the WP media library unless manually deleted there).

Permanent deletion is irreversible. Public share links to permanently deleted resources start returning 404 immediately. If you might need the content again, leave it in Trash — there's no time limit on restoration.

Was this page helpful?