Standard roles
Admin
Full workspace control.
Manager
Team and automation management.
User
Daily operational use.
Read-only
Read-only (accountant).
Guest
Limited access to specific projects.
CRM permission matrix
| Action | Admin | Manager | User | Read-only | Guest |
|---|---|---|---|---|---|
| See workspace deals | ✅ | ✅ | ❌ | ✅ | ❌ |
| See own deals | ✅ | ✅ | ✅ | ✅ | 🔸 |
| See team deals | ✅ | ✅ | 🔸 | ✅ | ❌ |
| Create deals | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit own | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit others’ | ✅ | 🔸 | ❌ | ❌ | ❌ |
| Delete deals | ✅ | 🔸 | ❌ | ❌ | ❌ |
| Export CSV | ✅ | ✅ | 🔸 | ✅ | ❌ |
| Bulk import | ✅ | ✅ | ❌ | ❌ | ❌ |
Finance permission matrix
| Action | Admin | Manager | User | Read-only |
|---|---|---|---|---|
| See active invoices | ✅ | ✅ | 🔸 | ✅ |
| Issue invoices | ✅ | ✅ | 🔸 | ❌ |
| See passive invoices | ✅ | ✅ | ❌ | ✅ |
| Approve passive invoices | ✅ | 🔸 | ❌ | ❌ |
| Bank reconciliation | ✅ | 🔸 | ❌ | ❌ |
| See balance sheet | ✅ | 🔸 | ❌ | ✅ |
| Period close | ✅ | ❌ | ❌ | ❌ |
| Modify chart of accounts | ✅ | ❌ | ❌ | ❌ |
HR permission matrix
| Action | HR Admin | Manager | User | Employee (self) |
|---|---|---|---|---|
| Full employee master data | ✅ | 🔸 | ❌ | Only own |
| Payslips | ✅ | ❌ | ❌ | Only own |
| Salaries and costs | ✅ | ❌ | ❌ | Only own |
| Approve team leaves | ✅ | ✅ | ❌ | ❌ |
| See colleague leaves | ✅ | ✅ | 🔸 | Team |
| Modify contracts | ✅ | ❌ | ❌ | ❌ |
| Performance review | ✅ | ✅ (team) | Only own | Only own |
Automation permission matrix
| Action | Admin | Manager | User |
|---|---|---|---|
| Create workflow | ✅ | ✅ | ❌ |
| Modify workflow | ✅ | 🔸 | ❌ |
| Activate/deactivate | ✅ | 🔸 | ❌ |
| See run history | ✅ | ✅ | 🔸 |
| Run manual workflows | ✅ | ✅ | ✅ |
| Configure webhooks | ✅ | ❌ | ❌ |
Settings permission matrix
| Action | Admin | Manager | User |
|---|---|---|---|
| Workspace settings | ✅ | ❌ | ❌ |
| Team and roles | ✅ | 🔸 (team invite) | ❌ |
| Billing | ✅ | ❌ | ❌ |
| Integrations | ✅ | 🔸 | ❌ |
| Custom objects | ✅ | ❌ | ❌ |
| Global automations | ✅ | 🔸 | ❌ |
Ownership and visibility
Beyond roles, every record has:
Owner
Who “owns” the record (e.g. the sales rep for a deal). The owner can always modify it.
Assigned team
The team can see/modify the record based on role.
Visibility flag
- Public: whole workspace
- Team: only assigned team
- Private: only owner + admin
Granular permissions
An Admin can define custom rules for specific records (e.g. “this deal visible only to 3 specific people”).
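The visibility flag described above can be modelled as a deny-by-default check. This is an added example, not the product's own code: the `User` and `Record` classes, the lowercase role and flag strings, and the choice to let the owner and Admin view records at every visibility level are assumptions, and the per-module role matrices and custom granular rules are separate checks that are not modelled here.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class User:                      # hypothetical model, not the product's schema
    id: str
    role: str                    # "admin", "manager", "user", "read-only", "guest"
    teams: frozenset = frozenset()

@dataclass(frozen=True)
class Record:                    # hypothetical model
    owner_id: str
    visibility: str              # "public", "team" or "private"
    team: Optional[str] = None   # assigned team, if any

def can_view(user: User, record: Record) -> bool:
    """Visibility-flag check only; role matrices are evaluated separately."""
    # Assumption: owner and Admin see the record at every visibility level.
    if user.id == record.owner_id or user.role == "admin":
        return True
    if record.visibility == "public":      # whole workspace
        return True
    if record.visibility == "team":        # only the assigned team
        # A team-visible record with no assigned team matches nobody.
        return record.team is not None and record.team in user.teams
    # "private" and any unrecognised flag fall through to deny.
    return False

def owner_can_modify(user: User, record: Record) -> bool:
    """The owner can always modify; other modify rights depend on role."""
    return user.id == record.owner_id

def visible_to(users: Iterable[User], record: Record) -> set:
    """Audit helper: ids of every user who passes the visibility check."""
    return {u.id for u in users if can_view(u, record)}

# Constructed sample data for illustration.
USERS = [
    User("ada", "admin"),
    User("max", "manager", frozenset({"sales"})),
    User("uma", "user", frozenset({"sales"})),
    User("ugo", "user", frozenset({"support"})),
]

if __name__ == "__main__":
    for flag in ("public", "team", "private", "internal"):
        rec = Record(owner_id="uma", visibility=flag, team="sales")
        print(flag, sorted(visible_to(USERS, rec)))
```

Running `visible_to` over the full user list for each sensitive record gives a quick review of who can reach it before and after a visibility change.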
Field-level permissions
For sensitive fields you can make an attribute:
- Visible only to certain roles
- Read-only for certain roles
- Hidden from certain roles
Custom roles
If the 5 standard roles don’t suffice, create a custom role from Settings → Team → Roles → + New:
- Clone from existing (e.g. User + extra permissions)
- Define granular per module
- Apply to existing or new users
Audit log
Every sensitive action is logged:
- Who (user)
- What (action type)
- When (UTC timestamp)
- Where (IP + device)
- Data (before/after for changes)
Frequently asked questions
What happens if a user changes role?
Permissions apply immediately. Already-open records may need a refresh.
Can I temporarily delegate permissions?
Yes, with the “Impersonate” function (Admin only). All actions are logged as “X on behalf of Y”.