Browse documentation

Roles and permissions

The six built-in roles, how custom roles work, and what each permission in the Settings → Roles matrix actually controls.

Updated 2026-07-06

Every member of a workspace has a role, and every role is a set of permissions. Settings → Roles & permissions shows the full matrix: roles across the top, permissions down the side. A member with manage.roles can duplicate a role, edit a custom role's cells, or reassign what role a teammate holds.

The six roles

  • Workspace Owner — every permission. Cannot be edited or deleted.
  • Admin — every permission, same as Workspace Owner. The Owner/Admin distinction is about billing and lifecycle, not day-to-day CRM access.
  • Manager — create and edit deals (own, shared, or in a team they manage), move stages, manage a deal's team and visibility, browse the whole workspace, see financials, export data, and manage teams.
  • Member — create and edit deals they own or are added to, browse the workspace, see financials, and export data. No team management.
  • Limited Member — edit only deals they own or are added to. No browse permission, so deals outside that set are invisible — not just uneditable. No create, no export.
  • Read-Only — browse and view financials and reports. No create, no edit, no export.

The four built-in roles below Owner and Admin are starting points, not fixed tiers — duplicate any of them to fine-tune the exact set of permissions a role holds.

Custom roles

Click New role, or Duplicate on an existing role, to create a custom role that starts with a copy of that role's permissions. Default roles (the six above) are read-only in the matrix — their cells can't be clicked. A custom role's cells toggle on and off directly in the matrix. Custom roles can be deleted; default roles can't. Assign a role to a teammate from the Members list.

Only members with manage.roles can open the matrix for editing or reassign a teammate's role. Everyone else sees the matrix read-only.

What key permissions govern

PermissionGoverns
deal.edit_ownEdit deals you are the Primary Owner or a Co-Owner of.
deal.edit_sharedEdit a deal where you're a Collaborator with Edit access.
deal.edit_teamEdit deals owned by a team you manage.
deal.edit_allEdit any deal you can access, regardless of ownership.
deal.browseDiscover deals through workspace, team, or pipeline visibility — not just deals you own or are added to. Without it, only owned/shared deals exist for you at all.
deal.access_allSee every deal in the workspace, bypassing visibility entirely. Only takes effect if the workspace's admin-bypass setting is also on.
finance.viewSee deal values, commissions, and any custom field flagged financial.
finance.editEdit commissions and financial custom fields.
data.exportExport contacts, companies, and deals to CSV.
report.exportExport report data.
manage.rolesCreate, edit, and delete custom roles, and assign roles to members.
audit.viewView the workspace audit log.

A deal's edit check applies these in order: edit_all wins outright; edit_own covers the Primary Owner and Co-Owners; edit_shared covers a Collaborator with Edit access; edit_team covers a deal owned by a team you manage. Whichever matches first grants the edit — they're not cumulative requirements.

The billing owner always has full access

Whoever holds the workspace's billing-owner seat gets every permission automatically, no matter what CRM role they're assigned. This exists so a billing owner can never lock themselves out of role management by assigning themselves a restrictive role.

Financial masking

Without finance.view, a deal's value shows as an em dash instead of a real amount, commissions are hidden entirely, and any custom field flagged financial is dropped from what that member can see or edit. This applies everywhere a deal is read — the board, deal detail, reports, and CSV export.

Spotted something out of date? Email hello@neokivo.com.