Roles and permissions
The six built-in roles, how custom roles work, and what each permission in the Settings → Roles matrix actually controls.
Updated 2026-07-06
Every member of a workspace has a role, and every role is a set of permissions. Settings → Roles & permissions shows the full matrix: roles across the top, permissions down the side. A member with manage.roles can duplicate a role, edit a custom role's cells, or reassign what role a teammate holds.
The six roles
- Workspace Owner — every permission. Cannot be edited or deleted.
- Admin — every permission, same as Workspace Owner. The Owner/Admin distinction is about billing and lifecycle, not day-to-day CRM access.
- Manager — create and edit deals (own, shared, or in a team they manage), move stages, manage a deal's team and visibility, browse the whole workspace, see financials, export data, and manage teams.
- Member — create and edit deals they own or are added to, browse the workspace, see financials, and export data. No team management.
- Limited Member — edit only deals they own or are added to. No browse permission, so deals outside that set are invisible — not just uneditable. No create, no export.
- Read-Only — browse and view financials and reports. No create, no edit, no export.
The four built-in roles below Owner and Admin are starting points, not fixed tiers — duplicate any of them to fine-tune the exact set of permissions a role holds.
Custom roles
Click New role, or Duplicate on an existing role, to create a custom role that starts with a copy of that role's permissions. Default roles (the six above) are read-only in the matrix — their cells can't be clicked. A custom role's cells toggle on and off directly in the matrix. Custom roles can be deleted; default roles can't. Assign a role to a teammate from the Members list.
Only members with manage.roles can open the matrix for editing or reassign a teammate's role. Everyone else sees the matrix read-only.
What key permissions govern
| Permission | Governs |
|---|---|
| deal.edit_own | Edit deals you are the Primary Owner or a Co-Owner of. |
| deal.edit_shared | Edit a deal where you're a Collaborator with Edit access. |
| deal.edit_team | Edit deals owned by a team you manage. |
| deal.edit_all | Edit any deal you can access, regardless of ownership. |
| deal.browse | Discover deals through workspace, team, or pipeline visibility — not just deals you own or are added to. Without it, only owned/shared deals exist for you at all. |
| deal.access_all | See every deal in the workspace, bypassing visibility entirely. Only takes effect if the workspace's admin-bypass setting is also on. |
| finance.view | See deal values, commissions, and any custom field flagged financial. |
| finance.edit | Edit commissions and financial custom fields. |
| data.export | Export contacts, companies, and deals to CSV. |
| report.export | Export report data. |
| manage.roles | Create, edit, and delete custom roles, and assign roles to members. |
| audit.view | View the workspace audit log. |
A deal's edit check applies these in order: edit_all wins outright; edit_own covers the Primary Owner and Co-Owners; edit_shared covers a Collaborator with Edit access; edit_team covers a deal owned by a team you manage. Whichever matches first grants the edit — they're not cumulative requirements.
The billing owner always has full access
Whoever holds the workspace's billing-owner seat gets every permission automatically, no matter what CRM role they're assigned. This exists so a billing owner can never lock themselves out of role management by assigning themselves a restrictive role.
Financial masking
Without finance.view, a deal's value shows as an em dash instead of a real amount, commissions are hidden entirely, and any custom field flagged financial is dropped from what that member can see or edit. This applies everywhere a deal is read — the board, deal detail, reports, and CSV export.
Spotted something out of date? Email hello@neokivo.com.