Only Owners and Admins (or a role granted Manage on Roles & Permissions) can create or edit roles.
Create a role
Start a new role
Click New role to start from scratch, or Clone a default role to start from its access and tweak it. Cloning is the fastest path — for example, clone Finance and remove what a bookkeeper shouldn’t touch.
Name it
Give the role a clear name (e.g. “Bookkeeper”) and an optional description so other admins know what it’s for.
Set access in the matrix
Each row is a resource; each column is a capability — View, Create, Edit, Delete, Manage. Check the boxes to grant access. Use the None / View / Full buttons on a department header to set every resource in that department at once.Checking any action automatically includes View (you can’t edit what you can’t see). Unchecking View clears the whole row.
Assign a role
The change takes effect the next time the member reloads (within a few minutes at most).
Rules and limits
I can't grant an access I don't have
I can't grant an access I don't have
You can only grant capabilities you hold yourself. An Admin can build almost any role; a department lead can only build roles within their own area. Owners can grant anything.
I can't delete a role
I can't delete a role
A role can’t be deleted while anyone is still assigned to it. Reassign those members to another role first, then delete it.
I can't edit a default role
I can't edit a default role
The nine built-in roles are fixed. To customize one, Clone it and edit the copy.
Someone still sees a section after I removed access
Someone still sees a section after I removed access
Permission changes propagate within a few minutes. Ask them to reload. Owners and Admins always see everything the plan includes — that’s expected.
What’s Next?
Permissions reference
The full capability model and default-role matrix
Team Members
Invite people and manage access