> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hiveku.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles & Permissions

> Control what each team member can see and do across every department

Hiveku gives account admins granular control over what each user can access. Every member is assigned a **role**, and that role decides which departments they see and what they can do inside each one.

<Info>
  Access is the combination of two things: your **plan** (which features the account has) and your **role** (what you're allowed to do with them). You see a feature only if your plan includes it **and** your role grants it.
</Info>

## How access works

Each department (Accounting, CRM, Marketing, Helpdesk, Communications, and so on) is broken into resources. For every resource, a role grants one or more capability levels:

| Capability | What it allows                                                                                                                          |
| ---------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| **View**   | See lists and records. Required for a department to appear in the sidebar.                                                              |
| **Create** | Add new records.                                                                                                                        |
| **Edit**   | Change existing records.                                                                                                                |
| **Delete** | Remove records.                                                                                                                         |
| **Manage** | Configure the area — settings, approvals, templates, and sensitive actions like sending an invoice, running payroll, or voiding a bill. |

When a role doesn't grant **View** on a department, that department is **hidden** from the sidebar entirely — it isn't an upsell, the person simply doesn't work in that area. (A feature your plan doesn't include yet shows as a locked "Upgrade" item instead.)

## Default roles

Every account starts with nine built-in roles. You can assign them as-is or clone one as the starting point for a custom role.

| Role                     | Accounting | CRM / Sales | Marketing | Helpdesk | Voice | Settings                        |
| ------------------------ | ---------- | ----------- | --------- | -------- | ----- | ------------------------------- |
| **Owner**                | Full       | Full        | Full      | Full     | Full  | Full + billing + ownership      |
| **Admin**                | Full       | Full        | Full      | Full     | Full  | Full (no ownership transfer)    |
| **Manager**              | Edit       | Full        | Full      | Full     | Full  | View team, manage notifications |
| **Finance / Accountant** | Full       | View        | —         | —        | —     | View billing                    |
| **Sales**                | —          | Full        | View      | View     | Edit  | —                               |
| **Marketing**            | —          | View        | Full      | —        | —     | —                               |
| **Support**              | —          | View        | —         | Full     | View  | —                               |
| **Member**               | —          | Edit        | Edit      | Edit     | View  | —                               |
| **Viewer**               | View       | View        | View      | View     | View  | —                               |

A dash means the department is hidden for that role.

<Note>
  Owner and Admin always have full access to everything the account's plan includes — you can't lock an owner out of their own account.
</Note>

## Custom roles

Admins can build roles with exactly the access a person needs — for example a "Bookkeeper" who manages Accounting and reads CRM but never sees Marketing.

<Steps>
  <Step title="Open Settings > Roles">
    From **Team Members**, click **Manage Roles**, or go to **Settings > Roles**.
  </Step>

  <Step title="Create or clone a role">
    Click **New role**, or **Clone** a default role to start from its access and adjust.
  </Step>

  <Step title="Set access in the matrix">
    For each department and resource, check the capabilities to grant (View / Create / Edit / Delete / Manage). Use the **None / View / Full** shortcuts to set a whole department at once.
  </Step>

  <Step title="Save and assign">
    Save the role, then assign it to people from **Team Members**.
  </Step>
</Steps>

<Warning>
  You can't grant a role more access than you have yourself, and you can't delete a role while members are still assigned to it — reassign them first.
</Warning>

## Owner and Admin

* **Owner** — full control, including billing and transferring ownership. There must always be at least one owner.
* **Admin** — full control except transferring ownership of the account.

Both bypass the role checks above, so they can always reach every part of the account their plan includes.

## What's Next?

<CardGroup cols={2}>
  <Card title="Team Members" icon="users" href="/settings/team">
    Invite people and assign their roles
  </Card>

  <Card title="Build a custom role" icon="shield-halved" href="/how-tos/manage-permissions">
    Step-by-step guide to the role matrix
  </Card>
</CardGroup>
