Roles and permissions
Built-in roles, custom roles, and how access is scoped to properties and units.
On this page
A role is a named bundle of permissions you assign to a team member. The system ships nine built-in roles that cover most teams. If your structure is unusual, you can create custom roles too.
The built-in roles
| Role | Designed for | Default access |
|---|---|---|
| Admin | Workspace owner | Full access. The only role that can change billing, delete properties, edit workflows, or invite members. |
| Manager | Day-to-day operations lead | Everything except billing and workspace settings. |
| Accountant | Finance staff | Read everything; create/verify payments, expenses, deposits; no property edits, no member changes. |
| Maintenance | Field tech or coordinator | Maintenance requests, recurring tasks. No financial pages. |
| Leasing | Lease offer drafter | Properties, units, contacts, lease offers, contracts. Limited financial view. |
| Property Custodian | On-site rep for a specific property | All actions, but scoped to assigned properties only. |
| Owner | Property owner who wants visibility | Read-only on their assigned properties. Sees finances. |
| Shareholder | Owner with reduced visibility | Read-only on the dashboard summary. No drill-down. |
| Tenant | Resident of a unit | Tenant portal access. Maintenance requests, payments, contract view. |
You assign a role at the workspace, property, or unit level — and access cascades. Workspace-Admin sees everything; property-Custodian sees just that property.
Scope: workspace, property, unit
Every role assignment has a scope:
- Workspace — applies to everything in the workspace.
- Property — applies to a single property and its units.
- Unit — applies to a single unit only.
A member can hold different roles at different scopes. A common pattern: someone is Manager at workspace scope but also Property Custodian at one specific property where they live on-site.
Permissions — the underlying catalog
Every role is built from individual permissions. Permissions are atomic ("can view payments", "can verify expenses", "can edit unit rent"). When you assign a role, the system grants every permission in that role's bundle.
The catalog has ~35 permissions across the system, grouped by area: Properties, Contracts, Payments, Expenses, Deposits, Maintenance, Members, Workflows, Billing.
You don't normally interact with individual permissions — you pick a role and trust the bundle. But if you create custom roles, you'll pick permissions one by one.
Custom roles
Open Settings → Roles → Create custom role. Name it ("Junior Bookkeeper"), pick the permissions it should include, and save. The new role then appears in every member-assignment dropdown.
[!tip] Most teams never need custom roles. If you're considering one, first see whether the built-in role you want is just a permission or two short of the built-in. Sometimes the right answer is "use Accountant + a property-scoped Custodian assignment" rather than a brand-new role.
You can edit or delete a custom role at any time. Edits apply instantly — every member with that role picks up the change.
Who can manage members
By default, only Admins can invite members, change role assignments, and remove members. You can grant the manage_members permission to other roles if your team needs delegated administration.
What if a member needs access to one specific property?
Don't grant them workspace-wide access just because they need to see Property X. Instead:
- Invite them with no workspace role (or the most restrictive role).
- On Property X, open Team, and assign them a property-scoped role.
They'll see Property X with the granted role, and nothing else.