Sign Up
Settings

Create roles and manage permissions

User Roles define what members can do in each app area and settings area. Adjust roles when default roles are too broad, when a member cannot access an action, or when sensitive actions need tighter control.

Use User Roles to:

  1. Review default roles such as Owner, Admin, Member, and Guest.
  2. Create a custom role when default roles do not match responsibilities.
  3. Load permissions from an existing role as a starting point.
  4. Set access per app area and settings area.
  5. Keep delete, settings, billing, recovery, and member-management access limited to trusted users.

Terms you may see:

  • Role is assigned to a member from Members settings.
  • Permission is the allowed action for a role in a specific app or settings area.
  • No access hides or blocks the area for that role.
  • App Settings decide whether an app area is available. User Roles decide what each member can do when it is available.
  • Custom roles may require plan availability.

Before you start

  • You need access to User Roles.
  • Creating custom roles may require plan support.
  • Review who uses a role before changing it.

How role permissions work

  1. Open Settings.
  2. Open User Roles.
  3. Review role columns and permission rows.
  4. Select a permission value to change access for a role.
  5. Add a custom role when the default roles do not fit.
  6. Assign the role from Members settings.

Expected outcome: Members receive predictable access based on their role and responsibilities.

Control or areaWhat it doesNotes
Add user roleOpens the custom role dialog.Can show an upgrade prompt if custom roles are not available.
Role columnsShow default and custom roles.Owner is protected and should not be treated like a regular editable role.
Permission rowsShow each app area or settings area.Rows can include Collections, Lists, Docs, Whiteboards, Dashboards, Goals, Reminders, Time Tracking, Chat, CRM, Contacts, Companies, Manage Users, User Roles, Templates, App Settings, Tags, and Recently Deleted.
Permission selectorChanges the selected role’s permission for that row.Choices vary by row. Not every row supports every permission.

Common permission levels

PermissionMeaningUse it when
No accessThe role should not see or use the area.External reviewers, temporary users, or restricted roles should be blocked.
ViewThe role can read but not change.Users need reference access only.
Comment or MessageThe role can participate without editing core records.Users need discussion access in supported areas.
CreateThe role can add new items.Users should start work but may not manage all existing work.
EditThe role can update existing items.Users are responsible for maintaining the work.
SettingsThe role can manage configuration for that area when supported.Trusted leads manage fields, defaults, or behavior.
UploadThe role can add files where supported.Users need attachment or media upload access.
DeleteThe role can remove items.Limit this to trusted users because recovery can be time-limited.

Create a custom role

  1. Open Settings > User Roles.
  2. Select Add user role.
  3. Enter a clear role name, such as Client Reviewer or Operations Lead.
  4. Choose a reference role to copy permissions from.
  5. Adjust each permission row.
  6. Save the role.
  7. Assign the role from Members settings.

Change permissions safely

  1. Find the affected app or settings area.
  2. Find the role column.
  3. Open the permission selector.
  4. Choose the smallest permission that allows the user to do their work.
  5. Ask one affected member to refresh and verify access.
  6. Apply the same pattern to other roles only after testing.

Design a least-access role

  • Start from Guest or Member instead of Admin.
  • Add View before adding Create or Edit.
  • Add Delete only when the role is responsible for cleanup.
  • Keep Manage Users, User Roles, App Settings, Archived, and Recently Deleted restricted.
  • Use App Settings to remove a feature for everyone; use roles to restrict who can use it.

Troubleshooting

Add user role is blocked

  • Symptom: The button is disabled or shows an upgrade prompt.
  • Cause: Your plan or role may not allow custom roles.
  • Resolution:
    1. Ask the Space owner to confirm plan availability.
    2. Ask an admin with role access to create the role.
    3. Use a default role until custom roles are available.

A member still cannot access an area after a role change

  • Symptom: The role appears correct, but access is still blocked.
  • Cause: The app area may be disabled in App Settings, the item may be private, the page may need refresh, or plan availability may block the action.
  • Resolution:
    1. Confirm the member has the updated role in Members.
    2. Confirm the app area is enabled in App Settings.
    3. Confirm the item is not private, archived, or deleted.
    4. Ask the user to refresh.

A role change gave too much access

  • Symptom: Users can now see or change more than intended.
  • Cause: A shared role was edited instead of creating a narrower custom role.
  • Resolution:
    1. Revert the permission row.
    2. Create a custom role for the exception.
    3. Reassign only the intended members.

FAQ

Should I edit default roles or create custom roles?

Use default roles for simple teams. Create custom roles when different groups need precise boundaries.

Can a role override private item access?

Not always. Private items, item sharing, App Settings, plan availability, archived state, and deleted state can still affect access.

Who should manage roles?

Owners or trusted admins should manage roles because permission changes can expose, change, restore, or remove Space data.