Most teams over-complicate permissions. Here's a practical guide to assigning roles that protect sensitive data without slowing anyone down.
Permissions are one of those things that seem simple until you get them wrong. Too restrictive and your team can't do their work. Too permissive and an intern accidentally deletes a client invoice.
The three default roles
Most agencies need exactly three roles:
- Admin: Full access to everything. Usually the agency owner and operations lead. Can manage team members, billing, and settings.
- Member: Can work on projects, log time, create tickets, and view contacts. Can't access billing or team management, or delete things they shouldn't.
- Viewer: Read-only access. Useful for clients who need visibility into project progress without the ability to modify anything.
Start simple, add complexity later
The mistake most teams make is designing an elaborate permission system before they need one. Start with the three defaults. When someone needs access they don't have, create a custom role for that specific case. Don't pre-engineer permissions for hypothetical scenarios.
You'll know you need more granularity when someone says "I need to see invoices but not create them" or "I need to manage this project but not that one." Those are real use cases that justify custom roles. "What if someday we need..." is not.
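The approach above, as an added example (not code from any particular product): the three defaults as permission sets, two custom roles created only for the two requests quoted above, and a deny-by-default check that honors per-project scope. The `resource:action` permission names, role names, and sample assignments are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# "resource:action" permission names are assumptions made for this example.
ROLES = {
    "admin": {"*:*"},
    "member": {"project:read", "project:write", "time:log",
               "ticket:create", "contact:read"},
    "viewer": {"project:read"},
}
# Custom roles, each added in response to a concrete request:
ROLES["invoice_viewer"] = ROLES["member"] | {"invoice:read"}     # see, not create
ROLES["project_manager"] = ROLES["member"] | {"project:manage"}  # scoped at grant time


@dataclass(frozen=True)
class Grant:
    role: str
    project: Optional[str] = None  # None = agency-wide; otherwise one project only


def is_allowed(grants, resource, action, project=None):
    """Deny by default; allow only if an in-scope grant carries the permission."""
    wanted = {"*:*", f"{resource}:*", f"{resource}:{action}"}
    for grant in grants:
        if grant.project is not None and grant.project != project:
            continue  # scoped grant never applies outside its own project
        if ROLES.get(grant.role, set()) & wanted:  # unknown role grants nothing
            return True
    return False


# Constructed sample assignments.
OWNER = [Grant("admin")]
BOOKKEEPER = [Grant("invoice_viewer")]
LEAD = [Grant("member"), Grant("project_manager", project="acme-site")]
CLIENT = [Grant("viewer", project="acme-site")]

if __name__ == "__main__":
    checks = [
        ("bookkeeper reads invoice", BOOKKEEPER, "invoice", "read", None),
        ("bookkeeper creates invoice", BOOKKEEPER, "invoice", "create", None),
        ("lead manages acme-site", LEAD, "project", "manage", "acme-site"),
        ("lead manages other-site", LEAD, "project", "manage", "other-site"),
        ("client reads other-site", CLIENT, "project", "read", "other-site"),
    ]
    for label, grants, res, act, proj in checks:
        print(f"{label}: {is_allowed(grants, res, act, proj)}")
```

Scoping lives on the grant rather than in the role, so "this project but not that one" needs no extra role per project.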