Team Access & RBAC
Overview
Role-Based Access Control (RBAC) ensures every team member sees exactly what they need — nothing more. A field technician doesn't need access to billing or customer financial data. A dispatcher doesn't need to change account settings. RBAC enforces these boundaries automatically based on the role you assign each person in Team Management.
There are five system roles. Roles are not customizable in the current release — every account uses the same role definitions. Custom roles are on the roadmap.
System Roles
Owner
Full access to everything. One per account. Can transfer ownership, cancel the account, and access billing. Cannot be deactivated without transferring ownership first.
Admin
Full access to all CRM features and settings. Can manage team members (except the Owner). Cannot access billing or transfer ownership.
Dispatcher
Access to scheduling, jobs, estimates, contacts, and conversations. Can assign and reassign jobs. Cannot access settings, billing, or team management.
Technician
Read access to their own assigned jobs, contacts linked to those jobs, and their own schedule. Can add notes, photos, and update job status. Cannot view other technicians' jobs, financial data, or settings.
Office
Access to invoices, estimates, contracts, and customer records. Can create and send financial documents. Cannot access scheduling, dispatch, or settings.
Role Permission Matrix
| Section | Owner | Admin | Dispatcher | Technician | Office |
|---|---|---|---|---|---|
| Jobs & Schedule | ✅ Full | ✅ Full | ✅ Full | ✅ Own only | ✅ Read |
| Contacts | ✅ Full | ✅ Full | ✅ Full | ✅ Assigned | ✅ Full |
| Estimates | ✅ Full | ✅ Full | ✅ Full | ✅ Read | ✅ Full |
| Invoices | ✅ Full | ✅ Full | ✅ Read | — | ✅ Full |
| Conversations | ✅ Full | ✅ Full | ✅ Full | ✅ Own | ✅ Full |
| Automation | ✅ Full | ✅ Full | — | — | — |
| Settings | ✅ Full | ✅ Full | — | — | — |
| Billing | ✅ Full | — | — | — | — |
| Team Management | ✅ Full | ✅ Full | — | — | — |
CRUD Reference
| Object | Create | Read | Update | Delete |
|---|---|---|---|---|
| Role Definition | — | ✅ | — | — |
| Role Assignment | — | ✅ | ✅ | — |
| Permission Override | — | ✅ | — | — |
| Access Log | — | ✅ | — | ✅ (purge) |
Notes
Permission changes take effect immediately — no re-login required. Access logs are available to Owners under Settings → Team Access → Access Log and are retained for 12 months. The Technician role enforces data isolation at the API level, not just the UI — technicians cannot access other technicians' job data through API calls or exports.