Roles and Permissions
Control what each team member can see and do with role-based access.
Roles and Permissions
CE Pro uses role-based access control to determine what each team member can see and do. There are five built-in roles. Each role has a default set of permissions that you can customize. Go to Team --> Permissions to manage access.
Permissions are enforced in the admin APIs too, not only in the visible UI. If a role does not include a permission like messages.send, automations.manage, holiday_lights.manage, or estimates.manage, CE Pro now returns 403 even if someone tries to hit the route directly from the browser or a copied API request.
Some record-detail actions also keep role- and ownership-based rules on top of the broad permission system. For example, sales reps can still delete only their own assigned leads and estimates, while client and job deletes stay limited to owner and manager roles even if someone can open the detail page.
The franchise beta adds two more admin permissions:
franchise.viewfranchise.manage
These control access to the franchise hierarchy APIs, the sidebar franchise workspace, and the new org-switching workflow. By default, Owners and Managers receive both permissions.
When franchise.view is present and the active org is a parent-capable workspace on a franchise-eligible plan, the user can open Admin --> Franchise and the dedicated Settings --> Franchise area. When franchise.manage is also present, that same admin can create child workspaces, edit child-workspace metadata, deactivate child workspaces, and send child-org invites.
The Five Roles
Owner (Purple Badge)
Full access to everything. Owners can manage billing, delete the organization, and control all settings. Every account needs at least one Owner.
Manager (Blue Badge)
Access to everything except billing management and organization deletion. Managers can invite team members, configure pricing, manage clients, and view all reports.
Sales Rep (Green Badge)
Can create and manage estimates, view clients, work the sales pipeline, and send messages. Sales reps can delete only leads assigned to them and estimates assigned to them. Cannot delete clients or jobs, and cannot access organization settings or team management.
Crew Lead (Orange Badge)
Can view the job schedule, update job statuses, and see details for assigned jobs. Cannot create estimates, delete records, or access settings.
Technician (Yellow Badge)
The most limited role. Can view today's schedule and update job status for assigned jobs. Cannot delete records or access anything else.
Permission Groups
Permissions are organized into groups. Each group controls access to a section of the app.
Dashboard and Analytics
- View the main dashboard
- View revenue analytics
- View service mix analytics
- View geography analytics
- View sales cycle analytics
- Export analytics data
Default access: Owner, Manager.
Jobs and Schedule
- View the schedule
- Create and edit jobs
- Assign crews to jobs
- Update job status
- View route optimization
- Delete jobs from the job detail page (owner and manager only)
Default access: Owner and Manager have both Schedule view and Schedule manage. Sales Reps, Crew Leads, and Technicians start with Schedule view only unless an Owner customizes the role.
Estimates and Clients
- Create estimates
- Edit estimates
- Send estimates
- Delete estimates
- View client list
- Edit client records
- View pipeline
Default access: Owners and managers can delete any client, lead, or estimate in their org. Sales reps can delete only leads and estimates assigned to them. Crew leads and technicians cannot delete records.
Proposal reassignment and rep handoff actions also follow the Estimates manage permission now. A teammate who can only view estimates can still open the record, but they cannot reassign ownership or push a handoff through the API.
Communications
- Send SMS messages
- Send emails
- View message threads
- Access the messaging inbox
- Trigger manual review requests
Default access: Owner, Manager, Sales Rep.
Services
These permissions cover specialized service modules:
- Holiday Lights — Create and manage holiday lighting proposals, inventory, and designs.
- Fleet — Create and manage fleet wrap proposals and vehicle inventory.
- Commercial — Create and manage commercial building proposals and the commercial pipeline.
Default access: Owner, Manager, Sales Rep (create and manage). Crew Lead (view assigned jobs only).
Administration
These permissions cover system-level settings:
- Automations -- View workflow analytics and run history, or create, edit, activate, pause, test, and manually enroll contacts in workflows.
- AI -- Access AI-powered tools such as lead scoring, pricing analysis, and supported estimator helpers.
- Operations — Manage inventory, locations, equipment, and quality checklists.
- Pricing — View and edit service pricing configuration.
- Team — Invite and remove team members, change roles.
- Marketing — Create and manage marketing campaigns and promotions.
- Billing — View and manage the subscription, payment methods, and invoices.
- Settings — Edit company information, integrations, portal settings, and brands.
Default access: Owner has full access. Manager has access to everything except Billing and organization deletion. All other roles have no access.
How to Customize Permissions
- Go to Team --> Permissions.
- Select a role from the list on the left.
- The permission groups for that role appear on the right.
- Check or uncheck individual permissions within each group.
- Changes save automatically.
Warning: Only Owners can modify permissions. Managers can view the Permissions page but cannot make changes.
>
Permission saves now reject malformed payloads before anything is written. In practice, that means CE Pro accepts only the built-in editable roles and known permission keys, instead of silently storing broken custom payloads.
Default Permission Summary
| Feature Area | Owner | Manager | Sales Rep | Crew Lead | Technician |
|---|---|---|---|---|---|
| Dashboard | Full | Full | Limited | No | No |
| Analytics | Full | Full | No | No | No |
| Estimates | Full | Full | Full | No | No |
| Clients | Full | Full | Full | No | No |
| Pipeline | Full | Full | Full | No | No |
| Schedule | Full | Full | View | View | View |
| Jobs | Full | Full | View | Assigned | Assigned |
| Messages | Full | Full | Full | No | No |
| Holiday Lights | Full | Full | Full | Assigned | No |
| Fleet | Full | Full | Full | Assigned | No |
| Commercial | Full | Full | Full | Assigned | No |
| Operations | Full | Full | No | No | No |
| Pricing | Full | Full | No | No | No |
| Team | Full | Full | No | No | No |
| Marketing | Full | Full | No | No | No |
| Billing | Full | No | No | No | No |
| Settings | Full | Full | No | No | No |
Tips
- Start with the default permissions. Customize only when a team member needs more or less access than their role provides.
- Use Sales Rep for field estimators. They can do everything customer-facing without touching system settings.
- Grant Automations view to teammates who only need analytics and run history. Grant Automations manage only to people who should build workflows, cancel runs, or manually enroll contacts.
- Remember that delete actions are narrower than simple page access. A role might be allowed to open a lead, estimate, client, or job detail page and still be blocked from deleting that record if the built-in ownership or manager-only rule does not allow it.
- The holiday lights Measure with AI action follows permissions too. A signed-in user needs Holiday Lights manage, Estimates create, or AI access before the estimator can call the measurement service.
- Crew Lead and Technician are designed for people who work in the field and usually only need schedule visibility. Grant Schedule manage only if they should create jobs, reorder dispatch, or update schedule data directly.
- Review permissions quarterly. As your team grows, make sure access levels still match job responsibilities.
Related articles
Was this article helpful?
Still need help? Contact support