Roles & permissions
Every member of a business has a role that bundles a set of permissions, and optionally a few individual overrides that adjust that set for them alone. The two together decide exactly what each person can see and do. A role is either one of the seven predefined roles or a custom role you define yourself.
Predefined roles
Pick a predefined role to cover the common cases without thinking about individual permissions. The roles run from most to least privileged:
| Role | What it's for |
|---|---|
| Owner | Full control of the business, including billing and ownership. There is always at least one owner. |
| Admin | Runs the workspace day to day: everything an owner can do except transferring ownership. |
| Manager | Leads delivery: full operational access plus inviting and removing teammates. Can't change settings or roles. |
| Member | Does the work: manage clients, projects, tasks, time, invoices and expenses. No team or settings management. |
| Accountant | Finance focused: full invoices and expenses, read-only everywhere else. |
| Contractor | External collaborator: log time against projects and tasks, see their own time only. |
| Viewer | Read-only access across the workspace. |
The owner is special. It always holds every permission and can't be reduced - individual overrides are ignored for owners. A business always keeps at least one owner, and only an owner can grant the owner role.
Custom roles
When none of the predefined roles fit, define your own. A custom role is just a name and a set of permissions you pick from the catalog below. Anyone who holds the Manage roles & permissions permission (team.manageRoles) can create, edit and delete them under Settings -> Team, in the Custom roles card.
Once created, a custom role behaves exactly like a predefined one:
- It appears in the role dropdown on each member, so you can assign it like any other role.
- It's selectable when inviting someone, so new members can start on it.
- Individual overrides still layer on top - the custom role is the baseline, and Grant / Deny work the same way.
Two rules keep custom roles safe:
- No privilege escalation. A custom role can only include permissions its creator already holds. You can't mint a role that grants something you can't do yourself - the same rule that governs Grant overrides.
- Never the owner. A custom role is always an explicit set of permissions; it's never the owner wildcard, so it can never carry ownership or billing control.
Deleting a role that members still hold is blocked - reassign those members to another role first, then delete it. This keeps anyone from being left with no role.
How individual overrides work
A role is a starting point, not a cage. On any member you can override a single permission in one of three states:
- Inherit - use whatever the role grants (the default).
- Grant - add a permission the role doesn't include.
- Deny - remove a permission the role would otherwise include.
The effective permission set is then:
effective = role permissions + grants - denies
Two rules keep this predictable:
- Deny always wins. If a permission is both granted and denied, the deny applies.
- Owners hold everything. Overrides never apply to an owner.
So you might keep someone on the Member role but Deny them invoices.issue, or leave a Contractor as-is but Grant them time.viewAll for one project's reporting - without inventing a whole new role.
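The resolution rules above, together with the no-privilege-escalation rule for custom roles and Grant overrides, as an added TypeScript sketch (not Clerq's own code). The type and function names are hypothetical, the sample role permission lists are constructed and abbreviated, and "holds" is assumed to mean the actor's effective permissions.

```typescript
// Added illustration; names are hypothetical, not Clerq's implementation.
type Perm = string; // "resource.action", e.g. "invoices.issue"

interface TeamMember {
  isOwner: boolean;
  rolePermissions: Perm[]; // baseline from a predefined or custom role
  grants: Perm[];          // per-member Grant overrides
  denies: Perm[];          // per-member Deny overrides
}

const has = (list: Perm[], p: Perm): boolean => list.indexOf(p) !== -1;

// effective = role permissions + grants - denies
function can(m: TeamMember, p: Perm): boolean {
  if (m.isOwner) return true;         // owners hold everything; overrides ignored
  if (has(m.denies, p)) return false; // deny always wins, even over a grant
  return has(m.grants, p) || has(m.rolePermissions, p);
}

// No privilege escalation: list the requested permissions the actor lacks.
function missingFor(actor: TeamMember, requested: Perm[]): Perm[] {
  return requested.filter((p) => !can(actor, p));
}

// Guard shared by Grant overrides and a custom role's permission set.
function assertCanHandOut(actor: TeamMember, requested: Perm[]): void {
  if (!can(actor, "team.manageRoles")) throw new Error("requires team.manageRoles");
  const missing = missingFor(actor, requested);
  if (missing.length > 0) throw new Error("escalation: " + missing.join(", "));
}

// Constructed sample members; role permission lists are abbreviated assumptions.
const sampleMember: TeamMember = {
  isOwner: false,
  rolePermissions: ["clients.view", "invoices.create", "invoices.issue", "time.log"],
  grants: [], denies: ["invoices.issue"],
};
const sampleContractor: TeamMember = {
  isOwner: false,
  rolePermissions: ["time.log", "time.viewOwn"],
  grants: ["time.viewAll"], denies: [],
};
const sampleDelegate: TeamMember = {
  isOwner: false,
  rolePermissions: ["team.manageRoles", "clients.view", "time.viewAll"],
  grants: ["invoices.issue"], denies: ["invoices.issue"], // both set: deny applies
};
const sampleOwner: TeamMember = {
  isOwner: true, rolePermissions: [], grants: [], denies: ["settings.edit"],
};
```

Evaluating the deny before the grant is what makes the result independent of the order in which overrides were saved.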
The permission catalog
Permissions are resource.action strings, grouped by the area of the app they govern. This is the full catalog.
Clients
| Permission | Allows |
|---|---|
| clients.view | See the client list, client details and activity. |
| clients.create | Add new clients and import them in bulk. |
| clients.edit | Change client details and add notes. |
| clients.archive | Archive and restore clients. |
Projects
| Permission | Allows |
|---|---|
| projects.view | See projects and their details. |
| projects.create | Start new projects. |
| projects.edit | Change project details, status and rates. |
Tasks
| Permission | Allows |
|---|---|
| tasks.view | See the tasks on a project. |
| tasks.create | Add tasks to a project. |
| tasks.edit | Change task details and move them between statuses. |
| tasks.delete | Remove tasks from a project. |
Time
| Permission | Allows |
|---|---|
| time.log | Start and stop the timer and add manual time entries. |
| time.viewOwn | See your own timesheet and running timer. |
| time.viewAll | See time entries logged by other team members. |
| time.edit | Change the notes on time entries. |
| time.delete | Remove time entries. |
Invoices
| Permission | Allows |
|---|---|
| invoices.view | See invoices and look up exchange rates. |
| invoices.create | Create draft invoices. |
| invoices.edit | Add and remove lines and generate lines from time. |
| invoices.issue | Issue a draft, assigning its number. |
| invoices.markPaid | Record an invoice as paid. |
| invoices.configure | Change the next invoice number for a year. |
Expenses
| Permission | Allows |
|---|---|
| expenses.view | See the expense list and receipts. |
| expenses.create | Record new expenses. |
| expenses.edit | Change the details of an expense. |
| expenses.approve | Mark expenses paid or unpaid. |
| expenses.delete | Remove expenses. |
Insights
| Permission | Allows |
|---|---|
| dashboard.view | See the business dashboard and its financial summary. |
Team
| Permission | Allows |
|---|---|
| team.view | See who is on the team. |
| team.invite | Invite people and revoke pending invitations. |
| team.removeMember | Remove people from the team. |
| team.manageRoles | Change members' roles and individual permissions. |
Settings
| Permission | Allows |
|---|---|
| settings.view | See the business settings. |
| settings.edit | Change the business name, address, currency and tax. |
| branding.edit | Change the logo, brand colour and invoice footer. |
Managing it
Roles, custom roles and overrides all live under Settings -> Team. Anyone who holds the Manage roles & permissions permission (team.manageRoles) - owners and admins by default - can:
- Change a member's role from the dropdown on their row. It lists the predefined roles plus any custom roles. You can only assign roles at or below your own, and only an owner can grant the owner role.
- Toggle individual permissions for a member between Inherit, Grant and Deny, one permission at a time, in the per-member permission editor.
- Manage custom roles in the Custom roles card - create a role from a set of permissions, edit it, or delete one no member is using.
Changes take effect immediately: they apply the next time that member acts.
The same permissions gate the MCP server. Clerq's MCP server reuses the app's tRPC layer, so an AI assistant connected on someone's behalf can do exactly what that person can do in the web app - no more, no less. Tighten a member's permissions and you tighten their assistant in the same move.