Team, roles & client access
Invite teammates, scope client users to their own data, and shape custom roles.
Inviting people
Team → Invite sends an email invitation. The invitee clicks the link, sets a password, and lands in your workspace with the role you chose. Pending invites can be revoked until accepted.
Roles
System roles cover the usual shapes:
- Agency owner / Agency admin — everything (owner can't be demoted by anyone below owner)
- Account manager — day-to-day: leads, reports, tracking
- Client admin / Client user — for your clients' own people
- Viewer — read-only everywhere
Roles lets admins create custom roles from granular permissions (leads.edit, leads.export, integrations.manage, users.manage…). A member can never grant a permission they don't hold themselves — enforced in the database.
Scoping users to a client
When inviting (or editing a member), choose whole agency or tick specific accounts. An account-scoped user sees only those accounts' leads, reports and settings — other clients don't exist for them. This is enforced by row-level security in the database, not just hidden in the interface.
Safety rails worth knowing
- The last agency owner can't be removed or demoted.
- Every membership and permission change is audit-logged.
- Members manage their own profile (name, password) and lead-alert preferences.