← Back to Features
👥

Team & Roles

Give every team member exactly the access they need — no more, no less. Built-in RBAC means you don't have to trust everyone with everything.

Build your team free

Five roles, clear boundaries

Every user in a workspace has exactly one role, set at the workspace level — the same person can be an Admin in one workspace and a Member in another. Roles are assigned when inviting users and can be changed at any time from workspace settings.

Admin
  • Full workspace control
  • Invite, remove, and manage users
  • Assign and change roles
  • Create and delete clients & projects
  • View all users' time entries
  • Full billing & reporting access
Manager
  • Create and manage projects & tasks
  • View all team time entries
  • Access reporting
  • Cannot manage billing
  • Cannot remove users
  • Cannot change workspace settings
Accounting
  • View all time entries & reports
  • Access invoicing
  • Export financial data
  • Read-only on project structure
  • Cannot create or edit projects
  • Cannot manage users
Member
  • Log time on assigned projects
  • View own time entries
  • View project structure
  • Cannot see other users' entries
  • Cannot create or delete clients
  • No billing access
Observer
  • View projects and time entries
  • View reports (read-only)
  • Cannot log time
  • Cannot create or edit anything
  • No billing access
  • Cannot manage users
🛡️

Casbin RBAC engine

Access control is enforced server-side using the Casbin authorization library — not just UI hiding. Every API endpoint checks permissions before returning data.

📧

Invite by email

Send an invitation to any email address. The invitee registers (or logs in if they already have an account) and lands directly in your workspace with the role you assigned.

🔄

Role changes take effect immediately

Promote a Member to Admin or demote an Admin to Member at any time. The change applies on their next request — no re-login required.

🏢

Workspace-scoped

Roles apply per workspace, not per account. A consultant who's a Member in your client's workspace can be an Admin in their own agency workspace — same login, different access.

📋

Audit log

Every permission change, login, and sensitive action is recorded in the audit log. Owners can review what changed, when, and by whom.

🔐

Data isolation

Each workspace runs against its own isolated database. Even a compromised Member account in one workspace cannot see data from another tenant.

Your team. Your rules.

Set up your workspace and invite your team — free to start.

Create free workspace