Customising your workspace · Admin only · 12 min read

Roles & permissions

A role is a saved set of permissions you hand to people. This guide is the model underneath it: how access and actions fit together, what the built-in roles really grant, and how to build a custom role that allows exactly what you intend — no more, no less.
You probably don’t need a custom role
The three built-in Workspace roles — Admin, Agent and Viewer — cover almost every team. Custom roles are for the in-between case the built-ins miss (say, “can edit but never delete”). Read the first two sections, and if a built-in fits, you’re done. This guide is the companion to Invite your team & manage roles, which covers assigning roles to people.

How permissions work

Every role is built from a list of features — Inbox, Contacts, Leads, Workflows, and so on — and for each feature you set two things, in this order:

  • Access — the checkbox next to the feature. It answers one question: can this person open this section at all? Off means the feature is invisible to them.
  • Actions — the things you can do inside a feature, like Create Contact, Edit Contact, Delete Contact. These only matter once access is on.

That two-step is the whole model. The same feature can sit at four different levels depending on how you set the dials:

  • No access: the Contacts access checkbox is off, so Create contact, Edit contact and Delete contact don’t apply. They can’t open this section at all.
  • Read-only (0/3 actions): Contacts access is on; Create contact, Edit contact and Delete contact are all off. They can open it and look, but change nothing.
  • Some actions (2/3 actions): Contacts access is on; Create contact and Edit contact are on, Delete contact is off. They can do the actions you tick — here, create and edit but not delete.
  • Full access (All actions): Contacts access is on; Create contact, Edit contact and Delete contact are all on. Access plus every action in the feature.

Access is the gate; actions are what they can change once inside. Turning access on with zero actions is how you make a section read-only.
Access on, zero actions = read-only
This trips people up. Ticking a feature on but leaving every action unchecked doesn’t lock the feature — it makes it read-only. The editor shows that as 0/3 actions, not “No access”. To hide a feature entirely, untick the feature itself.
A shortcut: Allow all actions
Each feature has an Allow all actions toggle. Ticking the feature on turns every action on for you; flip Allow all actions off to start hand-picking. Tick every action by hand and it re-checks itself.

The built-in roles

Exabloom ships with a fixed set of built-in roles you can’t edit or delete. There are two families, because there are two layers of access — your account-wide Brand and the Workspaces inside it.

Workspace roles

What someone can do inside a single workspace. New invites default to Agent.

Admin Built-in

Every feature, every action, plus the workspace’s own settings, tabs and members. The full set — 26/26 features · 22/22 actions.

Agent Built-in

The everyday rep. Full Inbox (can send), read-only on contacts, leads, calendar and workflows — so they can run a workflow but not edit it. No settings.

Viewer Built-in

Look but don’t touch. Read-only across every feature, no actions anywhere — handy for an auditor or stakeholder.

The three built-in Workspace roles, by what they actually grant.

Brand roles

Account-wide powers — managing users, roles, workspaces and Brand-level features. One per person.

Owner Built-in

Full account-wide access. Every Brand keeps at least one Owner, and only Owners can change someone’s Brand role.

Admin Built-in

Runs the account day-to-day: users, roles, workspaces and every Brand-level feature. The same feature access as Owner — see the note below.

Member Built-in

No Brand-level powers at all (0/6 features). A Member only has the Workspace access you grant them — the default for most reps.

The three built-in Brand roles. Most teammates stay on Member.
Owner and Admin grant the same features
At the permission level, the built-in Owner and Admin Brand roles are identical — both have full access to every Brand feature. The things only an Owner can do — change another person’s Brand role and never be the last Owner removed — are built-in safeguards, not switches in the permission matrix. So cloning Owner won’t hand those powers to a custom role.

Where roles live

Roles are managed in one place: the Roles page in your Brand admin area. Open the switcher in the top-left, choose Admin Dashboard, and find Roles in the sidebar.

Roles

Control what people can see and do across your brand and its workspaces.

Role | Description | Kind | Access
Admin | Full access to the org — settings, users, and every feature. | Built-in | 26/26 features · 22/22 actions
Agent | Inbox, contacts, leads, workflows (run, not edit). | Built-in | 8/26 features · 1/22 actions
Viewer | Read-only access to every feature in the org. | Built-in | 9/26 features · 0/22 actions
Customer Success | Works the inbox and contacts; can edit but never delete. | Custom | 6/26 features · 8/22 actions

Built-in roles cannot be edited or deleted, but you can Clone any role to start a new custom one with its permissions already filled in.

The Roles page. Toggle between Workspace and Brand roles; built-ins are locked, custom roles you create sit alongside them.

The page has a few moving parts:

  • Workspace roles / Brand roles toggle — switches which layer you’re looking at. A role belongs to one layer or the other; the two lists never mix.
  • The Access column — a quick read of how much each role grants, as features · actions. A workspace has 26 features (every Settings tab counts as one) and 22 actions across them, so a full Admin reads 26/26 features · 22/22 actions.
  • Clone — on every row, including built-ins. This is the fast way to make a custom role: duplicate one that’s close, then adjust.
  • Edit and Delete — greyed out on built-in rows (they read “Built-in roles cannot be edited”), active on your own custom roles.

Reading the permission editor

Open any custom role (or clone a built-in) and you get the permission editor — the full feature list with the access/actions model from the first section made concrete. Here’s a workspace role mid-edit:

Feature | Description | Summary
Inbox | Conversations across channels | All actions
Contacts | CRM contact records and folders | 2/3 actions (expanded: Create Contact, Edit Contact, Delete Contact)
Leads | Lead records and preset filters | 0/3 actions
Workflows | Automations and triggers | No access
Settings | Open settings page (required for logout) | Enabled
Settings/Audit Log | Activity history and audit trail | Enabled
Settings/Pipelines | Lead pipeline stages | No access

The permission editor. Each row is a feature; the checkbox is access; expand a row to reveal its actions. The summary on the right tells you the state at a glance.

Reading it top to bottom:

  • Inbox is on with All actions — it has a single action (send messages), so it’s either full or nothing.
  • Contacts is expanded. Allow all actions is off and we’ve hand-picked Create and Edit but not Delete — so the summary reads 2/3 actions.
  • Leads is on with 0/3 actions — accessible but read-only. They can browse leads, not change them.
  • Workflows is off — No access. The whole section disappears for this role.
  • Settings carries a padlock — it’s always on and can’t be switched off (it’s required to reach things like logout). Its individual tabs — Audit Log, Pipelines, and the rest — nest underneath and are each granted on their own.
Features without actions just say “Enabled”
A handful of features have no actions of their own — the Settings tabs, and Analytics. For those, access is the whole story, so the summary reads Enabled or No access rather than a count.
Bulk Actions is a separate gate — mind the overlap
A few actions exist in two features at once, and the two don’t check each other. Deleting contacts is the one to watch: Contacts has Delete Contact, while Bulk Actions has its own Perform Bulk Action Delete Contact. Turn delete off under Contacts but leave it on under Bulk Actions, and that person still can’t delete a contact from its row — yet they can select many and delete them in one bulk run. So when you withhold a destructive action, switch it off in both features, or you’ve left a side door open. The same overlap covers bulk field-updates and bulk messaging.
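
The overlap check, written out as code. This is an added example, not Exabloom's own code or an export format: the role dictionary, the function names and the sample role are assumptions, and only the Delete Contact pair named above is mapped.

```python
# Hypothetical role layout (not an Exabloom export): feature -> access + actions.
# Per-record action -> the Bulk Actions entry that performs the same operation.
# Only the pair this guide names is mapped; add others from your own editor.
OVERLAPS = {
    ("Contacts", "Delete Contact"):
        ("Bulk Actions", "Perform Bulk Action Delete Contact"),
}

def summary(feature):
    """The editor's right-hand summary for one feature row."""
    if not feature["access"]:
        return "No access"
    actions = feature["actions"]
    if not actions:  # features with no actions of their own
        return "Enabled"
    granted = sum(actions.values())
    if granted == len(actions):
        return "All actions"
    return f"{granted}/{len(actions)} actions"

def allowed(role, feature_name, action):
    """An action counts only when the feature's access gate is on as well."""
    feature = role.get(feature_name, {"access": False, "actions": {}})
    return feature["access"] and feature["actions"].get(action, False)

def side_doors(role):
    """Actions withheld per record but still granted under Bulk Actions."""
    return [(feat, act, bulk_act)
            for (feat, act), (bulk_feat, bulk_act) in OVERLAPS.items()
            if not allowed(role, feat, act) and allowed(role, bulk_feat, bulk_act)]

# Constructed sample: "can edit but never delete", bulk delete left ticked.
ROLE = {
    "Contacts": {"access": True, "actions": {
        "Create Contact": True, "Edit Contact": True, "Delete Contact": False}},
    "Workflows": {"access": False, "actions": {}},
    "Settings/Audit Log": {"access": True, "actions": {}},
    "Bulk Actions": {"access": True, "actions": {
        "Perform Bulk Action Delete Contact": True}},
}

if __name__ == "__main__":
    for name, feature in ROLE.items():
        print(f"{name}: {summary(feature)}")
    for feat, act, bulk_act in side_doors(ROLE):
        print(f"SIDE DOOR: {feat} / {act} is off, but Bulk Actions / {bulk_act} is on")
```

Running the same check over every custom role after an edit catches a role whose per-record delete is withheld while its bulk counterpart is still ticked.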

Create a custom role

When no built-in fits, build your own. Two ways in, both from the Roles page:

  • Clone a role — the icon on any row instantly duplicates it, permissions and all. Best when an existing role is almost right.
  • Create role — the button top-right opens a short dialog to name the role and choose a starting point. Best when you want to start clean.

Create role

  • Scope: Workspace role. Applies to a user within a single workspace.
  • Start from template: Agent (Built-in). Templates pre-fill the permission matrix. You can edit everything after creating the role.
  • Role name: e.g. Customer Success
  • Description: What does this role do?
  • Recommended contact visibility: Assigned + unassigned. Auto-fills the visibility field when this role is assigned. Admins can still override per user.

The Create role dialog. It sets the role up; you fine-tune the actual permissions in the editor afterwards.

The fields, in order:

  1. Scope: Workspace role or Brand role. This is fixed once created — a role can’t move between layers later, so pick the right one.
  2. Start from template: Blank — no permissions, or any existing role to copy its matrix as a starting point. Either way you edit it after.
  3. Role name and Description — what teammates will see in the role dropdown. A clear description saves you re-reading the matrix later.
  4. Recommended contact visibility (Workspace roles only) — a default that auto-fills when the role is assigned. It’s only a suggestion; see the next section.

Hit Create role and it joins the list. Open it to tune the permission editor exactly as you want — then it’s ready to assign from the user drawer like any built-in.

What a role doesn’t control

A role decides what features and actions a person gets. It deliberately stops there. Two important things are set per person, not by the role — both when you invite or edit someone:

  • Contact visibility — whose contacts they see (All, Assigned + unassigned, or Assigned only). A role can recommend a default, but the real setting lives on the person and an admin can override it.
  • Pipeline access — which pipelines in a workspace they can work. Also per person, not baked into the role.
Two people, same role, different reach
Because visibility and pipelines ride on the person, two teammates on the exact same role can still see different contacts. If a rep should only see their own customers, set Assigned only on them — choosing a “smaller” role won’t do it. Invite your team & manage roles covers those per-person dials in full.

Roles to copy

Four custom roles worth building. Each starts by cloning a built-in, then changing just a dial or two.

1 · Editor, never deleter

A rep you trust to create and edit, but who should never delete a contact or lead. The classic reason to leave the built-ins behind.

Workspace · Clone: Admin · Keep Create + Edit · Untick all Delete
2 · Inbox-only agent

A frontline messenger who lives in the Inbox and nothing else — no contacts, leads, or workflows cluttering their view.

Workspace · Start blank · Inbox: on · Everything else: off
3 · Reporting viewer

A manager or stakeholder who should read analytics and leads but touch nothing. Like Viewer, but trimmed to just what they review.

Workspace · Clone: Viewer · Analytics + Leads: read · Untick the rest
4 · Brand ops, no user control

A Brand-level operator who manages knowledge, exports and links across the account, but shouldn’t add or remove people.

Brand · Clone: Admin · Keep Brand features · User Management: off

Good to know & pitfalls

  • Access on, zero actions is read-only — not locked. To hide a feature, untick the feature itself. Leaving it on with no actions still lets people open and browse it.
  • Bulk Actions can bypass a feature’s own limits. Bulk delete, update and message are gated separately from the per-record actions — so withhold a destructive action in both the feature (Contacts, Leads) and Bulk Actions, not just one.
  • Built-ins can’t be edited — clone them. Admin, Agent, Viewer, Owner and Member are fixed. To tweak one, Clone it into a custom role and edit the copy.
  • Scope is permanent. A role is a Workspace role or a Brand role for life. If you pick wrong, recreate it under the right scope — there’s no move.
  • Owner’s special powers aren’t in the matrix. Changing Brand roles and the last-Owner safeguard are built in, so a custom role cloned from Owner won’t inherit them.
  • A role doesn’t set visibility or pipelines. Those are per-person. The role’s “recommended visibility” only pre-fills the field; admins still set it on each teammate.
  • Settings can’t be switched off. The Settings umbrella is always on so people can reach essentials like logout — but you control each Settings tab underneath it individually.
  • Check who’s on a role before deleting it. Removing a custom role affects everyone currently assigned to it, so reassign them to another role first.
