How permissions work
Every role is built from a list of features — Inbox, Contacts, Leads, Workflows, and so on — and for each feature you set two things, in this order:
- Access — the checkbox next to the feature. It answers one question: can this person open this section at all? Off means the feature is invisible to them.
- Actions — the things you can do inside a feature, like Create Contact, Edit Contact, Delete Contact. These only matter once access is on.
That two-step is the whole model. The same feature can sit at four different levels depending on how you set the dials:
They can’t open this section at all.
They can open it and look, but change nothing.
They can do the actions you tick — here, create and edit but not delete.
Access plus every action in the feature.
The built-in roles
Exabloom ships with a fixed set of built-in roles you can’t edit or delete. There are two families, because there are two layers of access — your account-wide Brand and the Workspaces inside it.
Workspace roles
What someone can do inside a single workspace. New invites default to Agent.
Every feature, every action, plus the workspace’s own settings, tabs and members. The full set — 26/26 features · 22/22 actions.
The everyday rep. Full Inbox (can send), read-only on contacts, leads, calendar and workflows — so they can run a workflow but not edit it. No settings.
Look but don’t touch. Read-only across every feature, no actions anywhere — handy for an auditor or stakeholder.
Brand roles
Account-wide powers — managing users, roles, workspaces and Brand-level features. One per person.
Full account-wide access. Every Brand keeps at least one Owner, and only Owners can change someone’s Brand role.
Runs the account day-to-day: users, roles, workspaces and every Brand-level feature. The same feature access as Owner — see the note below.
No Brand-level powers at all (0/6 features). A Member only has the Workspace access you grant them — the default for most reps.
Where roles live
Roles are managed in one place: the Roles page in your Brand admin area. Open the switcher in the top-left, choose Admin Dashboard, and find Roles in the sidebar.
Control what people can see and do across your brand and its workspaces.
Built-in roles cannot be edited or deleted, but you can Clone any role to start a new custom one with its permissions already filled in.
The page has a few moving parts:
- Workspace roles / Brand roles toggle — switches which layer you’re looking at. A role belongs to one layer or the other; the two lists never mix.
- The Access column — a quick read of how much each role grants, as features · actions. A workspace has 26 features (every Settings tab counts as one) and 22 actions across them, so a full Admin reads 26/26 features · 22/22 actions.
- Clone — on every row, including built-ins. This is the fast way to make a custom role: duplicate one that’s close, then adjust.
- Edit and Delete — greyed out on built-in rows (they read “Built-in roles cannot be edited”), active on your own custom roles.
Reading the permission editor
Open any custom role (or clone a built-in) and you get the permission editor — the full feature list with the access/actions model from the first section made concrete. Here’s a workspace role mid-edit:
Conversations across channels
CRM contact records and folders
Lead records and preset filters
Automations and triggers
Open settings page (required for logout)
Activity history and audit trail
Lead pipeline stages
Reading it top to bottom:
- Inbox is on with All actions — it has a single action (send messages), so it’s either full or nothing.
- Contacts is expanded. Allow all actions is off and we’ve hand- picked Create and Edit but not Delete — so the summary reads 2/3 actions.
- Leads is on with 0/3 actions — accessible but read-only. They can browse leads, not change them.
- Workflows is off — No access. The whole section disappears for this role.
- Settings carries a padlock — it’s always on and can’t be switched off (it’s required to reach things like logout). Its individual tabs — Audit Log, Pipelines, and the rest — nest underneath and are each granted on their own.
Create a custom role
When no built-in fits, build your own. Two ways in, both from the Roles page:
- Clone a role — the icon on any row instantly duplicates it, permissions and all. Best when an existing role is almost right.
- Create role — the button top-right opens a short dialog to name the role and choose a starting point. Best when you want to start clean.
Applies to a user within a single workspace.
Templates pre-fill the permission matrix. You can edit everything after creating the role.
Auto-fills the visibility field when this role is assigned. Admins can still override per user.
The fields, in order:
- 1Scope — Workspace role or Brand role. This is fixed once created — a role can’t move between layers later, so pick the right one.
- 2Start from template — Blank — no permissions, or any existing role to copy its matrix as a starting point. Either way you edit it after.
- 3Role name and Description — what teammates will see in the role dropdown. A clear description saves you re-reading the matrix later.
- 4Recommended contact visibility (Workspace roles only) — a default that auto-fills when the role is assigned. It’s only a suggestion; see the next section.
Hit Create role and it joins the list. Open it to tune the permission editor exactly as you want — then it’s ready to assign from the user drawer like any built-in.
What a role doesn’t control
A role decides what features and actions a person gets. It deliberately stops there. Two important things are set per person, not by the role — both when you invite or edit someone:
- Contact visibility — whose contacts they see (All, Assigned + unassigned, or Assigned only). A role can recommend a default, but the real setting lives on the person and an admin can override it.
- Pipeline access — which pipelines in a workspace they can work. Also per person, not baked into the role.
Roles to copy
Four custom roles worth building. Each starts by cloning a built-in, then changing just a dial or two.
A rep you trust to create and edit, but who should never delete a contact or lead. The classic reason to leave the built-ins behind.
A frontline messenger who lives in the Inbox and nothing else — no contacts, leads, or workflows cluttering their view.
A manager or stakeholder who should read analytics and leads but touch nothing. Like Viewer, but trimmed to just what they review.
A Brand-level operator who manages knowledge, exports and links across the account, but shouldn’t add or remove people.
Good to know & pitfalls
- Access on, zero actions is read-only — not locked. To hide a feature, untick the feature itself. Leaving it on with no actions still lets people open and browse it.
- Bulk Actions can bypass a feature’s own limits. Bulk delete, update and message are gated separately from the per-record actions — so withhold a destructive action in both the feature (Contacts, Leads) and Bulk Actions, not just one.
- Built-ins can’t be edited — clone them. Admin, Agent, Viewer, Owner and Member are fixed. To tweak one, Clone it into a custom role and edit the copy.
- Scope is permanent. A role is a Workspace role or a Brand role for life. If you pick wrong, recreate it under the right scope — there’s no move.
- Owner’s special powers aren’t in the matrix. Changing Brand roles and the last-Owner safeguard are built in, so a custom role cloned from Owner won’t inherit them.
- A role doesn’t set visibility or pipelines. Those are per-person. The role’s “recommended visibility” only pre-fills the field; admins still set it on each teammate.
- Settings can’t be switched off. The Settings umbrella is always on so people can reach essentials like logout — but you control each Settings tab underneath it individually.
- Check who’s on a role before deleting it. Removing a custom role affects everyone currently assigned to it, so reassign them to another role first.
Need a hand?
Our Singapore-based team is one message away — happy to help you get set up.