Define exactly what each role can see, create, edit, and delete across every module — not just the modules you've turned on today but the ones you'll add tomorrow. Roles are shared across the platform's single permission graph, so a Finance role that restricts invoicing access applies automatically when you toggle on a new accounting module, with no separate permission setup required.
No add-on tiers, no feature gates — this is what the module ships with, included in every plan.
Create as many custom roles as the organisation needs — department-level, project-level, or contractor-level — each with its own permission matrix across all active modules.
Permissions can be set per module and per action type — read, create, update, delete — so a support agent can close tickets but not access HR records or invoices.
When you toggle on a new module, existing role definitions apply as the permission baseline; you review and extend rather than configure from scratch.
Roles map directly to IdP groups via SSO so new team members arrive with the correct permissions on first login, without a manual provisioning step.
On Agency and Enterprise tiers, define tenant-level roles for the businesses you provision — each client workspace gets its own isolated permission set without cross-contamination.
Every role grant, revocation, or permission edit is written to the platform audit log with the acting user, timestamp, and before/after state.
Start free with VCard & Link-in-Bio. Turn on Custom roles & perms and the rest of the catalog from one flat plan — no per-seat fee, ever.