Module Permissions
Control role-based access to module records and actions
Module Permissions
The Permissions tab displays a matrix showing which roles have access to perform actions on records in this module. Use this to understand and configure who can view, create, edit, and delete records.
What are Module Permissions?
Module permissions control what users can do with records based on their role. Each permission combines:
- A module (e.g., Contacts, Deals)
- An action (e.g., view, create, edit, delete)
- A role (e.g., Admin, Sales Rep, Viewer)
This creates fine-grained access control so you can, for example, allow Sales Reps to create and edit Deals but not delete them.
Accessing the Permissions Tab
- Go to Settings > Modules
- Select your module
- Click the Permissions tab
The Permission Matrix
The matrix shows:
- Columns: Available roles in your workspace
- Rows: Actions that can be performed on records
- Cells: Toggle switches indicating whether the role has permission
Standard Actions
For modules with record support, these actions are available:
| Action | Description |
|---|---|
| View | Read record details |
| List | See records in list views |
| Create | Add new records |
| Edit | Modify existing records |
| Delete | Remove records |
Custom Actions
If the module has custom actions defined (see Actions tab), those actions also appear in the permission matrix with their configured labels.
Modifying Permissions
Toggle a Permission
- Find the intersection of the role (column) and action (row)
- Click the toggle switch
- Changes save automatically
Switch ON: Role can perform this action Switch OFF: Role cannot perform this action
Understanding Permission Inheritance
Some permissions may be inherited from:
- Super Admin role: Has all permissions by default
- Parent roles: If your workspace uses role hierarchies
Inherited permissions may appear differently (often as always-on or locked toggles).
Permission Levels
No Access
Role has no permissions for this module. Users with this role:
- Cannot see the module in navigation
- Cannot access any records
- Cannot perform any actions
View Only
Role can only view and list records. Users cannot:
- Create new records
- Edit existing records
- Delete records
Create & Edit
Role can view, list, create, and edit, but cannot delete. This is common for regular team members.
Full Access
Role has all permissions including delete. Typically reserved for administrators.
Common Permission Configurations
Sales Team Deals Access
| Role | View | List | Create | Edit | Delete |
|---|---|---|---|---|---|
| Sales Rep | ✓ | ✓ | ✓ | ✓ | ✗ |
| Sales Manager | ✓ | ✓ | ✓ | ✓ | ✓ |
| Viewer | ✓ | ✓ | ✗ | ✗ | ✗ |
Support Tickets Access
| Role | View | List | Create | Edit | Delete |
|---|---|---|---|---|---|
| Support Agent | ✓ | ✓ | ✓ | ✓ | ✗ |
| Customer | ✓ | ✓ | ✓ | ✗ | ✗ |
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
Sensitive Data Access
| Role | View | List | Create | Edit | Delete |
|---|---|---|---|---|---|
| HR Manager | ✓ | ✓ | ✓ | ✓ | ✓ |
| Department Head | ✓ | ✓ | ✗ | ✗ | ✗ |
| Employee | ✗ | ✗ | ✗ | ✗ | ✗ |
Field-Level Privacy
In addition to module-level permissions, each field has a Privacy setting that controls visibility:
| Level | Description |
|---|---|
| Account | All workspace members can see this field |
| Role | Only specified roles can see this field |
| Private | Only record owner/creator can see this field |
Field privacy is configured in the Fields tab, not the Permissions tab.
Record-Level Visibility
Beyond permissions, records themselves can have visibility settings:
- Account: Visible to all workspace members
- Team: Visible only to specific teams
- Private: Visible only to the record owner
These work together with module permissions - users need both module access AND record visibility to see a record.
Special Roles
Super Admin
Super Admins have full access to all modules and records. Their permissions cannot be restricted at the module level.
Owner
The workspace Owner role typically has full access by default.
Builder
The Builder role can configure modules but may have restricted access to record data, depending on configuration.
Best Practices
Principle of Least Privilege
Start with minimal permissions and add more as needed:
- Begin with View/List only
- Add Create when users need to add records
- Add Edit when users need to modify records
- Add Delete only when absolutely necessary
Separate Duties
Use different roles for different responsibilities:
- Viewers for reporting access
- Editors for day-to-day work
- Managers for full control
- Admins for sensitive operations
Audit Regularly
Periodically review the permission matrix to ensure:
- Users have appropriate access
- Former employees' access is revoked
- New team members have correct permissions
Document Your Decisions
Add notes or documentation about why certain permissions are configured:
- Why can't Sales Reps delete Deals? (Data integrity)
- Why can Customers only create Tickets? (Self-service model)
Troubleshooting
"Permission denied" Errors
If a user sees this error:
- Check their role in the permission matrix
- Verify the action they're attempting is enabled
- Check record-level visibility settings
- Verify field-level privacy if accessing specific data
User Can't See a Module
The user's role needs at least View and List permissions for the module to appear in navigation.
Changes Not Taking Effect
Permission changes apply immediately, but users may need to refresh their browser to see updated access.
Related: Module Builder Guide | Sharing & Permissions