Roles and permissions

5 min read · Updated 3 Jun 2026

WBSync ships nine built-in roles for the trades — from Owner down to Operative — and a custom role editor that lets you compose your own from 25 granular permissions and scope them to a single project. Every change is audited.

The nine built-in roles

Pick the closest role when you invite someone; refine later. Each is a curated set of permissions, not a label.

  • Owner — everything, including billing. There's always exactly one ultimate owner.
  • Admin — everything except managing billing and deleting the company.
  • Project Manager — run projects end-to-end: log and approve hours, edit the WBS and budgets, manage the team, see rates and commercial data.
  • Project Planner — build and import the WBS, edit budgets, see rates — no approvals.
  • Engineer — log own hours, view and edit the WBS structure.
  • Commercial / QS — rates, commercial data, budgets and claims, without touching labour approvals.
  • Supervisor & Foreman — the on-site pair: log hours for the crew, approve them, manage operatives.
  • Operative — log their own hours, see their own dashboard. Nothing else.
25 permissions view rates · approve edit WBS · manage team tick the ones you want + Scope whole company or one project = Your role "Senior QS", "Site lead"…

Build a custom role

1
Open Settings → Roles → New role

Owners and Admins only. Start from scratch, or clone a built-in role and tweak it — cloning copies its whole permission set as a starting point.

2
Tick the permissions

The 25 permissions are grouped into eight areas — viewing, labour, WBS, team, roles, projects, company and claims. Examples: View €/hr rates & cost metrics, Approve / reject labour entries, Edit WBS budgets, Import / export WBS.

3
Save, then assign it

Assign the role to a person from the directory. You can scope an assignment to a single project — a "Senior QS on Plot 17 only" — and even set it to expire on a date for short-term cover.

Sensitive permissions are protected. Five permissions — changing other people's roles, building custom roles, deleting projects, deleting the company, and managing billing — are flagged sensitive. They can't be added to a tenant-built custom role, so a custom role can never quietly escalate itself to billing or company-deletion rights.

How WBSync decides what you can do

Your effective permissions are the union of your base role and every active role assignment you hold. A project-scoped assignment only counts when you're looking at that project, so the same person can be a Foreman company-wide and a stand-in PM on one job. Owners and Admins short-circuit to "everything".

Custom roles are available on every tier — there's no paywall on getting your access model right. Every create, edit and assignment is written to a dedicated role-change audit log.

What next?

Going further on access control? Wire up your identity provider: Single Sign-On →

Frequently asked

Do custom roles cost extra?

No. The custom role editor is available on every tier, including the trial. There's no paywall on setting up your access model properly.

Can someone build a role that gives them billing access?

No. Five permissions are flagged sensitive — including managing billing and deleting the company — and they can't be added to a tenant-built custom role. Only an Owner can grant those, through the built-in roles.

Can a person have different access on different projects?

Yes. Role assignments can be scoped to a single project, so the same person can be, say, a Foreman company-wide and a stand-in PM on one job. Effective access is the union of all their active assignments.

Can I give someone access just for a few weeks?

Yes — a role assignment can carry an expiry date, after which it automatically stops applying. Handy for short-term cover or contractors.

Related

Sign up and start your 30-day trial
Getting started · 3 min
The audit log: who changed what
Team & access · 3 min
Single Sign-On — overview
Single Sign-On · 3 min