Roles & permissions
Every member of a team has a role. Roles are fixed: OWNER, ADMIN, MEMBER. They control who can manage billing, invite teammates, change settings, and trigger destructive actions.
The matrix
Section titled “The matrix”| Action | OWNER | ADMIN | MEMBER |
|---|---|---|---|
| Use Track / Invoices | ✅ | ✅ | ✅ |
| Invite a member | ✅ | ✅ | ❌ |
| Cancel a pending invite | ✅ | ✅ | ❌ |
| Remove a MEMBER or ADMIN | ✅ | ✅ | ❌ |
| Remove an OWNER | ✅ | ❌ | ❌ |
| Promote MEMBER → ADMIN | ✅ | ✅ | ❌ |
| Promote → OWNER | ✅ | ❌ | ❌ |
| Demote OWNER → ADMIN | ✅ (not last OWNER) | ❌ | ❌ |
| Manage billing & seats | ✅ | ✅ | ❌ |
| Cancel subscription | ✅ | ✅ | ❌ |
| Edit team settings (name, currency, address, bank) | ✅ | ❌ | ❌ |
| Create / revoke API keys | ✅ | ✅ | ❌ |
| Leave the team | ✅ (not last OWNER) | ✅ | ✅ |
| Delete the team | ✅ | ❌ | ❌ |
A few things this matrix is enforcing:
- A team always has ≥ 1 OWNER. The platform refuses to demote the last OWNER or let them leave.
- You can’t change your own role. Ask a teammate.
- ADMINs can’t touch OWNERs. They can manage day-to-day operations but not the people who own the team.
Picking a role to invite at
Section titled “Picking a role to invite at”When you send an invite, you pick the recipient’s role. A few defaults that work well:
- MEMBER — most teammates. They can use the apps, log time, send invoices, but not change billing or kick people out.
- ADMIN — your bookkeeper or operations lead. Same powers as you minus deleting the team and minus modifying OWNERs.
- OWNER — co-founders, business partners. Hand this out sparingly.
You can always change someone’s role later from the Members page.
Changing someone’s role
Section titled “Changing someone’s role”- Open Members in the header.
- Click the edit (pencil) icon on their row.
- Pick a new role and click Update Role.
If a role is grayed out in the dropdown, your own role doesn’t permit that change — see the matrix above.
The change is effective immediately on the server. The affected teammate sees their new permissions next time they reload.
Reading what a role grants
Section titled “Reading what a role grants”Need a one-liner explanation for somebody?
- OWNER: “Can do anything in this team, including delete it.”
- ADMIN: “Runs day-to-day for the team — billing, members, integrations — but can’t delete the team or touch other OWNERs.”
- MEMBER: “Uses the apps. Doesn’t see billing or member admin.”