Roles & Permissions
ACOS uses a nine-role permission system built on atomic permissions. Each role grants a precise set of capabilities — from contractors who can only log their own time, to owners who have full access including billing.
The Nine Roles
Founder, director, or subscription account holder
Complete access including billing, subscription management, and plan changes. Exactly one per organization.
Operations manager, senior director
Full operational access: all modules, org settings, team management, financial dashboard. No billing access.
Project managers, delivery leads
Full project and task ownership. Can view team time, manage resources, create invoices. Limited CRM access.
Account managers, client leads
Full CRM access: deals, contacts, proposals, pipeline. Can create projects and invoices. No org-wide finance dashboard.
Finance leads, bookkeepers, ops
All invoicing, expenses, retainers, and financial dashboard. Read-only on projects. No CRM or team management.
Sales reps, BDRs
Full CRM access: deals, contacts, proposals. Cannot create projects, invoices, or access financial data.
Senior engineers, tech leads
Can view all projects and team time. Can manage tasks and log time. No CRM or finance access.
Developers, designers, writers
Log own time, complete assigned tasks, see assigned projects. No access to financial or CRM data.
Freelancers, external contributors
Log own time only. Can view own time entries. No project visibility beyond what is explicitly shared.
There is exactly one Owner per organization. The Owner role cannot be assigned through the settings UI — contact support to transfer ownership.
Collaborator Seat (Free plan)
On the Free plan, one team member can be designated as a Collaborator. A collaborator is not a separate role — it is a flag on any role that restricts access to three permissions only: log own time, view own time, and receive notifications.
Collaborator seats do not count against your paid seat quota. They are intended for occasional contributors (e.g., a part-time contractor or junior hire) who only need to log time on assigned work.
Paid plans (Starter and above) do not use collaborator seats — all team members get full role access with no restrictions.
Permission Matrix
CRM
| Action | Contractor | Member | Team Lead | Sales | Finance Mgr | Account Mgr | Project Mgr | Admin | Owner |
|---|---|---|---|---|---|---|---|---|---|
| View contacts & deals | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Create/edit contacts | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/delete deals | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Create/send proposals | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Manage pipeline stages | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
Projects & Tasks
| Action | Contractor | Member | Team Lead | Sales | Finance Mgr | Account Mgr | Project Mgr | Admin | Owner |
|---|---|---|---|---|---|---|---|---|---|
| View all projects | ✗ | ✗ | ✓ | ✗ | ✓ (read) | ✓ | ✓ | ✓ | ✓ |
| Create/edit projects | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Delete projects | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| View assigned project | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/complete tasks | ✗ | ✓ (assigned) | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Delete tasks | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| Add task comments | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
Time Tracking
| Action | Contractor | Member | Team Lead | Sales | Finance Mgr | Account Mgr | Project Mgr | Admin | Owner |
|---|---|---|---|---|---|---|---|---|---|
| Log own time | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| View own time entries | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| View team time (project-scoped) | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| View all org time entries | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
| Edit historical entries | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
Finance & Invoicing
| Action | Contractor | Member | Team Lead | Sales | Finance Mgr | Account Mgr | Project Mgr | Admin | Owner |
|---|---|---|---|---|---|---|---|---|---|
| View invoice list | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/send invoices | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Mark invoice paid | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View/create retainers | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View/create expenses | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Org-wide finance dashboard | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
Reporting & Insights
| Action | Contractor | Member | Team Lead | Sales | Finance Mgr | Account Mgr | Project Mgr | Admin | Owner |
|---|---|---|---|---|---|---|---|---|---|
| Project profitability report | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Revenue report | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
| Pipeline forecast | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Smart alerts & AI queries | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
Settings & Organization
| Action | Contractor | Member | Team Lead | Sales | Finance Mgr | Account Mgr | Project Mgr | Admin | Owner |
|---|---|---|---|---|---|---|---|---|---|
| Edit own profile | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View team member list | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Invite / deactivate members | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Change member roles | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Edit org name / logo / timezone | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| View billing & subscription | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Upgrade / downgrade plan | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
Permission Enforcement
Permissions are enforced at the API level — not just in the UI. Every endpoint checks the authenticated user's role against the required permission atom before executing any query. A team member cannot access restricted data even by making direct API calls.
The UI additionally hides inaccessible actions (buttons, tabs, nav items) for a cleaner experience, but the API layer is authoritative.
Org scoping
Every API query is scoped to the authenticated user's organization_id. It is technically impossible for a user to access another organization's data — every database query includes WHERE organization_id = {user.organization_id}.
Choosing the Right Role
Quick guide
- Developers and designers who only log time → Member (or Contractor if external)
- Tech leads who need to see the full project and team utilization → Team Lead
- People who own client relationships and deals → Account Manager
- People who own project delivery end-to-end → Project Manager
- SDRs and BDRs focused on pipeline → Sales
- Finance / ops roles managing invoices and reporting → Finance Manager
- Anyone who configures the workspace and manages team access → Admin
- The founder or subscription account holder → Owner (one only)
Limit the number of Admin users. Every Admin has near-complete operational access and can see all financial data. A typical 20-person agency needs 2–3 Admins at most.
FAQ
Can I have more than one Owner?
No. There is exactly one Owner per organization. If you need multiple people with near-Owner access, use the Admin role — they get everything except billing management.
A team member can't see a project they should have access to.
Members and Contractors can only see projects they are explicitly added to. Go to the project → Settings → Team and add them. For Team Leads and above, check their assigned role in Settings → Team.
Can I create custom roles?
Custom roles are not currently supported. The nine standard roles cover the organizational structures of service companies. Contact support if you have a specific use case that doesn't fit.
How do I change a team member's role?
Go to Settings → Team. Click the role badge next to the team member's name and select the correct role. The change takes effect immediately — the member may need to refresh their browser.
Do deactivated accounts count against my seat limit?
No. Deactivated users are not counted against your seat limit. Only active users count.
What is a collaborator seat?
A collaborator is a special Free-plan seat restricted to time logging and notifications only. Paid plans do not use collaborator seats — all members get their full role access.