
Roles & Permissions

Configure team access levels, create custom roles, and understand how XeroFlow enforces permissions across the platform.

10 min read

At a glance: 15 built-in roles, 15+ permission areas, 3-layer enforcement, instant role changes.

Understanding Roles

XeroFlow has 15 built-in roles that range from owner with full platform control down to guest with read-only access to specific boards. Each role determines what a user can see and do across the entire platform — sidebar visibility, page access, and API-level permissions.

The hierarchy runs: owner → admin → manager → department heads (finance, creative, media) → team leads → members → viewers → guests. Higher roles inherit all permissions from the levels below them, so an admin can do everything a manager can, plus admin-specific actions such as managing users and configuring integrations.

Custom Roles

Create custom roles when the built-in ones don't match your organisation's structure. Navigate to Admin → Permissions to see the full role matrix. Custom roles inherit a base permission level and let you toggle specific areas on or off, giving you fine-grained control without starting from scratch.

Common examples include a "Junior Buyer" role that grants media access but blocks budget editing, or a "Freelancer" role that provides board access without any visibility into financials. Custom roles appear alongside built-in roles in the user management interface.

Permission Areas

XeroFlow defines over 15 permission areas that can be independently granted or restricted per role: finance, creative, media, clients, admin, boards, chat, time tracking, AI, reports, and more.

Finance permissions control access to invoices, expenses, P&L reports, and EOM processing. Creative permissions control briefs, banner studio, and ad tools. Each permission area maps to specific sidebar sections, page routes, and API endpoints — ensuring consistent enforcement regardless of how a user attempts to access a feature.

How Enforcement Works

Permissions are enforced at three distinct layers, creating a defence-in-depth model. Layer 1: Server middleware rejects unauthorised API calls before they reach your data. Layer 2: Route middleware redirects users away from pages they cannot access. Layer 3: Sidebar gating hides navigation items for restricted areas, so users never see links to pages they cannot reach. Only Layer 1 is a security boundary: a user who types a URL or calls the API directly (for example with curl) bypasses the sidebar and the page redirect entirely, so the server-side check is the one that must be correct. Layers 2 and 3 exist to keep the interface coherent, not to stop a determined user.
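The following is an added example, not XeroFlow's own code: a small model of the role hierarchy, permission areas, custom roles (base role plus areas toggled on or off) and the three enforcement layers described on this page, written so it can be run on its own. The role names, the area each role grants, the URL prefixes, the sidebar entries and the webhook paths are all assumptions for illustration; XeroFlow's real role matrix is not reproduced here.

```javascript
// Added example (not XeroFlow's code). Role names, area grants, paths and
// the webhook prefixes below are assumptions for illustration only.

// Built-in roles: each lists the roles it inherits from and the areas it
// adds, so a higher role holds everything granted below it.
const BUILTIN = {
  guest:         { inherits: [],            grants: ["boards"] },
  viewer:        { inherits: ["guest"],     grants: ["reports"] },
  member:        { inherits: ["viewer"],    grants: ["chat", "time_tracking"] },
  team_lead:     { inherits: ["member"],    grants: ["ai"] },
  finance_head:  { inherits: ["team_lead"], grants: ["finance", "clients"] },
  creative_head: { inherits: ["team_lead"], grants: ["creative"] },
  media_head:    { inherits: ["team_lead"], grants: ["media"] },
  manager:       { inherits: ["finance_head", "creative_head", "media_head"], grants: [] },
  admin:         { inherits: ["manager"],   grants: ["admin"] },
  owner:         { inherits: ["admin"],     grants: [] }, // full control; nothing extra modelled
};

// Custom roles: a base built-in role plus areas toggled on (allow) or off (deny).
const CUSTOM = {
  junior_buyer: { base: "member", allow: ["media"], deny: ["finance"] },
  freelancer:   { base: "member", allow: [],        deny: ["finance", "reports", "clients"] },
};

// Resolve the full set of areas a role holds. `path` is the chain of roles
// already visited, so a definition that loops back on itself is rejected.
function resolveAreas(role, path = []) {
  if (path.includes(role)) throw new Error(`role cycle: ${[...path, role].join(" -> ")}`);
  const next = [...path, role];
  if (role in CUSTOM) {
    const { base, allow = [], deny = [] } = CUSTOM[role];
    const areas = resolveAreas(base, next);
    allow.forEach((a) => areas.add(a));
    deny.forEach((a) => areas.delete(a)); // deny wins over anything inherited from the base
    return areas;
  }
  if (!(role in BUILTIN)) throw new Error(`unknown role: ${role}`);
  const areas = new Set(BUILTIN[role].grants);
  for (const parent of BUILTIN[role].inherits) {
    resolveAreas(parent, next).forEach((a) => areas.add(a));
  }
  return areas;
}

function can(role, area) {
  return resolveAreas(role).has(area);
}

// One prefix-to-area mapping serves API routes, page routes and sidebar
// items alike, so the three layers cannot disagree about an area.
const PATH_AREAS = [
  ["/api/finance", "finance"], ["/finance", "finance"],
  ["/api/admin",   "admin"],   ["/admin",   "admin"],
  ["/api/media",   "media"],   ["/media",   "media"],
  ["/api/boards",  "boards"],  ["/boards",  "boards"],
];
// Assumed webhook paths. They are outside user RBAC and must be protected
// by the integration's own authentication, which this example does not model.
const RBAC_EXEMPT = ["/webhooks/xero", "/webhooks/meta"];

function areaForPath(path) {
  const hit = PATH_AREAS.find(([prefix]) => path === prefix || path.startsWith(prefix + "/"));
  return hit ? hit[1] : null;
}

// Layer 1: server middleware. This is the security boundary: a direct API
// call never sees the sidebar or the page redirect, only this check.
function apiMiddleware(req) {
  if (RBAC_EXEMPT.some((p) => req.path.startsWith(p))) return { status: 200, exempt: true };
  const area = areaForPath(req.path);
  if (area === null) return { status: 404 };
  if (!can(req.user.role, area)) return { status: 403, error: `role ${req.user.role} lacks ${area}` };
  return { status: 200, area }; // hand off to the real handler
}

// Layer 2: route middleware. A redirect is a convenience for humans, not a
// control: whoever skips it still has to get past Layer 1.
function routeMiddleware(req) {
  const area = areaForPath(req.path);
  if (area !== null && !can(req.user.role, area)) return { redirect: "/" };
  return { render: req.path };
}

// Layer 3: sidebar gating hides links the role cannot follow.
const SIDEBAR = [
  { label: "Boards", area: "boards" }, { label: "Media", area: "media" },
  { label: "Finance", area: "finance" }, { label: "Admin", area: "admin" },
];
function sidebarItems(role) {
  return SIDEBAR.filter((i) => can(role, i.area)).map((i) => i.label);
}

// Constructed requests: a Junior Buyer probing the finance API directly.
const buyer = { role: "junior_buyer" };
console.log(sidebarItems("junior_buyer"));                                   // [ 'Boards', 'Media' ]
console.log(apiMiddleware({ path: "/api/finance/invoices", user: buyer }));   // status 403
console.log(routeMiddleware({ path: "/finance/eom", user: buyer }));         // { redirect: '/' }
console.log(apiMiddleware({ path: "/webhooks/xero", user: null }).exempt);   // true
```

The point of the model is that `can()` is the single source of truth and every layer calls it; the sidebar and the redirect derive from the same answer the API middleware gives, so hiding a link never substitutes for the server-side check.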

Instant Enforcement

Changes take effect immediately, with no restart required. External webhooks (Xero, Meta) and internal workers are exempt from RBAC, so integrations continue working regardless of user-level permissions. Because the three RBAC layers do not apply to those endpoints, their access is governed by the integration's own authentication rather than by anyone's role, and a role change will neither grant nor revoke what they can do.

Managing Users

Navigate to Admin → Users to see all team members. From this page you can change roles, invite new users, and deactivate accounts. User cards display role badges and permission summaries so you can quickly audit who has access to what.

Bulk role changes are supported for team restructuring. Select multiple users and assign a new role in one operation. The system applies the change immediately across all three enforcement layers.

Best Practices

Start with built-in roles before creating custom ones. The 15 default roles cover the most common agency structures. Only create custom roles when you have a specific need that the defaults don't satisfy.

Apply the principle of least privilege — give users only the access they need. Review permissions quarterly to catch role drift. When rolling out a new custom role, create a test user first and verify access before assigning it to real team members.

Next Steps