Controlling who can see and do what in your Exoserva account is critical for security and operational efficiency. The Roles and Permissions system lets you assign granular access levels to every team member. This guide covers the built-in roles, how permissions work, and security settings to protect your account.
Estimated time: 8 minutes
Before You Begin
- An active Exoserva account with Owner or Admin role
- Understanding of your team structure and access requirements
Step 1: Navigate to Roles and Permissions
Click “Settings” in the left sidebar, then click the “Roles & Permissions” card (settings icon) under the Organization category. The Settings page uses a categorized sidebar navigation with four groups: Organization (blue accent), Operations (emerald accent), Personal (purple accent), and System (purple accent). You can also press the keyboard shortcut shown in the search field (displayed as a key badge) to quickly search for “Roles” and jump directly to this section.
The Roles & Permissions section opens with two tabs at the top: “Roles & Permissions” (the default, highlighted in the primary blue color) and “Approval Levels (R-Levels)” (for configuring financial approval tiers). The active tab button appears with a filled primary background, while the inactive tab shows grey text that highlights on hover. Below the tabs, a heading reads “Roles” with the subtext “Manage roles and their permissions,” and a “Create Role” button (plus icon) sits in the top-right corner.
Tip: Use the Settings search bar (keyboard shortcut shown as a key badge in the input) to quickly navigate to any settings section. Type “roles” or “permissions” and the matching section will be highlighted.
Step 2: Understand Built-In Roles
The Roles list displays all available roles as GlassCard items, each showing the role display name in white text, optional badges, a description, and a preview of assigned permissions. Built-in system roles display a blue “System” badge, and the default role shows a green “Default” badge. The predefined roles are: Owner (full access to all features), Admin (administrative access with full management capabilities), Manager (team and financial management), Dispatcher (scheduling and assignment operations), Property Manager (property management focus), Technician (field work only with limited access), and Viewer (read-only access to assigned data).
Each role card shows up to 5 permission tags as small grey rounded badges (e.g., “jobs:view,” “customers:edit,” “settings:manage”). If a role has more than 5 permissions, a “+N more” badge appears indicating the total count. System roles cannot be deleted (the delete button does not appear for them), but they can be edited to adjust their permission set. Click the pencil icon button on any role card to open the role editor.
Tip: Start with the built-in roles before creating custom ones. They cover the most common team structures in field service businesses and are maintained by Exoserva to include appropriate default permissions for new features.
Warning: System roles (marked with the blue “System” badge) are shared across all Exoserva accounts. While you can edit their permissions for your tenant, be cautious about removing core permissions that your team may rely on.
Step 3: Review the Permission Matrix
Click the pencil (edit) icon on any role card to open the role editor modal. The modal displays the role name, description, and a comprehensive permission matrix organized by category. The permission categories are: Jobs & Work Orders (job lifecycle operations), Properties (property management), Work Orders (work order specific operations), Team Management (user and staff operations), Settings (system configuration), Analytics & Reports (reporting and dashboards), Billing & Payments (invoicing and financial operations), Customers (customer record management), Inventory (parts and supplies), Scheduling (calendar and dispatch), and Communications (messaging and notifications).
Within each category, individual permissions are listed with their display name and description. Each permission follows the format “resource:action” (for example, “jobs:view,” “jobs:create,” “jobs:edit,” “jobs:delete”). Checkboxes next to each permission indicate whether the role includes that access. Toggle checkboxes to add or remove individual permissions from the role, then click “Save” to apply changes.
Tip: The permission categories correspond to the main navigation sections of Exoserva. If a team member reports they cannot access a feature, find the matching category in the permission matrix and verify the relevant permission is enabled for their role.
Warning: Be cautious when granting “delete” permissions. Deleted records (jobs, customers, properties) may not be recoverable. Consider giving Edit access without Delete for most roles, reserving Delete for Owner and Admin roles only.
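The check described in the tip and warning above can be scripted. This is an added example, not Exoserva code: the ROLES layout, the "Office Coordinator" permission set and the allowed character set in the pattern are assumptions, and the sample data is constructed.

```python
import re

# Constructed sample data: role name -> permission strings. The page does not
# show an export format, so this dict layout is an assumption.
ROLES = {
    "Owner": ["jobs:view", "jobs:edit", "jobs:delete", "settings:manage"],
    "Admin": ["jobs:view", "jobs:edit", "jobs:delete", "customers:delete"],
    "Dispatcher": ["jobs:view", "jobs:edit", "jobs:delete", "customers:edit"],
    "Technician": ["jobs:view", "jobs:edit"],
    "Office Coordinator": ["customers:edit", "customers:delete", "Jobs-View"],
}

PERMISSION_RE = re.compile(r"[a-z_]+:[a-z_]+")  # the "resource:action" format
DELETE_ALLOWED = {"Owner", "Admin"}             # roles the warning reserves Delete for


def parse_permission(perm):
    """Return (resource, action) or raise ValueError for a malformed string."""
    if not PERMISSION_RE.fullmatch(perm):
        raise ValueError(f"not in resource:action form: {perm!r}")
    resource, action = perm.split(":")
    return resource, action


def audit_roles(roles):
    """Flag malformed permissions and delete grants outside Owner/Admin."""
    findings = []
    for role in sorted(roles):
        for perm in roles[role]:
            try:
                _resource, action = parse_permission(perm)
            except ValueError:
                findings.append((role, perm, "malformed"))
                continue
            if action == "delete" and role not in DELETE_ALLOWED:
                findings.append((role, perm, "delete outside Owner/Admin"))
    return findings


if __name__ == "__main__":
    for role, perm, reason in audit_roles(ROLES):
        print(f"{role:20} {perm:18} {reason}")
```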
Step 4: Create a Custom Role
Click the “Create Role” button (plus icon) at the top of the Roles list. The role creation modal opens with fields for Role Name (text, required – the internal identifier), Display Name (text – the name shown in the UI), and Description (textarea – explains the role’s purpose). Below these fields, the full permission matrix appears with all categories and individual permissions, all unchecked by default.
Alternatively, scroll down to the “Quick Start Templates” section below the roles list. Templates are displayed as clickable GlassCard items in a responsive grid (1 column on mobile, up to 5 on extra-large screens). Available templates include: Viewer (read-only access), Field Technician (field work permissions), Office Staff (administrative and scheduling permissions), Operations Manager (team and operations management), and Full Administrator (complete access). Each template card shows its display name, a description, and a permission count (e.g., “24 permissions”). Click a template to open the role editor pre-populated with that template’s permissions, which you can then customize before saving.
Tip: Follow the principle of least privilege: start with a restrictive template like “Viewer” and add permissions incrementally. It is easier to grant additional access than to audit and revoke permissions that were too broad from the beginning.
Warning: Custom role names must be unique within your tenant. If you try to save a role with a name that already exists, you will see an error. Use descriptive names like “Senior Technician” or “Office Coordinator” that clearly communicate the role’s purpose.
Step 5: Configure Approval Levels (R-Levels)
Click the “Approval Levels (R-Levels)” tab at the top of the Roles & Permissions section. This system defines financial approval tiers that control who can approve jobs and expenditures up to certain dollar amounts. The R-Levels are displayed in two formats: a card view on mobile and a table view on desktop.
The desktop table has columns for: Level (displayed as a blue monospace badge like “R0,” “R1,” etc.), Name (the level’s descriptive name), Max Job Value (the maximum dollar amount this level can approve, shown in monospace font with currency formatting, or “Unlimited” for the highest level), Active (green checkmark if enabled, grey X if disabled), Approves Up To (which R-Level this level can approve, displayed as “R1,” “R2,” etc.), Overtime (overtime multiplier like “1.5x”), Permissions (count of assigned permissions), Order (sort priority), and Actions (edit button with pencil icon). Click the edit button on any R-Level row to open a modal where you can adjust its name, max job value, approval ceiling, overtime multiplier, and associated permissions.
Tip: Set R-Levels to match your company’s financial delegation policy. For example, R0 (Technician) might approve up to $500, R1 (Supervisor) up to $2,000, R2 (Manager) up to $10,000, and R3 (Owner) with no limit. This prevents unauthorized spending while keeping field operations moving.
Warning: Granting Owner-level access or unlimited R-Level approval to contractors or temporary staff creates a significant security risk. Use a scoped custom role with an appropriate R-Level for temporary team members, and set an access expiration date from their profile.
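The delegation policy in the tip and the temporary-staff warning above, worked through as an added example (not Exoserva code). The dollar limits are the tip's example figures; the Member record, its field names and the TEAM data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Max Job Value per level, from the tip's example figures; None = "Unlimited".
R_LEVELS = {"R0": 500, "R1": 2_000, "R2": 10_000, "R3": None}


def can_approve(level, job_value):
    """True if `level` may approve a job of `job_value` dollars; unknown levels are denied."""
    if level not in R_LEVELS or job_value < 0:
        return False
    limit = R_LEVELS[level]
    return limit is None or job_value <= limit


def lowest_level_for(job_value):
    """Lowest R-Level whose Max Job Value covers the job, or None."""
    for level in sorted(R_LEVELS, key=lambda name: int(name[1:])):
        if can_approve(level, job_value):
            return level
    return None


@dataclass
class Member:  # hypothetical record; field names are assumptions
    name: str
    role: str
    r_level: str
    temporary: bool
    access_expires: Optional[date] = None


def audit_temporary(members):
    """Flag the combinations the warning describes for temporary staff."""
    findings = []
    for m in members:
        if not m.temporary:
            continue
        if m.role == "Owner":
            findings.append((m.name, "Owner role"))
        if m.r_level in R_LEVELS and R_LEVELS[m.r_level] is None:
            findings.append((m.name, "unlimited R-Level"))
        if m.access_expires is None:
            findings.append((m.name, "no access expiration date"))
    return findings


TEAM = [  # constructed sample data
    Member("Dana", "Owner", "R3", temporary=False),
    Member("Lee", "Technician", "R0", temporary=True, access_expires=date(2030, 1, 31)),
    Member("Sam (contractor)", "Manager", "R3", temporary=True),
]
```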
Step 6: Access Security Settings
Navigate back to the Settings sidebar and click the “Security” card (lock icon) under the Organization category. The Security section provides account-wide security policies. The SecuritySettings component displays configuration options for: Session Timeout Duration (how long before inactive users are logged out), Password Complexity Requirements (minimum length, character requirements), and IP Allowlisting (restrict access to specific IP addresses for sensitive operations).
Each security setting displays its current value or status with a toggle or configuration control. Changes to security settings take effect immediately for new sessions – existing sessions continue under the old policy until they expire or the user logs out. The Security section is only visible to users with Owner or Admin roles, as indicated by the adminOnly: true flag in the settings configuration.
Tip: Conduct quarterly permission audits by reviewing each team member’s role and R-Level assignments. Look for team members who have changed responsibilities but still carry their old permissions, and update their roles accordingly. The Audit Log section (accessible from Settings) provides a history of all permission changes.
Step 7: Configure Two-Factor Authentication
In the Security settings, locate the Two-Factor Authentication (2FA) configuration section. You can set 2FA to one of three modes: Disabled (no 2FA required), Optional (users can choose to enable 2FA from their profile), or Required (all users must set up 2FA on their next login). Supported 2FA methods include authenticator apps (like Google Authenticator or Authy) that generate time-based one-time passwords (TOTP) and email verification codes sent to the user’s registered email address.
When 2FA is set to “Required,” users who have not yet configured it will be prompted to do so at their next login. The setup flow guides them through scanning a QR code with their authenticator app and confirming with a verification code. SSO (Single Sign-On) integration is available on higher-tier plans, allowing your team to authenticate through your company’s identity provider (such as Google Workspace, Okta, or Azure AD) without a separate Exoserva password.
Tip: At minimum, require 2FA for Owner and Admin roles. These accounts have the highest level of access and are the most valuable targets for unauthorized access. Even if you leave 2FA optional for other roles, strongly encourage your entire team to enable it.
Warning: Switching 2FA from “Optional” to “Required” will immediately lock out any team member who has not configured their 2FA method. Coordinate with your team before making this change, and provide a grace period by announcing the change at least a week in advance.
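A pre-change check for the 2FA mode switch described above, as an added example that is not Exoserva code. The MEMBERS records and their field names are constructed assumptions; the one-week notice comes from the warning.

```python
from datetime import date, timedelta

MODES = ("Disabled", "Optional", "Required")  # the three modes described above
PRIVILEGED = {"Owner", "Admin"}               # roles the tip says need 2FA at minimum
MIN_NOTICE = timedelta(days=7)                # "at least a week in advance"

MEMBERS = [  # constructed sample data; field names are assumptions
    {"email": "tech1@example.com", "role": "Technician", "two_factor": None},
    {"email": "owner@example.com", "role": "Owner", "two_factor": "totp"},
    {"email": "admin@example.com", "role": "Admin", "two_factor": None},
    {"email": "dispatch@example.com", "role": "Dispatcher", "two_factor": "email"},
]


def plan_2fa_change(members, new_mode, announced_on, switch_on):
    """Summarise who is affected by moving the account to `new_mode`."""
    if new_mode not in MODES:
        raise ValueError(f"unknown 2FA mode: {new_mode!r}")
    # Members with no method configured, Owner/Admin first, then by e-mail.
    missing = sorted(
        (m for m in members if not m["two_factor"]),
        key=lambda m: (m["role"] not in PRIVILEGED, m["email"]),
    )
    plan = {
        "privileged_without_2fa": [m["email"] for m in missing if m["role"] in PRIVILEGED],
        "must_enroll_before_switch": [],
        "notice_ok": True,
    }
    if new_mode == "Required":
        # Everyone without a method is affected by the switch to Required.
        plan["must_enroll_before_switch"] = [m["email"] for m in missing]
        plan["notice_ok"] = switch_on - announced_on >= MIN_NOTICE
    return plan


if __name__ == "__main__":
    print(plan_2fa_change(MEMBERS, "Required", date(2030, 3, 1), date(2030, 3, 5)))
```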
Need help? Post in the Tech Support category or contact support@exoserva.com.


