Roles & permissions for agencies
Agency ops · 4 min read
How to map owner, admin, member, and contractor roles to real agency jobs — and where Kliently's permission walls keep client lists, margins, and invoices out of the wrong hands.
The fastest way to leak a client list is to give everyone admin access "for now." Agencies grow in a hurry — a new designer here, a freelance developer there — and the permission model that felt fine at three people becomes a liability at twelve. The fix isn't a spreadsheet of who-can-see-what; it's a small, well-understood set of roles that map cleanly onto the jobs people actually do. This guide walks through Kliently's four roles, what each can and can't touch, and a simple rule for deciding which one to hand out.
The four roles, in plain terms
Kliently ships with exactly four roles, and resisting the urge to invent more is half the battle. Each is a deliberate trade between trust and reach.
Owner — the workspace's root account. Controls billing, plan changes, custom domain and white-label, and can delete the workspace. There's one owner by default, and you want it to be a principal, not a project lead.
Admin — runs day-to-day operations: invites people, sets rates, manages clients and projects, sends invoices. Everything an owner can do except touch billing and the most destructive settings.
Member — your core team. Members work across projects they're added to, track time, build proposals and contracts, and see the project-level numbers they need — but they don't manage the workspace itself.
Contractor — external help. Contractors see only their own projects and their own time. They never see client lists, other people's rates, margins, or invoices.
Where the permission walls actually sit
The contractor wall is the one that matters most for agencies, because it's the difference between safely subcontracting and accidentally handing a freelancer your entire book of business. In Kliently, that wall is enforced in the data layer with Postgres row-level security and workspace isolation — it isn't a hidden menu item that a determined user can URL-hack their way around.
Concretely, a contractor added to the "Acme rebrand" project can log time against it and see the deliverables they're responsible for. They cannot open your client directory, see what you bill Acme, view the project margin, or find the invoice you sent. That's true even if they go looking. Members sit one level up: they see the projects they're on and the rates relevant to their work, but workspace administration stays with admins and the owner.
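A sketch of how a wall like this can be expressed with Postgres row-level security. It is an added example, not Kliently's schema or code: every table, column, function and setting name is hypothetical, and leaving members off the invoice policy is an assumption.

```sql
-- Added sketch: every table, column, function and setting name is hypothetical.
CREATE TABLE memberships (
    workspace_id uuid, user_id uuid,
    role text NOT NULL CHECK (role IN ('owner','admin','member','contractor')),
    PRIMARY KEY (workspace_id, user_id));
CREATE TABLE project_members (
    project_id uuid, user_id uuid, PRIMARY KEY (project_id, user_id));
CREATE TABLE invoices (
    id uuid PRIMARY KEY, workspace_id uuid NOT NULL,
    project_id uuid NOT NULL, total_cents bigint NOT NULL);
CREATE TABLE time_entries (
    id uuid PRIMARY KEY, workspace_id uuid NOT NULL, project_id uuid NOT NULL,
    user_id uuid NOT NULL, minutes integer NOT NULL);

-- The application sets both values per transaction (SET LOCAL app.user_id = ...).
-- Unset or empty settings become NULL, so every policy below fails closed.
CREATE FUNCTION app_user() RETURNS uuid LANGUAGE sql STABLE AS
    $$ SELECT NULLIF(current_setting('app.user_id', true), '')::uuid $$;
CREATE FUNCTION app_workspace() RETURNS uuid LANGUAGE sql STABLE AS
    $$ SELECT NULLIF(current_setting('app.workspace_id', true), '')::uuid $$;
CREATE FUNCTION app_role() RETURNS text LANGUAGE sql STABLE AS
    $$ SELECT role FROM memberships
       WHERE workspace_id = app_workspace() AND user_id = app_user() $$;
CREATE FUNCTION on_project(p uuid) RETURNS boolean LANGUAGE sql STABLE AS
    $$ SELECT EXISTS (SELECT 1 FROM project_members pm
                      WHERE pm.project_id = p AND pm.user_id = app_user()) $$;

-- FORCE applies the policies to the table owner as well; superusers and
-- BYPASSRLS roles still skip them, so the application must not connect as one.
ALTER TABLE invoices     ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices     FORCE  ROW LEVEL SECURITY;
ALTER TABLE time_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE time_entries FORCE  ROW LEVEL SECURITY;

-- Invoices: no row is visible to a contractor, whatever query or URL is used.
-- Member access is left out because the page does not state it.
CREATE POLICY invoices_ops ON invoices FOR ALL
    USING (workspace_id = app_workspace() AND app_role() IN ('owner', 'admin'));

-- Time entries (read side only; write policies omitted): contractors get
-- only their own rows on projects they were added to.
CREATE POLICY time_entries_read ON time_entries FOR SELECT
    USING (workspace_id = app_workspace() AND CASE app_role()
        WHEN 'owner'      THEN true
        WHEN 'admin'      THEN true
        WHEN 'member'     THEN on_project(project_id)
        WHEN 'contractor' THEN user_id = app_user() AND on_project(project_id)
        ELSE false END);
```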
A rule for assigning roles
When someone joins, don't ask "do I trust them?" Ask "what's the smallest role that lets them do today's job?" You can always promote in two clicks; clawing back access after a leak is a different kind of afternoon.
External freelancer on one project → contractor. Add them to that project only.
In-house team member who works across client projects → member.
Operations lead, studio manager, or anyone who sends invoices and manages clients → admin.
You, or your business partner who shares financial responsibility → owner.
Default to the lowest role that still lets the work happen. Promotion is cheap; a leaked client list is not.
Rates follow roles, too
Roles and money are linked. Kliently uses a rate hierarchy — a project-member rate overrides a project rate, which overrides your default rate — and it snapshots the rate at the moment each time entry is created, so old entries never silently change value when you renegotiate. Because a contractor can't see other people's rates or the project margin, you can pay a freelancer $40/hour and bill the client $120/hour without that spread ever appearing on their screen. The math stays yours.
Trust, but keep the receipts
Permissions decide what people can do; the audit log records what they did. Kliently keeps an append-only audit log of sensitive actions — role changes, invoice sends, contract signatures, access grants — and append-only means entries can't be quietly edited or deleted after the fact. If a client ever asks who saw a document, or you need to understand how a setting changed, the history is there and it's tamper-evident.
A starting configuration
If you're setting this up today: make yourself owner, promote one trusted operator to admin so the workspace isn't single-threaded on you, keep your salaried team as members, and add every external freelancer as a contractor scoped to their project. Revisit it whenever someone's responsibilities change rather than letting roles drift upward by habit. For a deeper look at the security model underneath all of this, see our security overview; to see how the contractor wall fits the rest of an agency setup, read Kliently for agencies.