[Intum Help](https://intum.com/help.md) / [Organization](https://intum.com/help/organization.md)

# [Roles](https://intum.com/help/organization/roles.md)

## Default Roles

The system has four built-in roles that cannot be deleted:

- **Owner** — full access to everything. Can manage user passwords, sees private emails and all webchat widgets. This is the highest permission level.
- **Administrator** — broad access to account management. Can manage roles, users, invoices, CMS pages, reports, and most settings. Does not have access to things reserved for the owner.
- **User** — standard role for daily work. Access to tasks, projects, CRM, mail, knowledge base, forms, files, and most operational features.
- **Guest** — minimal access. Sees only their own profile.

Each higher role inherits the permissions of lower ones — an administrator has everything a user has, an owner has everything an administrator has.

## Creating Custom Roles

Custom roles allow precise control over who has access to what. To add a new role:

1. Go to **Settings > Roles**
2. Click **New Role**
3. Give it a name and check the permissions the role should have
4. Save

You can also copy an existing role (built-in or custom) and adjust it to your needs — useful when you want, for example, a role that's "almost like administrator, but without billing."

Assign a custom role to a user in their account settings, in the same place where you select the default role.

**Important:** you can only create roles with permissions that you yourself have. An administrator cannot grant anyone owner permissions.

## Permission List

Below are all permissions that can be enabled and disabled in custom roles.

### Basic

| Permission | What it grants |
|---|---|
| profile | Access to own profile |
| activities | Activity view |
| notifications | Notifications |
| favorites | Favorite items |
| dashboard | Main panel |
| calendar | Calendar |
| tags | Tag management |

### Tasks and Projects

| Permission | What it grants |
|---|---|
| organize | Work organization module |
| tasks | Tasks |
| projects | Projects |
| todos | To-do lists |
| recurrings | Recurring tasks |
| teams | Teams |
| reports | Reports |

### Users and Structure

| Permission | What it grants |
|---|---|
| users | User list |
| user_settings | User settings |
| departments | Departments |
| groups | Groups |
| invites | New user invitations |
| workinfo | Work information |

### Communication

| Permission | What it grants |
|---|---|
| mail | Mail |
| emails | Emails |
| emails_unassigned | Unassigned emails |
| webchat | Website chat |
| posts | Posts / announcements |
| helpdesk | Helpdesk |
| mail_templates | Email templates |

### CRM and Sales

| Permission | What it grants |
|---|---|
| crm | CRM module |
| commerce | Shop / e-commerce |
| fakturownia | Fakturownia integration |
| payments | Payments |

### Content and Files

| Permission | What it grants |
|---|---|
| kb | Knowledge base |
| drive | Drive |
| documents | Documents |
| files | Files |
| pages | Pages |
| paragraphs | Paragraphs |
| assets | Assets (graphics, CSS/JS files) |

### Integrations and Automations

| Permission | What it grants |
|---|---|
| connectors | Connectors |
| flows | Automation flows |
| webhooks | Webhooks |
| api_tokens | API tokens |
| apps | Applications |
| appstore | App store |
| connect | Connect module |
| mcp | MCP server |

### Other

| Permission | What it grants |
|---|---|
| form | Forms |
| voip | VoIP telephony |
| design | Appearance settings |
| pdp | Personal data protection |
| noe/widgets | Noe widgets |

### Administrator Only

These permissions are available from the administrator level:

| Permission | What it grants |
|---|---|
| roles | Role management |
| insight | Analytics and statistics |
| cms | CMS page management |
| sites | Websites |
| layouts | Page templates |
| domains | Domains |
| billing | Invoices and subscriptions |
| billing_helpdesk | Billing helpdesk |
| fiskator | Fiscal integration |
| activities_admin | Activity administration |
| activities_undo_all | Undo all activities |
| mailboxes | Mailboxes |
| mailboxes_marketing | Marketing mailboxes |
| folders | Folders |
| emails_all | All emails |
| groups_admin | Group administration |
| workinfo_admin | Work info administration |
| employee_leaves_admin | Leave management |
| comments_edit | Comment editing |
| tags_edit | Tag editing |
| mail_reports | Mail reports |
| account_reports | Account reports |
| noe | Noe management |
| accept_kb_comments | KB comment approval |

### Owner Only

These permissions belong exclusively to the account owner:

| Permission | What it grants |
|---|---|
| mail_private_all | Access to all private emails |
| webchat_widget_all | Access to all webchat widgets |
| manage_user_passwords | User password management |