Resource Planner Blog
Resource Planner Roles and Permissions: Member, Manager, Customer, and Admin
Resource Planner has four workspace roles: Member, Manager, Customer, and Admin. Each role starts with a clear set of permissions, while a small number of additional settings control how much of the workspace a person can see or manage.
This guide is the reference for the intended role and permission policy in Resource Planner. “Visible” means that an item appears in a list, timeline, or planning overview. Full details, editing rights, financial information, and access management are listed separately because seeing an item does not automatically grant control over it.
Permission modifiers
Five settings refine the base roles:
- A Member can have Can only see themselves visibility or Can see the team visibility.
- A Manager can have Only people they manage visibility or Can see everyone visibility.
- A Manager can separately manage selected people or have Manager oversees all members enabled.
- A Manager can separately be allowed to see financial information.
- A Customer can separately be allowed to edit assignments on projects they have been invited to.
Role and permission matrix
How to read conditional permissions
Visibility is not edit access
A person may appear in a Resource or Project overview without exposing their full details or allowing changes. For example, a team-visible Member can see the planning overview for other roles but cannot open another person's details. Similarly, a Manager who can see everyone cannot open details for people outside their editable scope.
Manager scope follows the management structure
Manager visibility and management scope are separate. Can see everyone expands the planning overview but does not grant editing rights. A Manager normally edits and plans only themselves and their management hierarchy; Manager oversees all members expands that management scope to every non-admin resource. Managers may refer to one another in the hierarchy without creating a permission problem because cycles are resolved safely, while Admin records remain protected from Manager edits.
Financial access is separate from management scope
A Manager's management scope decides which resources they can manage. Their visibility setting separately decides who appears in the overview, and the financial setting decides whether rates and Forecast are visible. Enabling visibility or financial access does not expand the Manager's editing scope or allow them to edit Admins.
API and MCP credentials provide unrestricted workspace access
API access keys and MCP keys are workspace-level credentials, not role-scoped user sessions. Anyone or any system given either credential receives unrestricted access to the workspace through the operations supported by that integration, equivalent to acting as an Admin. Only Admins can create, replace, or remove these credentials, and they should share them only with fully trusted systems and people.
MCP connections authenticated through a personal OAuth session are accepted only for an active Admin. This keeps the unrestricted MCP tool set consistent with the Admin-only integration policy.
Plan limits still apply
Role permissions describe who may perform an operation. Workspace plan limits apply separately and can block otherwise permitted resource or assignment creation when the workspace has no available seats or has reached its assignment allowance. Existing assignments can still be updated or deleted when only the free-plan assignment allowance has been reached.
The last admin protects the workspace
Resource Planner blocks the last active Admin from being removed or demoted and blocks their resource from being deleted through team management. Personal account deletion is the explicit exception: after a destructive confirmation, the last active Admin can delete their account, which permanently deletes the entire organization and all of its planning, Time Off, time-tracking, access, and settings data. When another active Admin remains, deleting an Admin account removes only that account.