How to Set User Roles in GoHighLevel | The Ultimate Permissions Guide

How to Set User Roles and Permissions in GoHighLevel: The Complete Guide

Scaling your GoHighLevel agency or SaaS business means bringing in team members, virtual assistants, and clients — each of whom needs different levels of access. Add someone with too much access and they are accidentally editing your automations or deleting pipelines. Add someone with too little and they can't do their job.

This guide explains exactly how GHL's permission system works, how to configure it for every common team role, and how to avoid the most expensive access-management mistakes agencies make.

The Reality: GHL Has Only Two Default Roles

Unlike platforms that let you create custom named roles, GoHighLevel has just two default role types inside any sub-account:

• Admin — full access to everything in the sub-account
• User — restricted access, configurable via permission toggles

This confuses a lot of new GHL users. They expect to create a "Sales Rep" role, a "VA" role, and a "Client Viewer" role as separate named entities. You cannot do that out of the box.

But here is what most people miss: you can configure the User role with such granular permission toggles that it effectively becomes any role you need. The key is knowing how to use those toggles correctly.

Navigating to User Management

There are two entry points for user management in GHL:

Agency Level

Go to Agency Dashboard → Settings → Team. This lets you create users who have access to the agency dashboard itself and potentially multiple sub-accounts. Best for your core team members who work across clients.

Sub-Account Level

From inside a specific sub-account: Settings → My Staff. This is where you add users (clients, VAs, support staff) who only need access to that particular sub-account.

When you click the pencil icon on any existing user, or click "Add New User", you see the full permission panel.

The Permission Toggles: Your Real Power Tool

Each user has a comprehensive list of permissions divided into key categories. For each section, you can typically toggle: Can View, Can Edit, Can Manage — or disable access entirely.

The permission categories include:

• Account Settings — can this user change billing, business info, and integrations?
• Contacts — can they view, add, and edit contact records?
• Conversations — can they handle inbox messages?
• Automations — can they view, edit, or trigger workflows?
• Pipelines / Opportunities — can they see and update deal stages?
• Calendars — can they view, book, and edit appointments?
• Funnels / Sites — can they edit landing pages and websites?
• Blogs — can they create and publish blog content?
• Communities — can they moderate the community?
• Certificates — can they issue course completion certificates?
• Forms — can they view or modify form submissions?
• Reporting — can they view analytics dashboards?
• Integrations — can they connect or disconnect third-party tools?

Building the 5 Most Common Role Configurations

Configuration 1: The Virtual Assistant (Conversations & Calendars Only)

A VA handling inbox and appointment booking needs precisely:

• ✅ Conversations — View, Edit (reply to messages)
• ✅ Contacts — View (to see who they are talking to)
• ✅ Calendars — View, Edit (book and manage appointments)
• ❌ Everything else — disabled

This VA cannot access automations, funnels, settings, or billing. They can do their job without any risk of breaking anything.

Configuration 2: The Client Viewer (Reports Only)

A client who wants to see their results without touching the setup:

• ✅ Reporting — View only
• ✅ Contacts — View only (to see their own contact list)
• ✅ Pipelines / Opportunities — View only
• ❌ Everything else — disabled

This client sees everything they care about (results) and cannot accidentally change anything.

Configuration 3: The Sales Rep (Pipeline Focus)

A sales rep working leads through a pipeline:

• ✅ Contacts — View, Edit (add notes, update information)
• ✅ Conversations — View, Edit (follow up via SMS/email)
• ✅ Pipelines / Opportunities — View, Edit (move deals through stages)
• ✅ Calendars — View (book discovery calls)
• ❌ Automations, Settings, Funnels — disabled

Configuration 4: The Content/Funnel Builder

A designer or developer building out funnel pages and content:

• ✅ Funnels / Sites — View, Edit, Manage
• ✅ Blogs — View, Edit
• ✅ Forms — View, Edit
• ❌ Contacts, Automations, Settings, Billing — disabled

Configuration 5: The Automation Specialist

A team member who builds and maintains workflows:

• ✅ Automations — View, Edit, Manage
• ✅ Contacts — View (to understand trigger conditions)
• ✅ Conversations — View (to monitor automation outputs)
• ✅ Calendars — View (automation often involves bookings)
• ❌ Settings, Billing, Integrations — disabled unless specifically needed

Adding a New User: What Information You Need

When adding a new user to a sub-account, you need:

• Full name — how they appear in the system
• Email address — used for login and password resets
• Phone number — for SMS-based login verification
• Role — Admin or User
• Permission configuration — toggle access based on their role (from the configurations above)

The user receives an invitation email with login instructions. They set their own password. You can change their permissions at any time — if someone is promoted, you update their toggles without creating a new account.

Advanced: Combining Permissions With Smart Lists and Contact Ownership

For agencies with larger teams, GHL's permission system can be extended with smart lists and contact ownership rules:

• Assign contacts with a specific tag to a specific user — a VA working only with "Dubai Leads" sees only contacts tagged "lead-dubai"
• Contact ownership — assign contacts to individual sales reps so each rep's pipeline view shows only their own leads
• Smart list visibility — create filtered views of contacts based on pipeline stage, source, tag, or date — and restrict different users to different views

This is "next level" territory but becomes important as teams grow past 5–10 people handling the same sub-account.

Common Mistakes to Avoid

• Making clients Admin by accident. A client with Admin access can change automations, delete pipelines, and modify billing. Always use User role with limited permissions for client logins.
• Forgetting to disable Integrations access. A user who can connect/disconnect integrations can accidentally break your Stripe, Twilio, or email provider connections.
• Not reviewing permissions when roles change. When a team member's responsibilities change, update their permissions the same day — do not leave elevated access in place.
• Ignoring the phone number field. Without a phone number on file, users cannot complete SMS-based 2FA and will have difficulty resetting passwords.

What's New in GHL User Management (2026)

GoHighLevel has continued expanding its permission system. Notable updates as of early 2026:

• Permission templates — you can now save a configured set of permissions as a reusable template, making it faster to onboard new users into standard roles
• Activity logging — improved audit logs show exactly which user made which change, when, and to what
• Bulk permission updates — update permissions across multiple users simultaneously from a single panel

The Bottom Line

GHL's two-role system (Admin / User) with granular permission toggles is more flexible than it initially appears. The five configurations above cover the vast majority of team setups. Build a reference document for your own agency listing each role and its exact permission settings — then applying it consistently to every new user you add takes under two minutes.

The most important rule: always give the minimum access needed to do the job. You can always expand permissions later. Recovering from an accidental automation deletion or a client who has modified your billing settings is significantly more painful than spending two extra minutes configuring access correctly from the start.