How to Set User Roles in GoHighLevel | The Ultimate Permissions Guide

If you manage a GoHighLevel agency and have ever handed login credentials to a team member without configuring access first, setting GoHighLevel user roles and permissions correctly is the single most important admin task standing between you and a client data breach.

GoHighLevel has four primary role types: Agency Admin, Agency User, Account Admin, and Account User. Agency Admins have unrestricted platform access including billing, SaaS settings, and all sub-accounts. Account Users are scoped exclusively to the locations and feature sections you explicitly enable. All roles are configured inside Settings → Team at both the agency level and within individual sub-accounts independently.

The GoHighLevel Role Hierarchy Explained

GoHighLevel runs on a two-tier structure — the Agency level (your master account) and the Sub-Account level (each client location). Roles exist at both tiers and operate independently of each other.

• Agency Admin: Full platform control — billing, white-label configuration, SaaS pricing, sub-account creation, and access to every client's data. Reserve this for yourself and one trusted backup only.
• Agency User: Agency-level access with restrictions you define. Useful for sales reps or onboarding specialists who need the dashboard but must not touch billing.
• Account Admin: Full access within one specific sub-account. Ideal for a client or dedicated account manager who owns that location entirely.
• Account User: Scoped sub-account access. You choose exactly which sections — Contacts, Calendars, Conversations, Funnels — this person can view or edit.

Think of it as a two-floor building. Agency roles govern the entire building. Sub-account roles unlock only specific rooms on one floor.

How to Add and Assign User Roles Step by Step

The setup takes under five minutes once you know the path.

• Step 1: Log into your GoHighLevel agency dashboard and click Settings in the left sidebar.
• Step 2: Select Team to view all current agency-level users.
• Step 3: Click Add Employee. Enter the user's name, email address, and phone number.
• Step 4: Under Role, select either Agency Admin or Agency User.
• Step 5: If you chose Agency User, a permissions panel appears. Toggle on only the sections this user needs — nothing more.
• Step 6: Under Sub-Accounts, assign which specific locations this user can access. Do not default to all sub-accounts unless the role genuinely requires it.
• Step 7: Click Save. GoHighLevel sends an invite email with a one-time login link.

For sub-account-level permissions, navigate into the individual sub-account, go to Settings → Team, and repeat the process — selecting Account Admin or Account User and toggling sections accordingly.

Configuring Sub-Account Permissions in Granular Detail

When you assign Account User instead of Account Admin, GoHighLevel gives you feature-level toggles for every major section. This is where most agencies leave the biggest security gaps by leaving everything on by default.

• A sales rep needs Contacts, Conversations, and Calendars — nothing else.
• A funnel builder needs Funnels, Websites, and Media Library — not Reporting or Settings.
• A client-facing viewer who only monitors results needs Reporting only, with all edit permissions disabled.

Critically, you can hide the Settings tab entirely from sub-account users. This prevents accidental changes to integrations, Twilio phone numbers, and custom domains — the type of configuration errors that create three-hour support calls.

Agency Admin vs Agency User: When to Use Each

The most consistent mistake I see across the 79,000+ students I have trained on automation systems — including hundreds of GoHighLevel agencies — is defaulting every team member to Agency Admin because it is faster than thinking through access levels.

Agency Admin belongs to: yourself, your co-founder or operations director, and one emergency backup account. That is the complete list.

Agency User is the right role for:

• Sales reps running demos across client sub-accounts
• Onboarding coordinators who set up new locations but must not create billing changes
• Virtual assistants managing conversations across multiple client inboxes
• Contractors hired for specific campaign builds or integrations

If a task genuinely requires Agency Admin access temporarily — such as updating billing or configuring a new SaaS plan — elevate the role, complete the task together, then immediately downgrade it. Never leave temporary elevated access active.

Best Practices for Keeping Your Agency Secure

Permissions are only as strong as the habits that maintain them. Treat GoHighLevel access the same way a CA firm treats financial system access — minimum viable permissions, monthly audit, immediate revocation on offboarding.

• Audit Settings → Team monthly. Former staff and contractors should be removed the day they leave, not six months later when you notice the list is unusually long.
• Enable 2FA for all Agency Admin accounts. GoHighLevel supports two-factor authentication under Settings → Security. This is non-negotiable.
• Create individual named accounts. Never share the Agency Admin login. Named accounts create an audit trail for every contact deletion, funnel change, and settings modification.
• Test every role after setup. Open an incognito browser window, log in as the new user, and verify they can only see exactly what they should. Assume nothing.
• Scope sub-account assignments tightly. An Agency User working with three clients does not need visibility into the other 37 sub-accounts on your agency.

The Four Permission Mistakes That Lose Clients

Misconfigured roles are not just a security risk — they are a client-relationship risk. These are the four errors that generate the most damage.

• Giving clients Agency Admin access: A client with Agency Admin can view every other client sub-account on your entire agency. This is a GDPR violation and a business ethics problem with no clean excuse.
• Making every team member Account Admin: When everyone is an admin, no one is accountable. Granular roles create ownership and prevent accidental pipeline and automation deletions.
• Leaving contractor accounts active: A developer hired for a two-week integration build still has active login credentials four months later. This is the most common security gap in growing agencies.
• Skipping the live test: Saving the role settings and assuming they are correct without a real login test. Always verify with incognito.

Mastering GoHighLevel user roles and permissions is a one-time configuration that protects your agency, your clients, and your reputation for as long as the platform runs — open Settings → Team right now and audit every account on the list before doing anything else.

Keep Learning

If this was useful, these are worth reading next:

• The Ultimate GoHighLevel Guide for Marketing Agencies 2026 (Setup to Scale)
• GoHighLevel AI Features 2026: Conversation AI, Voice AI, and Workflow AI Explained
• Or go further with the GoHighLevel Mastery Course — used by 79,000+ students across 150+ countries.
• Try GoHighLevel free for 14 days — the CRM built for agencies and course creators.

Source: GoHighLevel Official Help Center — User Roles & Permissions Documentation (2024)