Skip to main content

Workspace Permissions

Create roles that control which device groups and automation groups each technician can access.

Updated this week

Introduction

Control what each technician on your team can see and do in Level. Permissions are role-based β€” you define a role, configure its access, then assign technicians to it via the Team page.
​

Each role has two levers: what the technician can manage (automations), and which device groups and automation groups they can access.

How Roles Work

Every technician on your team belongs to a role. A role defines:

  • Management access β€” whether the technician can create and edit automations (technicians without this can still run automations, just not build or modify them)

  • Group access β€” which device groups and automation groups the technician can see and work in

Multiple technicians can share the same role.

Technicians without access to a group can't see any devices in that group, run remote control, or take any action on those devices.

πŸ’‘ TIP: Plan your roles around your team structure before creating them. A common setup: a "Junior Tech" role scoped to specific groups with no automation management, a "Senior Tech" role with full group access plus automation management, and a break-glass admin account.

Creating a Role

  1. Navigate to Workspace β†’ Permissions.

  2. Click + Create role in the top-right corner.

  3. Enter a name in the Role name field and click Create.

The new role appears in the role list. It has no access configured by default β€” set up management access and group access before assigning anyone to it.

πŸ’‘ TIP: Level creates a "Tech" role on every new account as a starting example. You can rename it, reconfigure it, or delete it like any other role.

Configuring a Role

Select any role from the list to open its configuration panel on the right.

Management Access

Under Management access, check Automations to allow this role to create, edit, and delete automations across the groups they have access to.

Leave it unchecked for technicians who should be able to run existing automations but not build new ones or modify existing ones. Good for newer technicians where you want to limit the blast radius.

Group Access

Under Group access, there are 2 tabs: Devices and Automations. Each lists the device groups or automation groups in your organization as a tree.

For each group, there are 2 controls:

  • Checkbox β€” grants this role access to that group. Technicians in this role can see and manage devices (or automations) in any checked group.

  • Circular arrows β€” when enabled (shown in green), any sub-groups created under that group in the future will automatically inherit this role's access. New sub-groups won't require a manual update.

⚠️ WARNING: Unchecking a group immediately removes access for all technicians in that role. They'll lose visibility into those devices until access is restored.

πŸ’‘ TIP: Enable the circular arrows on your top-level group if you want all new sub-groups to automatically inherit access. Without it, you'll need to manually grant access to every new sub-group you create.

Switch to the Automations tab to configure which automation groups this role can access. The controls work the same way.

Renaming a Role

  1. Select the role from the list.

  2. Click the pencil icon in the top-right corner of the configuration panel.

  3. Edit the name in the Role name field and click Save.

Deleting a Role

  1. Select the role from the list.

  2. Click the trash icon in the top-right corner of the configuration panel.

  3. Confirm by clicking Delete.

⚠️ WARNING: Deleting a role is permanent and can't be undone. You can't delete a role that has technicians currently assigned to it β€” Level will show an error: "Cannot delete a role that has assigned users." Reassign or remove all technicians from the role first via Workspace β†’ Team, then retry.

FAQ

  • Who can create and edit roles? Only organization owners and admins can manage roles on the Permissions page. Technicians assigned to roles without management access can't view or change permission settings.

  • Can multiple technicians share the same role? Yes. Assign as many technicians as you like to a single role via Workspace β†’ Team. Any changes you make to the role apply to everyone assigned to it.

  • A technician says they can't see certain devices. How do I fix it? Check which role they're assigned to in Workspace β†’ Team, then open that role in Workspace β†’ Permissions and verify the relevant device group has its checkbox enabled.

  • Why can't I delete a role? Level blocks deletion if any technicians are still assigned to it. Go to Workspace β†’ Team, move those technicians to a different role, then retry the deletion.

  • A technician can run automations but can't create or edit them. Is that a bug? No β€” that's expected behavior when the Automations checkbox under Management access is unchecked for their role. Enable it if you want them to build and modify automations.

  • I created a new sub-group but a role can't access it. Why? The circular arrows icon wasn't enabled on the parent group for that role. Enable it going forward, then manually check the new sub-group's checkbox to grant access retroactively.

Related Articles
Groups
Workspace Tags
Workspace Team
Device Permissions
Group Permissions
Did this answer your question?