Workspace Permissions

Create roles that control which device groups and automation groups each technician can access.

Introduction

Control what each technician can see and do in Level. Permissions are role-based: you define a role, choose what it can manage, what it can do on devices, and which groups it can access. You then assign technicians to that role from the Team page.

Every technician belongs to exactly one role. Roles can be shared by as many technicians as you need.


How Roles Work

A role defines three things:

  • Management permissions decide whether the role can create and manage workspace-level resources like automations, scripts, monitor policies, and tags.

  • Device permissions decide what the role can do on individual devices: remote control, background management, and tagging.

  • Group access decides which device groups and automation groups the role can see and work in.

Technicians without access to a device group can't see devices in that group, run remote control, or take any action on those devices. The same applies to automation groups: technicians can't see, run, or edit automations in groups they don't have access to.

💡 TIP: Plan your roles around your team structure before you create them. A common setup: a "Junior Tech" role scoped to a few groups with no management permissions, a "Senior Tech" role with broader access plus automation and script management, and a break-glass admin account that lives outside SSO for emergency recovery.


Creating a Role

  1. Navigate to Workspace → Permissions.

  2. Click + Create role in the top-right corner.

  3. Enter a name in the Role name field and click Create.

The new role appears in the role list. It has no access configured by default — set up management access and group access before assigning anyone to it.

💡 TIP: Level creates a "Tech" role on every new account as a starting example. You can rename it, reconfigure it, or delete it like any other role.


Configuring a Role

Select any role from the list to open its configuration panel on the right.

Management Permissions

The Management permissions section controls whether this role can create, edit, and delete workspace-level resources.

Permission          What it controls
------------------  ----------------------------------
Automations         Create and manage automations
Scripts             Create and manage scripts
Monitor policies    Create and manage monitor policies
Tags                Create and manage tags

💡 TIP: Leave Monitor policies unchecked for most technicians. Policy changes affect every device carrying the matching tag, so the blast radius is wide. Keep this scoped to senior staff.

Each permission is independent. You can grant Scripts without Automations, Tags without Monitor policies, and so on.

ℹ️ NOTE: The Automations management permission specifically gates non-manual automation triggers (scheduled, tag-based, event-based, etc.). Technicians without this permission can still create automations with only a Manual trigger, but can only run that automation against devices they have group access to. The permission exists to prevent technicians from creating automations whose triggers could fan out to devices in groups they don't have access to.


Device Permissions

The Device permissions section controls what actions this role can perform on individual devices they already have group access to.

  • Remote control lets the role start remote control sessions.

  • Background management lets the role open background terminal and management sessions (file explorer, services, processes, registry, etc.).

  • Device tagging lets the role apply and remove tags on devices. This permission expands into two sub-options:

    • Apply tags to devices lets the role add existing tags to a device.

    • Remove tags from devices lets the role strip tags off a device.

ℹ️ NOTE: Device tagging is separate from the Tags management permission. A technician can have permission to apply tags to devices (Device permission) without having permission to create or rename tags at the workspace level (Management permission). The Tags management permission governs the global tag library; the Device tagging permission governs whether existing tags can be put on or taken off individual devices.

⚠️ WARNING: Granting Background management gives the role full terminal access to every device in their group scope. That's effectively local administrator access. Make sure the role's group access is scoped accordingly.


Group Access

The Group access section controls which device groups and automation groups this role can see and work in. There are two tabs: Devices and Automations. Each lists the groups in your workspace as a tree.

Each row has two controls:

  • Group checkbox grants this role access to that group. Technicians in this role can see and work with devices or automations in any checked group.

  • Include future groups checkbox (on the right side of the row) controls whether sub-groups created later under this group automatically inherit the same access. When enabled, any new sub-group is added to the role's access automatically.

ℹ️ NOTE: Selecting a group automatically enables Include future groups for that row. If you want to grant access to a group but not its future sub-groups, uncheck Include future groups after selecting the group.

Switch to the Automations tab to configure which automation groups this role can access. The controls work the same way.

⚠️ WARNING: Unchecking a group immediately removes access for every technician assigned to that role. They'll lose visibility into those devices or automations until access is restored.

💡 TIP: Enable Include future groups on your top-level group when you want a role to automatically cover any new sub-groups your team adds later. Without it, every new sub-group needs to be granted access manually.
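
One way to review role definitions against the warnings and tips in this section, as an added example that is not Level's own code or export format. The Role structure, the permission key names and the sample roles are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    # Hypothetical structure; key names below are assumptions, not Level identifiers.
    name: str
    management: set = field(default_factory=set)  # automations, scripts, monitor_policies, tags
    device: set = field(default_factory=set)      # remote_control, background_management, ...
    # Device group name -> state of its "Include future groups" checkbox.
    device_groups: dict = field(default_factory=dict)
    technicians: int = 0

def review_role(role: Role) -> list:
    """Return findings that map to the warnings and tips in this section."""
    findings = []
    growing = sorted(g for g, future in role.device_groups.items() if future)
    if "background_management" in role.device and role.device_groups:
        findings.append(
            f"terminal-level access to every device in {len(role.device_groups)} group(s)")
        if growing:
            findings.append(
                "background management scope grows with new sub-groups of: "
                + ", ".join(growing))
    if "monitor_policies" in role.management:
        findings.append("can change monitor policies (affects every device with the matching tag)")
    if "automations" in role.management:
        findings.append("can create non-manual automation triggers")
    if role.technicians and not role.device_groups:
        findings.append("technicians assigned but no device group access configured")
    return findings

# Constructed sample roles, loosely following the Junior/Senior split in the planning tip.
ROLES = [
    Role("Junior Tech", device={"remote_control", "apply_tags"},
         device_groups={"Clients/Acme": False}, technicians=4),
    Role("Senior Tech", management={"automations", "scripts"},
         device={"remote_control", "background_management"},
         device_groups={"Clients": True, "Internal": False}, technicians=2),
    Role("New Hire", technicians=1),
]

def review_all(roles=ROLES) -> dict:
    return {r.name: review_role(r) for r in roles}

if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, "->", findings or "no findings")
```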


Renaming a Role

  1. Select the role from the list.

  2. Click the pencil icon in the top-right corner of the configuration panel.

  3. Edit the name in the Role name field and click Save.

Renaming a role doesn't affect its permissions, group access, or assigned technicians. Only the display name changes.


Deleting a Role

  1. Select the role from the list.

  2. Click the trash icon in the top-right corner of the configuration panel.

  3. Confirm by clicking Delete.

⚠️ WARNING: Deleting a role is permanent and can't be undone. Level blocks deletion if any technicians are still assigned to the role. Reassign or remove those technicians via Workspace → Team first, then retry the deletion.


FAQ

  • A tech assigned to a role without Automations management says they can still create automations. Is that a bug? No. The Automations management permission only gates non-manual triggers (scheduled, tag-based, event-based, etc.). Manual automations are always allowed because the technician has to explicitly pick the target devices, and they can only pick devices in groups they already have access to. The permission exists to prevent automations whose triggers could reach devices the technician can't see.

  • What's the difference between the Tags management permission and Device tagging? Tags management controls who can create, rename, and delete tags in the workspace tag library. Device tagging controls who can apply existing tags to devices or remove them. A technician can have Device tagging without Tags management, which lets them tag devices using tags an admin has already defined.

  • Can a technician without Background management still use remote control? Yes. Remote control and Background management are separate permissions. You can grant one without the other. Remote control covers the user-facing remote control session; Background management covers terminal, file explorer, services, processes, and other backend tools.

  • Why can't I delete a role? Level blocks deletion if any technicians are still assigned to it. Go to Workspace → Team, move those technicians to a different role, then come back and try again.

  • A technician can run an existing automation but can't edit it. What's missing? They're in a role without the Automations management permission. Enable it if you want them to build and modify automations. Keep it disabled if you only want them to trigger automations someone else built.

  • I created a new sub-group and a role can't access it. Why? Include future groups wasn't enabled on the parent group for that role. Enable it going forward, then check the new sub-group's box manually to grant access retroactively.

  • A technician needs to remote control devices in a client's group, but only see (not modify) automations. How do I set that up? Grant Remote control under Device permissions. Leave Automations unchecked under Management permissions. Add the relevant device group under the Devices tab of Group access. Add the client's automation group under the Automations tab if you want them to see automations targeting those devices.

  • Can multiple technicians share the same role? Yes. Assign as many technicians as you need to a single role via Workspace → Team. Permission changes apply to everyone in the role immediately.

  • Are Administrator and break-glass accounts configured here? No. Administrator is a workspace-level account property, not a custom role. Administrators bypass all role-based permission checks. Manage administrator status from Workspace → Team.
