Roles & Permissions
Keito uses a role-based permission system to control what team members can see and do within your workspace.
Permission Levels
Member
The default role for team members. Members can:
- Track their own time and expenses
- View their own reports
- Edit their own profile
- See projects they’re assigned to
- Submit timesheets for approval
Manager
An elevated role for team leads and project managers. In addition to Member permissions, Managers can:
- View time and expenses from their assigned teammates
- Approve or reject submitted timesheets
- See reports for their assigned team
- Manage projects they’re assigned to as project manager
Administrator
Full access to all workspace features. Administrators can:
- View and edit all time entries and expenses across the workspace
- Approve any timesheet
- Create, edit, and archive projects, clients, and tasks
- Manage team members (invite, edit, archive)
- Configure workspace settings
- Manage integrations
- Access all reports with full data
- Manage billing and subscription
Member Types
In addition to permission level, each person has a member type:
| Type | Description |
|---|---|
| Employee | Internal staff member. Employees can track time and expenses on assigned projects. |
| Contractor | External delivery worker. Contractors can track work on assigned projects but are still treated as internal workforce for delivery and reporting. |
| Client | External client stakeholder. Clients are regular members with project-level access only. |
Client accounts cannot be managers or administrators, cannot receive internal business roles, and cannot be converted back into employees or contractors. Use client accounts for people who need visibility into selected projects without internal team access.
For project-level client visibility, see Client Project Access.
Granular Manager Permissions
Administrators can customise exactly what managers can do by toggling specific permissions:
| Permission | Description |
|---|---|
| Create projects | Create new projects for their clients |
| View/edit billable rates | See and modify hourly rates |
| Draft invoices | Create invoice drafts for managed projects |
| Send/edit invoices | Send and modify invoices for managed projects |
| Create/edit clients and tasks | Manage the client and task directory |
| Edit team time and expenses | Modify entries belonging to assigned teammates |
| Withdraw approvals | Undo a previous timesheet approval |
These permissions are configured per-manager from the Team management page.
Teammate Assignments
Managers can be assigned specific teammates, limiting their visibility and approval authority:
- A manager only sees time/expenses from their assigned teammates.
- They can only approve timesheets from their assigned teammates.
- They only see their assigned teammates in reports.
If no teammates are assigned, the manager has no team visibility (beyond their own data).
Business Roles
Separate from permission levels, business roles are organizational labels used for reporting and filtering:
- Examples: Designer, Developer, QA Engineer, Project Manager, Consultant
- Users can have multiple business roles.
- Roles don’t affect permissions — they’re purely for categorization.
- Use roles in report filters to analyse time by discipline.
Manage business roles from Manage > Roles.
Role Assignment
Roles are assigned when inviting a team member or can be changed later by an administrator:
- Go to Team.
- Click on a team member.
- Change their permission level (Member, Manager, Administrator).
- For managers, configure granular permissions and teammate assignments.