Roles & Permissions
Keito uses a role-based permission system to control what team members can see and do within your workspace.
Permission Levels
Member
The default role for team members. Members can:
- Track their own time and expenses
- View their own reports
- Edit their own profile
- See projects they’re assigned to
- Submit timesheets for approval
Manager
An elevated role for team leads and project managers. In addition to Member permissions, Managers can:
- View time and expenses from their assigned teammates
- Approve or reject submitted timesheets
- See reports for their assigned team
- Manage projects they’re assigned to as project manager
Administrator
Full access to all workspace features. Administrators can:
- View and edit all time entries and expenses across the workspace
- Approve any timesheet
- Create, edit, and archive projects, clients, and tasks
- Manage team members (invite, edit, archive)
- Configure workspace settings
- Manage integrations
- Access all reports with full data
- Manage billing and subscription
Granular Manager Permissions
Administrators can customise exactly what managers can do by toggling specific permissions:
| Permission | Description |
|---|---|
| Create projects | Create new projects for their clients |
| View/edit billable rates | See and modify hourly rates |
| Draft invoices | Create invoice drafts for managed projects |
| Send/edit invoices | Send and modify invoices for managed projects |
| Create/edit clients and tasks | Manage the client and task directory |
| Edit team time and expenses | Modify entries belonging to assigned teammates |
| Withdraw approvals | Undo a previous timesheet approval |
These permissions are configured per-manager from the Team management page.
Teammate Assignments
Managers can be assigned specific teammates, limiting their visibility and approval authority:
- A manager only sees time/expenses from their assigned teammates.
- They can only approve timesheets from their assigned teammates.
- They only see their assigned teammates in reports.
If no teammates are assigned, the manager has no team visibility (beyond their own data).
Business Roles
Separate from permission levels, business roles are organizational labels used for reporting and filtering:
- Examples: Designer, Developer, QA Engineer, Project Manager, Consultant
- Users can have multiple business roles.
- Roles don’t affect permissions — they’re purely for categorization.
- Use roles in report filters to analyse time by discipline.
Manage business roles from Manage > Roles.
Role Assignment
Roles are assigned when inviting a team member or can be changed later by an administrator:
- Go to Team.
- Click on a team member.
- Change their permission level (Member, Manager, Administrator).
- For managers, configure granular permissions and teammate assignments.