Roles & Permissions (RBAC)
JourneyLayer uses role-based access control (RBAC) so each teammate only sees and changes what their role allows. Roles are managed under Settings → Roles, and assigned to people under Settings → Users.
Customer-facing roles
Your account ships with four built-in system roles, plus any custom roles you create. Admin is the top role in your account.
| Role | Typical use | Access summary |
|---|---|---|
| Admin | Account owners and operators | Full access — manage the account, members, channels, roles, and billing details. |
| Creator | Marketers building messaging | Create and edit segments, campaigns, journeys, and analytics. No account/billing administration. |
| Member | Day-to-day collaborators | Read/write to most product areas, but cannot manage members, roles, or billing. |
| Agent / Viewer | Read-only stakeholders | View dashboards, analytics, and profiles. No editing. |
| Custom | Anything you need | Roles you define yourself, with permissions ticked exactly as you choose. |
The first user registered for an account is the Admin — the top customer-facing role.
A role is a bundle of permissions across product areas (Dashboard, Segments, Analytics, Engage, Channels, Data & Admin, and Billing), engagement actions (create/edit/publish campaigns and journeys), and profile data access (which user properties a role may read). Each area can be set to read, write (write implies read), or none.
Protected system roles
The four system roles (Admin, Creator, Member, Agent) are protected:
- They cannot be edited or deleted — their permissions are maintained by JourneyLayer so they stay consistent for every account.
- You can view them to see exactly what each one grants.
- You can clone one to use as the starting point for a new custom role (see below).
Creating, editing, cloning, and deleting roles
From Settings → Roles you manage custom roles with a guided editor:
| Action | System role | Custom role |
|---|---|---|
| View | ✅ | ✅ |
| Clone | ✅ | ✅ |
| Create | — | ✅ |
| Edit | 🔒 Protected | ✅ |
| Delete | 🔒 Protected | ✅ (when not in use) |
- Create — click New role, give it a name, then tick the permissions you want across each product area, the engagement actions it may perform, and its profile data access. Save to make it available for assignment.
- Edit — open any custom role to change its name or permissions. Changes apply to everyone holding that role.
- Clone — duplicate any role (system or custom) into a new editable custom role. This is the fastest way to start from a sensible baseline — for example, clone Agent and add a couple of write permissions.
- Delete — remove a custom role you no longer need. If the role is still assigned to one or more members, deletion is blocked: reassign those members first, then delete.
Only roles with the Roles write permission (such as Admin) can create, edit, clone, or delete roles. Everyone else sees the Roles page as read-only.
Assigning roles from the Users page
Roles are given to people under Settings → Users:
- Each member is listed with their current role shown in a column.
- Use the role dropdown next to a member to change their role. The change takes effect immediately and is recorded in the audit log.
- To bring in a new teammate, invite them by email; once they accept, they appear in the list and you can set their role.
Account-level owners/admins always resolve to the Admin role and are managed at the account level, so they aren't reassigned per project from the dropdown. Everyone else can be moved between Creator, Member, Agent, or any custom role.
A note on platform administration
JourneyLayer is operated and supported by the JourneyLayer team. Platform-level administration is handled internally and is not part of your account's role list — the roles you see and assign are exactly Admin, Creator, Member, Agent, and your custom roles.
Next steps
- Assign roles to your team under Users.
- Review who can access Billing (Admin only by default).
- Audit role changes under Audit logs.