Permission sets in Operating

All about permissions and how you may configure them for different users in your company

Written By Matti Parviainen

Last updated About 19 hours ago

Permission sets control what each user can see and do in Operating. This page describes how the permission system works, lists every permission available, and provides guidance on configuring permission sets for common roles.

How permission sets work

Each user in Operating is assigned exactly one permission set. The permission set defines which parts of the application they can access and what actions they can perform.

Key concepts:

Permission sets are defined at the organization level. Admins create and manage them in Settings → Permissions.
Each user gets one permission set. When a user is created, they are assigned the default permission set, which can be changed at any time.
There is a default permission set. One permission set is marked as the default and is automatically assigned to new users when they first log in. Review this carefully — if it's too permissive, every new user gets broad access immediately.
Built-in permission sets are provided as starting points (e.g., Admin, Employee, Manager). You can customize these or create new ones.
The Admin permission set cannot be removed as a profile. You always need at least one admin-level permission set.
A user is not the same as a person. A person can exist in Operating without a user account. A user account is only needed when someone needs to log in. See Give team members access for details.

The concept of ownership in Operating permissions

There are different kinds of owners for Projects. All different owners have access to projects (and the Client Owner has access to all projects for that Client).

Name	Intended purpose
Project Owner	The operational manager. The primary point of contact for the project.
Secondary Owner	Can be renamed to match what your company and your processes require. For example: staffing owner – responsible for finding people for unnamed positions.
Client Owner	The account manager who oversees all projects planned and delivered for a given client.
Invoicing Owner	The person responsible for smooth and accurate invoicing of the work. Quite often the same person as the Project Owner, but not always. Your invoicing process might depend on active participation from your finance team, for example.

The “reports to” manager relation in Operating

In order to handle who should be able to see whose time entries, and for easy filtering of “all of my people”, we provide the option to add a “reports to” field for each person. When the Reporting structure feature is in use, any Person may have a manager’s name set in their profile under “Reports to”.

In order to prevent problems with permission limitations, we have decided that a person will always see the people who report to them. The manager will also see all of the things that the person who reports to them sees. In order for a supervising manager to do their job, they need to see what their people are up to. Please reach out to support@operating.app if you have questions related to this logic.

The concept of membership in Operating permissions

For some permission settings, you can choose to allow things based on project membership.

When a user is added to a project team setup (named to work in a position), they gain membership in it and can see all other people on the project. Project owners, secondary owners, client owners and invoice owners will also have access to the projects under their management.

Permission reference

The permissions screen is organized into eight sections. Each section is described below with all available permissions and their options.

Features

Feature toggles control access to major areas of the Operating UI. Each can be turned on or off independently.

Permission	Description
Timeline	Access to the timeline and scheduling of allocations.
Reports	Access to the Reports section (Portfolio, Capacity, Projects, People, Utilization Metrics).
Hours	Access to time tracking.
Settings	Access to organization settings.
Directory	List of projects, people, and clients.
Projects tab	Access to the Projects list.
Project details	Access to project detail pages, including statuses, descriptions, and — depending on financial permissions — rate cards, budgets, and other financial data.
Clients tab	Access to the Clients list.
Client details	Access to individual client detail pages.
People tab	Access to the People list.
Positions tab	Access to the Positions list.
Time entries tab	Access to the Time entries list. Users will only see entries they have permission to view based on the Time entries permissions below.

People

Controls visibility and management of person records.

Permission	Options	Description
People visibility	See all people / Scoped	Controls which people the user can see. When a user doesn't see another person's profile (e.g., in financials), they may still see some confusion in reports. The safe option is "See all people" for most roles.
Manage basic info	Toggle + scope	Edit a person's basic information such as name and contact details.
Manage individual working hours	Edit all / Edit for own direct reports / None	Edit individual working hours overrides. Can be scoped to all people or only the user's direct reports.
Manage employment	Edit all / Edit for own direct reports / None	Edit employment details (start date, end date, company, site, external status, etc.).
Administer people	Admin all / Scoped	Higher-level person administration.

Projects and Clients

Controls what project and client data the user can access and modify.

Permission	Options	Description
Projects and clients visibility	See all projects and clients / Scoped	Controls which projects the user can see. When a user is added to a project (via a position or as project owner), they gain additional access. Managers and staffing roles typically need "See all." Consultants can be scoped to only their own projects. Also controls visibility of clients — users who only see their projects will see only the related clients.
Create projects	Toggle	Create new projects and set rate cards on them.
Manage projects	Edit all / Scoped	Edit project details (name, dates, status, description, billing type, etc.).
Create clients	Toggle	Create new client records.
Manage clients	Edit all / Scoped	Edit and delete client details.

Note: even when a user can see a project, the financial details they see depend on the Financials permissions below. Project visibility and financial visibility are separate controls.

Allocations and Positions

Controls the ability to create and manage staffing data.

Permission	Options	Description
Create positions	For all projects and people / Scoped	Create new positions in projects.
Manage positions	All / Scoped	Edit and delete positions.
Create allocations	Toggle	Create new allocations on positions. Note: adding a role to a person done happens through a profile (one at a time) or through bulk actions. A person may have more than one position in a project (e.g., a "lead" and a "coder") and multiple roles in the team. More allocations are possible for each position.
Manage allocations	All / Scoped	Edit and delete allocations.

Time entries

Controls time tracking visibility and management.

Permission	Options	Description
Time entries visibility	See all / Scoped	Controls which time entries the user can see. "See all" is needed for people managing or tracking projects or approving timesheets.
Manage time entries	Edit all time entries / Edit own / None	Controls the ability to create, edit, and delete time entries. Most users need at least "Edit own" to track their time.
Time limit for edits	All projects they can see / Scoped to own projects	Controls whether users can edit or see entries written for all or only their own projects. Also includes a radio option for whether project members see those of a hidden/tentative position in the project.
Time off visibility	Toggle	Whether the user can see time off details (dates, reasons) and notes for people.
Edit approvals	Toggle	Whether the user can approve time entries. For users who have the edit approvals permission set to approve flows, they can also see submitted and approved time entries and resend/reject them.
Edit approved time entries	Toggle	Whether the user can modify entries that have already been approved. Typically restricted to admins.

Financials

Controls visibility and management of monetary data — rates, costs, revenue, invoicing, and expenses.

Permission	Options	Description
Cost visibility	See all costs / Scoped / None	Controls whether the user can see cost rates, tracked costs, planned costs, and cost-derived metrics (gross profit, margin). Cost data reveals salary-derived information — restrict to leadership, finance, and those who need it for profitability decisions.
Manage costs	Toggle	Edit cost rates, costs, and cost-related data for people.
Revenue visibility	See all / Scoped / None	Controls whether the user can see revenue figures (earned, planned, invoiced) and billing rates. If a person can see the member list of any project, the rate card rate is visible at the global default level, and actual client rates may be inferred.
Manage rates and budgets	For all projects they can manage / Based on manage project scope	Edit rate cards, position-specific rates, and project budgets. Scope follows the user's project management scope.
Manage client-level rates	Toggle: Edit all rate cards	Edit and delete client-level rate cards and global rate cards for people.
Invoice visibility	For all projects / Scoped	Controls whether the user can see invoices.
Expense visibility	For all projects / Scoped	Controls whether the user can see expenses.
Add expenses	For all projects / Scoped	Create new expense records on projects.
Manage expenses	All expenses / Scoped	Edit and delete expense records.

Notes

Permission	Options	Description
Manage notes	Edit all notes they can see / Scoped	Create, edit, and delete notes on entities.

Administration

Controls access to organization-wide configuration. These permissions are typically reserved for admins and operations staff.

Permission	Description
Manage sites	Create, edit, and delete sites.
Manage skills	Create, edit, and delete skills and skill categories.
Manage teams	Create, edit, and delete teams and team tags.
Manage groups	Create, edit, and delete groups.
Manage project and client tags	Create, edit, and delete project and client tags.
Manage permission sets	Create, edit, and delete permission sets. Sensitive — anyone with this permission can grant themselves or others any level of access.
Manage company-wide settings	Manage and edit company-wide settings and tags.
Manage holiday calendars	Create, edit, and delete holiday calendars.
Manage expense settings	Manage expense categories and default expense settings.
Manage cards	Invite and remove users, manage their user attributes.
Manage integrations	Manage integrations.
Refresh integrations	Manually refresh integration data.
Import CSV files	Import new data using CSV files.

Common permission set patterns

The built-in permission sets (Admin, Employee, Manager) provide a starting point. Here's how to think about configuring sets for typical consulting roles:

Consultants (time tracking focus): Enable Hours and Timeline features. Set "Edit own" for time entries. Scope project and people visibility to what they're involved with. Disable financial visibility unless your organization shares margin data broadly. Disable all Administration permissions.

Project managers: Enable most features. Give project and allocation management for their projects. Enable revenue visibility. Consider whether they need cost visibility for margin decisions. Enable Edit approvals if they approve timesheets.

Staffing managers: Enable Timeline, Directory, Projects, People, and Positions features. Give full allocation and position management with "See all" for people and projects. Revenue visibility helps them understand rate implications when staffing.

Finance / invoicing team: Enable broad financial permissions — cost visibility, revenue visibility, invoice visibility, expense management. Give time entry visibility (needed to verify entries before invoicing). Disable allocation and position management unless they also staff projects.

External contractors: Minimal permissions. Enable Hours for time tracking. Scope everything to only their own projects and entries. Disable financial visibility, administration, and broad people/project visibility.

Executives (read-only oversight): Enable Reports, Projects, People, and Client features. Enable cost and revenue visibility. Disable all create/edit/delete and Administration permissions.

Data sensitivity considerations

Cost rates are derived from salaries. Broad cost visibility lets people infer compensation information.
Revenue visibility reveals client billing rates. Less sensitive than costs, but still commercially sensitive.
Manage permission sets is the most powerful admin permission — it enables self-escalation of access.
Import CSV files can create or modify data in bulk. Restrict to trusted admins.
Manage cards controls user account management — who can invite or remove users.

How to structure permissions to match your company culture – because tools have a way of strengthening or weakening your culture
Give team members access — creating user accounts and assigning permission sets
SSO: Entra ID — configuring single sign-on
How to add a new person — adding people and configuring their access