Table of Contents

⚡ Quick Summary

Most GHL accounts give too many people too much access — and it's only a matter of time before something breaks. GoHighLevel has four role types (Agency Admin, Agency User, Account Admin, Account User) and granular permission toggles that let you control exactly what each team member sees. Set roles based on job function, audit your user list every quarter, and keep automation and settings access limited to two or three trusted people.

🎯 Key Takeaways

  • Never give a new hire Agency Admin access u2014 start them at Account User with only the permissions their job actually requires
  • The four GHL role types are Agency Admin, Agency User, Account Admin, and Account User u2014 each scopes access to a different level of the platform
  • Custom permission toggles inside Account User roles let you control access to 10+ feature categories including Contacts, Automations, Reporting, and Settings independently
  • Always disable the Settings tab for standard Account Users u2014 it contains API keys, integrations, and billing details that most team members have no reason to access
  • Audit your user list every 90 days: remove inactive contractors, downgrade anyone whose role has changed, and verify no one has more access than their current job requires
  • Restricting contact export permissions protects your database if a team member leaves u2014 they can work contacts daily without being able to bulk-download your entire list
  • White-labeled GHL combined with scoped Account User permissions creates a clean client experience u2014 clients log in and see only the tools relevant to their sub-account

🔍 In-Depth Guide

Understanding the Four Core GHL User Role Types

GoHighLevel has four roles you'll work with regularly. Agency Admin has complete control u2014 billing, white-label settings, creating new sub-accounts, everything. This should be limited to the business owner and maybe one trusted ops manager. Agency User can access sub-accounts assigned to them but can't touch agency-level settings like SaaS configurator or billing. Account Admin has full access within a specific sub-account u2014 they can edit workflows, manage contacts, change settings. Account User is where it gets interesting: their access is completely customizable. You decide exactly what they can see and touch. In a Dubai real estate agency I worked with, we had 12 sales agents all set up as Account Users with Contacts and Opportunities enabled, but Automations, Settings, and Reporting locked. They could work their pipeline all day without ever accidentally breaking a workflow. That's the setup that lets you delegate confidently.

How to Set Custom Permissions for Account Users Step by Step

Go to your sub-account, then Settings > My Staff > Add Employee or click an existing user. Set their role to User (not Admin). Once saved, you'll see a permissions panel with toggle switches grouped by feature category. The main categories are: Dashboard, Contacts, Conversations, Calendars, Opportunities, Marketing, Sites, Memberships, Reputation, Reporting, and Settings. Each has sub-toggles. Under Contacts, for example, you can allow viewing but block exporting u2014 critical if you're worried about a team member walking out the door with your entire database. Under Settings, I always disable everything for standard users; there's no reason a sales rep needs access to API keys or integrations. For a course delivery team member at sawankr.com, I keep Marketing and Memberships enabled but everything else off. Takes about 3 minutes per user and saves enormous headaches later. Always click Save after every permissions change u2014 GHL doesn't auto-save this panel.

The Most Dangerous Permission Mistakes I See Agencies Make

The number one mistake: giving every new hire Account Admin access because it's easier than thinking through permissions. The second mistake is forgetting to restrict the Reporting tab. Detailed pipeline revenue reports are visible under Reporting, and if you have clients in a multi-location setup, you don't want one client's team seeing another's numbers. Third mistake u2014 and this one stings u2014 is not auditing your user list every 90 days. I had a client in Dubai who had 23 active users in a sub-account. Six of them were contractors who hadn't worked with the business in over a year. All still had Account Admin access. That's 6 open doors to your CRM, your automations, your conversations. My recommendation: set a recurring calendar reminder every quarter to go to Settings > My Staff and review who still needs what access. Remove anyone who's no longer active. Downgrade anyone whose role has changed. Permissions rot just like everything else in a business u2014 it needs maintenance.

📚 Article Summary

Most GoHighLevel accounts I see are a permissions disaster waiting to happen. Every team member has admin access. The VA from the Philippines can delete workflows. The new sales rep can see the agency’s billing details. I’ve watched businesses lose entire contact databases because someone clicked the wrong button — and it was entirely preventable. Getting your user roles right in GoHighLevel is not optional. It’s the foundation of a system you can actually scale.GoHighLevel separates access into two levels: the Agency level and the Sub-Account (Location) level. At the agency level, you have Agency Admins and Agency Users. At the sub-account level, you have Account Admins and Account Users. Here’s what most people miss — these aren’t just labels. Each role comes with a completely different set of capabilities, and you can further customize permissions within each role. That’s where the real control lives.In my experience training agencies in Dubai, the most common setup I see is one Agency Admin (the business owner), one or two Account Admins per sub-account (usually team leads), and everyone else as Account Users with custom permissions toggled based on their actual job. A copywriter doesn’t need pipeline access. A sales rep doesn’t need to touch automations. A client on a white-labeled account should never see the Settings tab at all. Mapping roles to job functions — not just handing out admin access to avoid the question — is what separates a professional GHL setup from a chaotic one.What makes GHL’s permission system genuinely useful is the granular toggle controls inside Account User roles. You can allow or restrict access to Contacts, Conversations, Opportunities, Marketing, Sites, Reporting, and Settings independently. I always tell my clients: build your team’s GHL access the same way you’d hand out keys to an office building. The cleaner gives access to the lobby and maintenance rooms. The accountant gets the finance floor. Nobody gets a master key unless they absolutely need it — and even then, you log who has it.

❓ Frequently Asked Questions

Agency Admin has access to the top-level agency dashboard, including billing, SaaS configurator, white-label settings, and the ability to create or delete sub-accounts. Account Admin has full access only within a specific sub-account u2014 they can't see other sub-accounts or touch agency-level settings. For most team members, Account Admin or a custom Account User role is appropriate. Reserve Agency Admin strictly for the business owner or a senior ops lead.
Yes, but with a nuance. Conversations in GHL are tied to contacts, so a user with Conversations access will still see contact names and phone numbers within the conversation thread. What you can restrict is direct access to the Contacts tab u2014 meaning they can't browse, search, export, or bulk-manage your contact database. Go to Settings > My Staff, select the user, and toggle Contacts off while keeping Conversations on. This is a common setup for appointment setters who need to handle inbound messages but shouldn't be exporting your list.
Inside your sub-account, go to Settings > My Staff > Add Employee. Enter their name, email, and set the role to User (not Admin). After they accept the invitation and log in, return to their profile in My Staff and configure the permission toggles. You'll see category-level controls for Contacts, Opportunities, Marketing, Sites, and more. Disable everything they don't need. The invitation email comes from your white-labeled domain if you have that set up, which keeps the client-facing experience professional.
Only if you explicitly grant access. An Agency User role can be assigned to multiple sub-accounts, but they only see the ones you've given them. Account Admins and Account Users are scoped entirely to their own sub-account by default. If you're running a multi-client setup u2014 which is exactly how we structure things for real estate agencies with multiple offices u2014 this isolation is one of GHL's strongest features. Each client's team member sees only their data.
To build and edit workflows, a user needs either Account Admin access, or a custom User role with the Automations permission enabled. Inside the Automations toggle, you can allow view-only or full edit access. I strongly recommend limiting automation editing to Account Admins or a designated automation specialist u2014 one bad workflow trigger can spam thousands of contacts or delete pipeline stages. I've seen it happen. Keep workflow editing access in the hands of two or three trusted people maximum, regardless of team size.
Yes u2014 this is what the Account User role is built for, especially combined with white-labeling. Set the client up as an Account User in their sub-account, disable Settings entirely (so they don't see API keys or integrations), and restrict any reporting or marketing tools that aren't relevant to them. If you have the white-label desktop app set up, their login URL will show your brand, not GoHighLevel's. Combined with custom navigation (available in agency settings), you can build a very clean, scoped experience that shows clients only what they paid for.
GoHighLevel does not cap the number of users per sub-account on standard plans. You can add as many team members as needed. However, on SaaS plans where you're billing clients per user or per seat, check your plan configuration in the SaaS Configurator u2014 you may have set limits there. For the agency plan itself, there's no published user limit, and in practice I've worked with sub-accounts running 30+ users without any issue.
Sawan Kumar

Written by

Sawan Kumar

I'm Sawan Kumar — I started my journey as a Chartered Accountant and evolved into a Techpreneur, Coach, and creator of the MADE EASY™ Framework.

Free Mini-Course

Want to master AI & Business Automation?

Get free access to step-by-step video lessons from Sawan Kumar. Join 55,000+ students already learning.

Start Free Course →

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here