Klees ships five built-in roles that cover the operational reality of construction, cleaning, delivery, and other field-ops teams. Each has a default permission set, and most permissions can be tuned per company without writing a custom role.

The five roles

Role	Typical seat	Scope
Owner	Owner, founder, CEO	Everything including billing
Admin	Ops director, IT lead	Everything except billing
Manager	Site manager, ops manager	Approve time, run reports, publish schedules
Foreman	Crew lead, on-site foreman	Crew Clock, daily log, see own crew
Crew	Worker	Clock self, see own schedule and timesheet

Most teams find these five roles fit without modification. Enterprise supports custom roles built from the same permission set.

Permission matrix

The defaults below cover the most common actions. Every row is overridable per company.

Action	Owner	Admin	Manager	Foreman	Crew
Clock self in/out	Yes	Yes	Yes	Yes	Yes
Crew Clock (clock others)	Yes	Yes	Yes	Yes	No
Create jobs	Yes	Yes	Yes	No	No
Edit jobs	Yes	Yes	Yes	No	No
Set geofence	Yes	Yes	Yes	No	No
Approve timesheets	Yes	Yes	Yes	No	No
Edit time entries	Yes	Yes	Yes	No	No
Publish schedule	Yes	Yes	Yes	No	No
Run reports	Yes	Yes	Yes	Own crew	Own only
Export payroll	Yes	Yes	Yes	No	No
Manage users	Yes	Yes	No	No	No
Configure PinShot	Yes	Yes	No	No	No
View Live Map	Yes	Yes	Yes	Own crew	Self + same site
Connect integrations	Yes	Yes	No	No	No
Manage billing	Yes	No	No	No	No
View audit log	Yes	Yes	Manager scope	No	No

Notes on the defaults: Crew can only edit their own timesheet within the configured edit window (default 24 hours). Foreman sees their own crew on Live Map and Reports but cannot approve time. Manager has the broadest day-to-day footprint short of Admin. Only Owner can change billing.

Per-permission overrides

Each cell can be flipped per company in Settings → Roles. Common configurations:

Construction strict approval — remove “Edit time entries” from Manager
Cleaning foreman-led approval — grant “Approve timesheets” to Foreman scoped to own crew
Delivery dispatcher view — grant Manager full Live Map on Pro+
Multi-tenant ops — restrict Manager visibility via the tenant filter

Custom roles (Enterprise) start from any built-in role, toggle the full permission list, get a name, and are assigned to users.

Scoping rules

A permission can be granted at one of three scopes:

Scope	Meaning
Self	Only the user’s own records
Own crew	Records for users the role is responsible for
Org	All records in the company

For example, “Run reports — Foreman: Own crew” means a foreman can run reports filtered to their crew but cannot pull org-wide payroll.

The audit log

Every permission change, role assignment, time entry edit, PinShot review, and report export is recorded with who, what, when, where (IP + optional GPS), and a before/after diff. The log is filterable and exportable. Enterprise can stream to SIEM via the REST API. Retention defaults to 24 months; Enterprise extends to 7 years.

Scope by role

Manager — scopable to all, by region, by customer, or by tag. A Western Manager scoped to CA/NV/AZ sees three states and nothing else.
Foreman — implicit scope: crew members assigned on current and recent schedules. Reassignment shifts visibility automatically, avoiding stale access.
Crew — sees self. On Live Map, also sees workers on the same job — useful for “who’s already here?”

Common patterns

Read-only auditor — start from Crew, grant “Run reports” at org scope
Payroll-only — start from Admin, toggle off everything except payroll export and reports
Owner-as-billing-only — set up two Admins; Owner only logs in for billing

For SSO/SAML role mapping on Enterprise, see Security and Compliance.