When you invite someone to BookHero, picking the role is not cosmetic. It decides which pages they can open, which buttons they can press, and which data the app will accept saving when they touch it. The system uses the role to choose the landing page after login, and every server action checks the permission before reaching the database. In short: the role is the real boundary, not just a label.
This guide maps each of the 4 roles (owner, manager, employee, basic) with the exact permissions it has in BookHero today. It will give you the level of detail you need to answer when someone on your team asks 'why can I not see this?', and to make a good call when inviting new people.
The 4 roles in one line
Before we go deeper into each one, here are the 4 boxes in short form. Note that only the owner is unique per business; the other 3 roles can be assigned to as many people as you want.
- Owner: business owner. Unique per business. Sees everything, edits everything, including billing, ownership transfer, and account deletion.
- Manager: right hand. Almost everything the owner can do, except billing, critical security, and ownership. Good for someone who helps run the place but does not pay the subscription.
- Employee: the default role for people who deal with clients. Sees the full calendar, creates bookings, runs checkout, sees their own commissions and personal report. Does not touch settings, team, or billing.
- Basic: minimum access. Only sees their own calendar, no editing. Useful for collaborators who just need to check their daily schedule.
Owner: everything, including the red button
The owner is the account that created the business. There is exactly one owner per business and that link lives in businesses.owner_id. The role is not inherited: to pass it to someone else you need an explicit ownership transfer, which is the only path for anyone else to take this role.
Manager: full trust, without touching the card
The manager role is for the person who runs the day to day but does not own the business: your operations partner, salon coordinator, shop lead. They have all the management buttons (team, settings, commissions, public page, reports) except the three that involve money or ownership.
Employee: the default for client-facing staff
Employee is the role you will use the most. Think of it as 'the person behind the counter or the chair': sees the full calendar, creates bookings, runs checkout, handles clients, sees the personal report and their own commissions. Does not access business settings, team management, billing, or aggregated reports.
Basic: read-only on their own schedule
Basic is the most restricted role in BookHero. It is designed for someone who only needs to know which days and hours they work, with no editing. Think intern, occasional weekend collaborator, or an external collaborator who performs services now and then and just wants to see their own agenda.
The complete matrix: all roles side by side
This table is the definitive version. Each row is a permission that BookHero checks before accepting an action. A check means the role has the permission; a cross means the system blocks the action (it redirects to the role's landing page, with no visible error).
| Action / permission | Owner | Manager | Employee | Basic |
|---|---|---|---|---|
| See own calendar | ||||
| See full team calendar | ||||
| Create and cancel bookings | ||||
| Run checkout at the counter | ||||
| See and edit clients | ||||
| Edit business settings | ||||
| Edit public page | ||||
| Invite and remove employees | ||||
| Manage team schedules | ||||
| See all reports | ||||
| See personal report | ||||
| Manage team commissions | ||||
| See own commissions | ||||
| Access Billing and invoices | ||||
| Transfer business ownership | ||||
| Delete the business | ||||
How BookHero enforces permissions
Not just by hiding buttons in the UI. Every server action and every protected page calls a guard function on the server before doing anything. If the current role does not have the permission, the request is redirected to the role's landing page (calendar for those who can see it, /dashboard/help for those who cannot). The protection is layered the same way everywhere: hidden UI, guarded route, validated server action.
- The sidebar shows only items the role can open, so you do not get the false impression that access exists.
- Each protected page calls requirePermission at the top: if it fails, it redirects without a visible 403.
- Each server action that mutates data checks the permission again: the server never trusts the UI.
- When you change someone's role, the change is instant: on the next request the user already sees (or stops seeing) what the new role allows.
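The enforcement model described above, sketched as an added example (not BookHero's own code): a deny-by-default guard that reads the role from stored state on every call, plus a mutating action that checks again. The signature of requirePermission, the permission names other than viewAllCalendars and viewOwnCommissions, the setMemberRole action, the calendar path placeholder and the sample data are assumptions.

```javascript
// Names taken from the page: requirePermission, viewAllCalendars, viewOwnCommissions,
// businesses.owner_id, team_members, /dashboard/help. Everything else is hypothetical.
const GRANTS = {
  owner: ["viewOwnCalendar", "viewAllCalendars", "viewOwnCommissions", "viewAllReports", "manageTeam", "accessBilling"],
  manager: ["viewOwnCalendar", "viewAllCalendars", "viewOwnCommissions", "viewAllReports", "manageTeam"],
  employee: ["viewOwnCalendar", "viewAllCalendars", "viewOwnCommissions"],
  basic: ["viewOwnCalendar", "viewOwnCommissions"],
};
const CALENDAR_PAGE = "<calendar-page>"; // placeholder: the page does not give this path
const HELP_PAGE = "/dashboard/help";

// Constructed in-memory stand-in for the businesses and team_members tables.
const db = {
  businesses: [{ id: "b1", owner_id: "u-owner" }],
  team_members: [
    { business_id: "b1", user_id: "u-ana", role: "employee" },
    { business_id: "b1", user_id: "u-leo", role: "basic" },
  ],
};
const findMember = (businessId, userId) =>
  db.team_members.find((m) => m.business_id === businessId && m.user_id === userId);

// Role is read from stored state on every call, never cached in the session.
function currentRole(userId, businessId) {
  const biz = db.businesses.find((b) => b.id === businessId);
  if (biz && biz.owner_id === userId) return "owner";
  const member = findMember(businessId, userId);
  // Unknown role strings (including "constructor" and the like) resolve to no role.
  return member && Object.keys(GRANTS).includes(member.role) ? member.role : null;
}

// Deny by default; a failure carries a redirect target rather than a 403.
function requirePermission(userId, businessId, permission) {
  const role = currentRole(userId, businessId);
  if (role && GRANTS[role].includes(permission)) return { ok: true, role };
  const canSeeCalendar = role !== null && GRANTS[role].includes("viewOwnCalendar");
  return { ok: false, redirect: canSeeCalendar ? CALENDAR_PAGE : HELP_PAGE };
}

// Mutating action: re-checks the caller even if the page that rendered the form did.
function setMemberRole(actorId, businessId, targetId, newRole) {
  const guard = requirePermission(actorId, businessId, "manageTeam");
  if (!guard.ok) return guard;
  const member = findMember(businessId, targetId);
  // "owner" is never assignable here: the page says it changes only via ownership transfer.
  if (!member || newRole === "owner" || !Object.keys(GRANTS).includes(newRole))
    return { ok: false, error: "invalid target or role" };
  member.role = newRole;
  return { ok: true };
}
```

Because the guard resolves the role on each call, a promotion or demotion written by setMemberRole is reflected by the very next requirePermission call for that user.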
Changing the role later
Roles are not fixed. In Team, open any member's profile and you will find the role selector. Switching from 'employee' to 'manager' (or the other way) is instant and does not require signing out and back in. The owner is the only exception: to change it, you need the formal ownership transfer flow.
Frequently asked questions about roles
Can the owner grant custom permissions to a specific person (for example, let one employee see all reports)?
No. Permissions are per role, not per person. There are no individual toggles today. If you need someone to see every report, that person needs the 'manager' role. This is a deliberate choice: it simplifies the 'who can do what' audit and avoids the usual pitfalls of fine-grained permission matrices.
Can I have two owners on the same business?
No. The owner is unique, stored in businesses.owner_id, and only changes via an explicit transfer. If you want to give your partner equivalent access, grant them 'manager': they can do almost everything except billing, ownership transfer, and account deletion. To hand over ownership for good (and the billing responsibility), start the transfer in Security.
Can an employee see coworkers' bookings?
Yes. Employees have 'viewAllCalendars' on, meaning they see the full calendar with every team column. This is deliberate: in a counter-driven shop, seeing what coworkers have booked prevents clashes (for instance, clients waiting for a specific coworker). Only the 'basic' role is restricted to their own calendar.
What about commissions? Can an employee see how much coworkers earn?
No. Employees and basics only have 'viewOwnCommissions': they see their own commissions only, with no detail of coworkers'. The aggregated commission reports (including service-by-service attribution) are reserved for owner and manager.
When I promote someone from 'employee' to 'manager', do they have to log out and back in for the change to take effect?
No. The change is instant. On the next request from that user, BookHero recomputes permissions from the current role in team_members and the sidebar starts showing the new options. If the user is on a page they can no longer see (a demotion scenario), they get redirected to their landing page.
Can I remove the owner role without transferring it to someone else?
No. The owner only leaves the business through one of two paths: transferring ownership to another account (which becomes the new owner) or deleting the business. There is no 'business with no owner' state because billing needs an accountable account. For the details, see /blog/export-transfer-and-delete-account.
Up next in the help center
Now that you know who can do what, these guides round out the picture:
- Add employees and individual schedules: invite, assign services, set hours.
- Configure team commissions: per-service or per-product rules, per employee, with priorities.
- Export, transfer, and delete your account: the only path to a new owner and what happens when you delete.