Roles & Permissions

Create roles and configure granular permissions to control what each user can access.

Overview

Roles define what users can see and do in Forz. Each user is assigned exactly one role. Permissions are grouped by feature (called a "policy" in Forz) and toggled individually. Forz ships with default system roles (Admin, Worker) and lets you create custom roles to match your organization's structure — for example, a "Dispatcher" role that can manage jobs and schedules but cannot change billing settings.

Before You Begin

Prerequisites:
You have the Admin role (or master admin access).
The Custom Roles module is enabled (Settings > Modules).

System Roles

Forz creates two default system roles when your account is set up:

Admin — full access to all features. This role is locked and cannot be edited or deleted. Every account must have at least one Admin user.
Worker — limited access intended for field technicians. This role is a default but is hidden from the roles list in Settings.

Warning: System roles (Admin and Worker) cannot be viewed in the role editor, renamed, or deleted. To customize permissions for technicians or other staff, create a custom role.

Creating a Custom Role

Click Settings in the sidebar navigation.

Click the Custom Roles tab.

Click + New Role.

Enter a Display Name for the role (e.g., "Dispatcher", "Office Manager", "Foreman"). Role names must be unique within your account.

Click Save.

Expected result: Forz creates the role with all permissions disabled. The role editor opens so you can toggle individual permissions.

Note: New roles start with zero permissions. You must enable each permission the role needs. This prevents accidental over-granting of access.

Configuring Permissions

Permissions are organized by policy group (feature area). Each group contains individual actions you can enable or disable.

Open the role you want to configure (click its name in the Custom Roles list).

Permissions are displayed in groups (e.g., "Jobs", "Customers", "Invoices", "Calendar").

Click the toggle next to any individual permission to enable or disable it.

Expected result: The permission updates immediately. All users assigned to this role see the change on their next page load (the permissions cache is invalidated automatically).

Tip: Review permissions from top to bottom within each group. Typical groups include actions like "View", "Create", "Edit", and "Delete". Most roles need at least "View" enabled for the features they use.

Cloning a Role

When you need a new role similar to an existing one, clone it to save time.

Open the role you want to copy.

Click the Clone button.

Enter a Display Name for the new role.

Click Save.

Expected result: Forz creates a new role with the same permissions as the original. You can then adjust individual permissions on the clone without affecting the source role.

Editing a Role Name

Open the role from the Custom Roles list.

Click Edit.

Change the Display Name.

Click Save.

Expected result: The role name updates everywhere it appears, including on user profiles. The role_name field on each user assigned to this role updates the next time the user record is saved.

Warning: You cannot rename or edit locked roles. The Admin role is always locked. Roles marked as default can be renamed but not deleted if users are assigned to them.

Deleting a Role

Open the role from the Custom Roles list.
Click Delete.

Expected result: The role is removed from the system.

Warning: You can only delete a role if: it is not locked, it is not a default system role, and no users are currently assigned to it. Reassign all users to a different role before deleting.

What Happens After Changing Permissions

When a role's permissions are updated, Forz automatically:

Invalidates the permissions cache — every user on that role gets fresh permission checks on their next request.
Invalidates sidebar caches — if role-based sidebar visibility changed, users see updated navigation items.
Applies immediately — no logout/login required; changes take effect on the next page load.

Common Scenarios

Creating a "Dispatcher" role for office staff

Your office coordinator needs to create and schedule jobs, manage customers, and view the calendar, but should not access billing or account settings.

Go to Settings > Custom Roles and click + New Role.
Name it "Dispatcher".
Enable permissions: Jobs (View, Create, Edit), Customers (View, Create, Edit), Calendar (View), Route Planner (View, Create), and Schedule Suggestions (View).
Leave Invoices, Payments, Estimates, and Settings permissions disabled.
Assign the dispatcher user to this role in Settings > Users.

Setting up a read-only "Auditor" role

An external auditor needs view-only access to jobs, invoices, and reports for a compliance review.

Create a new role named "Auditor".
Enable only "View" permissions for Jobs, Invoices, Custom Reports, and Dashboards.
Leave all Create, Edit, and Delete permissions disabled.
Create a user account for the auditor and assign this role.

Cloning a role for a new team

Your plumbing division needs the same permissions as your HVAC dispatchers, but with access to the Devices module added.

Open the "HVAC Dispatcher" role and click Clone.
Name the clone "Plumbing Dispatcher".
Enable the Devices permissions (View, Create, Edit) on the new role.

Troubleshooting

Problem	Solution
"Custom Roles" tab is not visible in Settings	The Custom Roles module must be enabled on your account. Contact your account admin or support to enable it.
Cannot edit or delete a role	The role is either locked (system role like Admin) or has users assigned. Check if the lock icon appears next to the role name. Reassign users before deleting.
User reports they cannot access a feature after role change	Open the role in Settings > Custom Roles and verify the relevant permissions are enabled. Permission changes apply on the next page load — ask the user to refresh their browser.
Role name already exists error	Role display names must be unique within your account (case-insensitive). Choose a different name.