# HighLevel Permissions Observations

## Observed model

- Clear agency vs client workspace boundary and separate navigation.
- Snapshot education explicitly says visible to agency owners/admins.
- Client staff creation includes role selection, a “restrict data visibility to only assigned data” control, module-level enablement and granular actions.
- Granular examples: view vs manage workflows; view/manage contacts and bulk actions; calendar setup vs appointment management; opportunity value and pipeline creation; reporting/export; audit view/export; finance actions such as refund, collect payment, configure taxes, manage subscriptions and payouts.
- Permission copying exists, but the option count is extremely high and mixes navigation visibility with data access and dangerous actions.

## Risks

- Checkbox sprawl encourages over-privileged “Admin” access.
- Hidden dependency risk: a user may see a module but lack a prerequisite action, or receive access indirectly.
- Assigned-only visibility must apply consistently to search, exports, dashboards, APIs, automations and notification payloads.
- Agency support access to client workspaces requires explicit policy, logging and ideally time-limited elevation.
- Billing, refunds, exports, API/private integrations, user management and audit export need step-up controls.

## Recommended original model

- Default roles: Workspace Owner, Manager, Sales Rep, Service Rep, Scheduler, Finance, Analyst, Agency Support.
- Capabilities use `resource:action` with scopes `all`, `team`, `assigned`, `self`, `none`.
- Separate capabilities for view, create, edit, delete, export, send, publish, refund, manage access and manage secrets.
- Show an “effective access” preview and reason for every grant.
- Require MFA and recent reauthentication for permissions, billing, exports, secrets and destructive operations.
- Log actor, impersonation/elevation context, tenant, object, before/after diff, request origin and correlation ID.
