User Roles and Permissions
MONTON supports five distinct user roles, each with specific permissions and access levels to different features and sections.
Roles Overview
| Role | Description |
|---|---|
| ADMIN | Full access to all features and settings |
| MANAGER | Management access with some restrictions on financial and admin features |
| SALES | Manager permissions plus full CRM access (including Deals) |
| CONTRIBUTOR | Standard user with access to assigned work and time tracking |
| GUEST | Limited access, primarily for viewing assigned tasks |
Role Types
ADMIN
Full Administrative Access
Administrators have complete access to all features and can manage the entire organization.
Permissions:
- Full access to all sections and features
- Organization settings management
- User management and role assignment
- Financial data access (Invoices, Cost Rates)
- Administrative settings and billing
- All CRM, project, and reporting features
Access to:
- All protected routes
- Admin settings (/protected/admin/settings)
- Admin billing (/protected/admin/billing)
- Organization management
- User invitation and management
- Cost rates and financial data
- All reporting features including Project P&L
MANAGER
Management Level Access
Managers have access to most features except sensitive administrative and financial functions.
Permissions:
- Project and team management
- CRM features (clients, contacts) - excluding Deals
- Time tracking, approvals, and licenses
- Reporting (except Project P&L)
- User invitation capabilities
- Assignation, Milestones, Utilization, Resourcing
Restricted from:
- Cost rates (/protected/people/cost-rates)
- Invoices (/protected/financials/invoices)
- Admin settings (/protected/admin/settings)
- Admin billing (/protected/admin/billing)
- Deals management (/protected/crm/deals)
- Project P&L reports
SALES
Sales Level Access
Sales users have Manager-level permissions plus full CRM access, including Deals management.
Permissions:
- All Manager permissions
- Full CRM access including Deals
- Project and team management
- Time tracking, approvals, and licenses
- Reporting (except Project P&L)
- User invitation capabilities
Restricted from:
- Cost rates (/protected/people/cost-rates)
- Invoices (/protected/financials/invoices)
- Admin settings (/protected/admin/settings)
- Admin billing (/protected/admin/billing)
- Project P&L reports
CONTRIBUTOR
Standard User Access
Contributors are regular team members with access to core functionality needed for daily work.
Permissions:
- Personal timesheet management
- Project and task participation
- Calendar and pipeline access
- Project staffing and budget views
- Basic reporting (General Reports, Time Report, Timesheet Report)
- Licenses management
- User invitation capabilities
Restricted from:
- Cost rates and financial data
- Team management features
- Administrative functions
- Assignation, Project KPIs, Project P&L, Milestones, Utilization, Resourcing reports
- Time approvals
- CRM features (clients, contacts, deals)
- Experimental features
Limited access to:
- Only projects where they are assigned
- Personal settings and profile
GUEST
Limited Access
Guests have the most restricted access, typically for external collaborators or clients.
Permissions:
- View assigned projects only
- View assigned tasks
- Basic profile management
Restricted from:
- Time tracking and timesheets
- All reporting features
- Team management
- User invitations
- CRM features
- Administrative functions
- Financial data
- Pipeline, Calendar, Inbox
- Project staffing, budget, and summary sections
- Experimental features
Permissions Matrix
| β = Access Allowed | β = Access Blocked |
Admin & Settings
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Admin Settings | β | β | β | β | β |
| Admin Billing | β | β | β | β | β |
CRM
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| CRM Clients | β | β | β | β | β |
| CRM Contacts | β | β | β | β | β |
| CRM Deals | β | β | β | β | β |
People
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Team Management | β | β | β | β | β |
| Cost Rates | β | β | β | β | β |
Financials
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Invoices | β | β | β | β | β |
Reporting
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Reports (General) | β | β | β | β | β |
| Assignation | β | β | β | β | β |
| Project KPIs | β | β | β | β | β |
| Project P&L | β | β | β | β | β |
| Milestones | β | β | β | β | β |
| Utilization | β | β | β | β | β |
| Resourcing | β | β | β | β | β |
| Time Report | β | β | β | β | β |
| Timesheet Report | β | β | β | β | β |
Time Management
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Timesheet | β | β | β | β | β |
| Licenses | β | β | β | β | β |
| Approvals | β | β | β | β | β |
Work
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Projects | β | β | β | β | β |
| Tasks | β | β | β | β | β |
| Pipeline | β | β | β | β | β |
| Calendar | β | β | β | β | β |
| Invite | β | β | β | β | β |
| Project Staffing | β | β | β | β | β |
| Project Budget | β | β | β | β | β |
Other
| Route | ADMIN | MANAGER | SALES | CONTRIBUTOR | GUEST |
|---|---|---|---|---|---|
| Inbox | β | β | β | β | β |
| Experimental* | β | β | β | β | β |
*Experimental features are also restricted by organization. Only specific organizations have access.
Role Hierarchy Summary
ADMIN (Full Access)
├── MANAGER (No: Cost Rates, Invoices, Admin, Deals, Project P&L)
├── SALES (Manager + Full CRM including Deals)
├── CONTRIBUTOR (No: Team Mgmt, CRM, Most Reports, Approvals)
└── GUEST (Assigned tasks/projects only)
Key Differences
SALES vs MANAGER
- SALES has full CRM access including Deals
- MANAGER cannot access Deals
CONTRIBUTOR vs MANAGER
- CONTRIBUTOR cannot access:
- Team Management
- Any CRM features
- Most reporting features (only General Reports, Time Report, Timesheet Report)
- Time Approvals
- Experimental features
GUEST Limitations
- Can only view assigned projects and tasks
- No access to time tracking, reports, CRM, or administrative features
- Cannot access pipeline, calendar, inbox, or project staffing/budget
Role-Based Route Protection
The application uses middleware to enforce role-based access control:
- Route Protection: Users are automatically redirected if they try to access unauthorized sections
- Default Fallback: Users without explicit roles default to CONTRIBUTOR level
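The route check described above, as an added example (not MONTON's own middleware code): it models only the restricted routes whose paths appear on this page, applies the CONTRIBUTOR default for missing or unknown roles, and normalizes the path before matching. The names `RESTRICTED`, `resolveRole`, `normalizePath` and `canAccess` are hypothetical, and case-insensitive matching is an assumption.

```javascript
// Added example; all identifiers here are hypothetical, not MONTON's API.
const ROLES = ["ADMIN", "MANAGER", "SALES", "CONTRIBUTOR", "GUEST"];

// Restricted route prefixes copied from the role lists on this page.
const FINANCE_ADMIN = [
  "/protected/people/cost-rates",
  "/protected/financials/invoices",
  "/protected/admin/settings",
  "/protected/admin/billing",
];
const DEALS = "/protected/crm/deals";

const RESTRICTED = {
  ADMIN: [],
  MANAGER: [...FINANCE_ADMIN, DEALS],
  SALES: FINANCE_ADMIN, // SALES keeps Deals access
  CONTRIBUTOR: [...FINANCE_ADMIN, DEALS],
  GUEST: [...FINANCE_ADMIN, DEALS],
};

// Page rule: users without an explicit role default to CONTRIBUTOR.
function resolveRole(role) {
  return ROLES.includes(role) ? role : "CONTRIBUTOR";
}

// Resolve "." and ".." segments, collapse duplicate slashes, drop the
// trailing slash and lowercase, so equivalent spellings of a path compare
// equal. Assumes rawPath is a request path beginning with "/".
function normalizePath(rawPath) {
  const { pathname } = new URL("http://placeholder.invalid" + rawPath);
  const clean = pathname.replace(/\/{2,}/g, "/").replace(/\/+$/, "");
  return clean.toLowerCase() || "/";
}

// True when the role may open the path. A restricted prefix also covers
// everything beneath it; matching stops at a segment boundary.
function canAccess(role, rawPath) {
  const path = normalizePath(rawPath);
  return !RESTRICTED[resolveRole(role)].some(
    (prefix) => path === prefix || path.startsWith(prefix + "/")
  );
}
```

A middleware built on this would redirect whenever `canAccess` returns `false`; the redirect target is not given on this page.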
Role Assignment
- Organization Creator: Automatically assigned ADMIN role
- Invited Users: Default to CONTRIBUTOR role unless specified otherwise
- Role Changes: Only ADMIN users can modify user roles
- Guest Users: Must be specifically invited with guest-level access