## Why It Matters

Setting someone up shouldn't mean thinking through every product one by one. A **role** is a one-click answer to "what is this person here to do?" — pick it, and Kit pre-fills their access to match. You can still fine-tune every product afterward: roles suggest, they don't lock.

## The Roles

| Role | Who it's for |
|------|--------------|
| **Admin** | Full access to everything — every product, plus billing, team management, security settings, and integrations. |
| **Billing Admin** | Manages the subscription and billing, without access to the product modules. Ideal for finance staff. |
| **Security Analyst** | Runs the Security module and manages security settings like SSO and API access. |
| **Recruiter** | Full access to Hiring. |
| **Growth** | Full access to Outreach. |
| **Trainer** | Full access to Training. |
| **Member** | The default. No special access — grant per-module levels as needed. |

Two things worth knowing:

- **Only Admins manage the account itself.** Billing, team membership, and account settings stay with Admins — with two deliberate exceptions: a Billing Admin can manage billing, and a Security Analyst can manage security settings. The other roles are product roles; they don't unlock any account settings.
- **Existing members aren't affected.** Everyone keeps the role that matches what they had: account admins are **Admins**, everyone else is a **Member**.

## Assigning a Role

Go to **Settings → Team**, open a member, pick a role from the radio cards, and save — the role and its module levels are saved together. You can also assign roles from the **Modules** matrix, using the role picker on each member's row.

When you assign a role, Kit pre-fills the member's access levels for Hiring, Security, Outreach, and Training to sensible defaults for that role — a Recruiter gets Hiring, a Trainer gets Training, a Billing Admin gets none of the products.

## Roles Suggest, They Don't Lock

The pre-filled levels are a starting point, not a cage. After assigning a role, open any cell in the [Modules matrix](/docs/team-access-control) and change it — the override sticks. A Recruiter who also helps with Training? Give them the Recruiter role, then add Training access. Changing the role later re-suggests levels for the new role; anything you want to keep different, just set again.
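
Because overrides stick, a member's role label alone does not tell you what they can reach. The following added example (not Kit's own code or API) models the pre-fill, override, and re-suggest behaviour described above and lists every member whose levels differ from their role's defaults. The level names `full`/`none`, the Security Analyst default, and the roster format are assumptions.

```python
# Added example: a model of role presets for access reviews, not Kit's implementation.
MODULES = ("hiring", "security", "outreach", "training")

def _preset(*full):
    """Build a level map: 'full' for the named modules, 'none' for the rest (assumed level names)."""
    return {m: ("full" if m in full else "none") for m in MODULES}

ROLE_DEFAULTS = {
    "Admin": _preset(*MODULES),
    "Billing Admin": _preset(),               # none of the products
    "Security Analyst": _preset("security"),  # assumed level for "runs the Security module"
    "Recruiter": _preset("hiring"),
    "Growth": _preset("outreach"),
    "Trainer": _preset("training"),
    "Member": _preset(),
}

def assign_role(member, role):
    """Assigning or changing a role re-suggests all levels; earlier overrides are replaced."""
    member["role"] = role
    member["levels"] = dict(ROLE_DEFAULTS[role])
    return member

def override(member, module, level):
    """A manual change to one cell; it persists until the role is changed again."""
    if module not in MODULES:
        raise ValueError(f"unknown module: {module}")
    member["levels"][module] = level
    return member

def audit(roster):
    """Return (name, role, module, role_default, actual) for every level that differs from the role default."""
    findings = []
    for m in roster:
        expected = ROLE_DEFAULTS[m["role"]]
        for module in MODULES:
            if m["levels"][module] != expected[module]:
                findings.append((m["name"], m["role"], module, expected[module], m["levels"][module]))
    return findings

def build_sample_roster():
    """Constructed sample data: two members with overrides, one on pure role defaults."""
    dana = override(assign_role({"name": "dana"}, "Recruiter"), "training", "full")
    lee = assign_role({"name": "lee"}, "Billing Admin")
    sam = override(assign_role({"name": "sam"}, "Member"), "security", "full")
    return [dana, lee, sam]

if __name__ == "__main__":
    for finding in audit(build_sample_roster()):
        print(finding)
```

Each finding is a deliberate exception to confirm with the member's manager during an access review; a Member row with product access is where most of them will appear.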

> [!TIP]
> **Start from a role, then fine-tune.** Picking the closest role and adjusting one or two products is faster and less error-prone than building someone's access from scratch — and it keeps similar people set up consistently.

> [!NOTE]
> A role changes what someone *can reach*, not what they're assigned to. Per-item assignments — like restricted job postings or report ownership — still work exactly as described in [Team Access Control](/docs/team-access-control).

## Quick Checklist

- [ ] When inviting someone new, pick the role that matches their job before anything else
- [ ] Fine-tune individual product levels only where the role's defaults don't fit
- [ ] Reserve **Admin** for people who genuinely manage the account
- [ ] Use **Billing Admin** for finance staff instead of making them full Admins
- [ ] After changing someone's role, glance at their access page to confirm the levels look right