Set up user permissions and roles

Control what each team member can access in Caspen.

Overview

Roles and permissions determine what users can see and do inside your Caspen workspace. Setting these correctly helps protect client privacy, keeps financial information secure, and ensures staff only access what they need to perform their job.

Understanding the account owner

When someone first signs up to Caspen, they automatically become the account owner. This person sits above all other roles and has a unique level of access that cannot be removed unless ownership is transferred to another user.

The account owner is still assigned a standard role (i.e. Practitioner Admin) to determine what they can see and do day-to-day. Account ownership is an extra layer of authority on top of that role, granting access to security-sensitive areas like billing, permissions and API keys.

Key Characteristics

  • There can only ever be one account owner per workspace.

  • Ownership is not a permission you assign; it exists automatically.

  • The owner can transfer ownership, but it must be done intentionally.

  • The owner is typically someone legally responsible for the business.

Account-owner–only access

The following areas are exclusive to the account owner. No other role, including Practitioner Admins, can access or modify these areas unless ownership is transferred.

  • User permissions

  • Create and manage API keys

  • Subscription & billing


Default user roles

Caspen provides a set of pre-defined roles based on common allied health practice responsibilities. Each role has a default permission set so your team can begin working without configuration. These defaults balance privacy, compliance, and usability.

Roles at a glance:

  • Practitioner Admin (billed)

  • Practice Manager (not billed)

  • Practitioner (billed)

  • Receptionist (not billed)

  • Accountant (not billed)

Role availability in calendars

Only Practitioner and Practitioner Admin roles have their own calendar in Caspen. These roles represent billable clinicians and therefore appear in calendars, online bookings, and waitlists. Other roles support the workflow and do not have a calendar.

The table below provides a high-level summary of each role, who it’s designed for, and how it functions within your Caspen workspace.

| Role | Billed? | Best suited for | Summary of access |
| --- | --- | --- | --- |
| Practitioner Admin | Yes | Practising business owners, senior clinical leads, business directors. | Full access to the workspace (excluding owner-only pages). |
| Practice Manager | No | Operational or practice managers who do not see clients. | Manage operations, client appointments, billing, reporting and settings (no clinical notes or letters access unless enabled). |
| Practitioner | Yes | Allied health clinicians delivering client services. | Access only to their own clients, notes, appointments and billing by default. |
| Receptionist | No | Front desk support and administrative support staff. | Manage bookings, clients and invoices with limited settings (no access to clinical notes or letters by default). |
| Accountant | No | Bookkeeping and finance professionals. | Access to invoices, payments, tax, integrations and financial reports. |


Role details

Practitioner Admin

This role combines clinical access with administrative control. Designed for high-trust users who need visibility across the entire workspace.

Best for: Practice owners who also see clients, clinical directors, team leaders

Default access includes:

  • All clients and practitioner calendars.

  • All notes, letters, forms, and clinical templates.

  • Full catalog access (services, products, packages, etc.).

  • Full financial access (invoices, payments, adjustments, reports).

  • Access to all settings except owner-only areas.

Excluded (owner only): Permissions & roles, API keys, subscription settings

Why this matters:

Practitioner Admins run the practice day-to-day, but should not be able to change security, subscription or integration-level access unless they are also the account owner.


Practice Manager

A role for people who handle operational tasks without requiring access to sensitive clinical data unless specifically enabled. The practice manager often configures the system, tracks revenue, and manages admin workflows, but should not alter foundational access controls.

Best for: Admin managers or non-clinical leaders.

Default access includes:

  • All clients and appointment schedules.

  • Invoices, payments, and billing setup.

  • Forms, templates, and general workspace configuration.

  • Full reporting access.

Optional access: Clinical notes and letters (can be enabled individually)

No access to: Permissions & roles, API keys, subscription settings


Practitioner

Designed for clinicians who require access only to their own work. The goal is to ensure privacy and avoid accidental access to other practitioners’ caseloads. This preserves client confidentiality and meets privacy obligations, essential for multi-practitioner clinics.

Best for: Allied health clinicians and contractors.

Default access includes:

  • Their own appointments, notes, forms, letters, and invoices.

  • Their own performance reports.

Restricted:

  • Cannot view other clinicians’ notes or clients unless enabled.

  • No access to modify catalog items like services or products.

  • No access to workspace-level configuration.


Receptionist

Supports scheduling and client communication without accessing sensitive clinical content.

Best for: Reception and front desk or intake staff

Access includes:

  • Client records (contact details, bookings)

  • Appointment management across all practitioners

  • Invoices, payments, receipts

  • Limited reports and minimal settings (SMS only)

Optional:

  • Clinical notes and letters if absolutely necessary (disabled by default)


Accountant

Focused on finance and compliance. Accountants require clarity, not complexity. They get everything needed for compliance and reporting, nothing more.

Best for: Internal or external finance professionals.

Access includes:

  • Client names for context

  • Invoices, payments, tax settings, financial reports

  • Integrations

No access to: Client files, notes, letters, or workspace/user management.


Customising role permissions

You may refine permissions to match your clinic’s needs. Every role except Practitioner Admin can be modified using three types of permissions:

| Level | Meaning |
| --- | --- |
| Full | User can access everything in that category |
| Limited | User can only access items related to them |
| None | No access |

If a permission doesn’t appear for a role, it means that setting is fixed and cannot be changed. Some permissions are required for the role to function correctly, while others are intentionally restricted for security and system integrity. If a user needs access that their role does not allow, consider assigning a different role that better matches their responsibilities.
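The sketch below is an added example, not Caspen's code or API. It models how the three levels and the owner-only layer described on this page combine into one access decision. The category names, the user fields and the mapping of each role's defaults onto levels are assumptions constructed from the role descriptions above.

```python
from enum import Enum

class Level(Enum):
    NONE = 0      # no access
    LIMITED = 1   # only items related to the user
    FULL = 2      # everything in the category

# Areas this page reserves for the account owner, whatever their role.
OWNER_ONLY = {"user_permissions", "api_keys", "subscription_billing"}

# Constructed matrix (assumption): two sample categories per role,
# with levels inferred from the default role descriptions.
ROLE_DEFAULTS = {
    "practitioner_admin": {"clinical_notes": Level.FULL, "invoices": Level.FULL},
    "practice_manager": {"clinical_notes": Level.NONE, "invoices": Level.FULL},
    "practitioner": {"clinical_notes": Level.LIMITED, "invoices": Level.LIMITED},
    "receptionist": {"clinical_notes": Level.NONE, "invoices": Level.FULL},
    "accountant": {"clinical_notes": Level.NONE, "invoices": Level.FULL},
}

def can_access(user, area, record_owner=None, overrides=None):
    """Return True if `user` may open `area`, optionally one specific record."""
    if area in OWNER_ONLY:
        # Ownership is a separate layer on top of the role: no role grants it.
        return bool(user.get("is_owner", False))
    role = user["role"]
    levels = dict(ROLE_DEFAULTS.get(role, {}))
    # Every role except Practitioner Admin can be customised.
    if overrides and role != "practitioner_admin":
        levels.update(overrides.get(role, {}))
    level = levels.get(area, Level.NONE)  # unlisted category: deny by default
    if level is Level.FULL:
        return True
    if level is Level.LIMITED:
        # Limited access needs a record that belongs to this user.
        return record_owner is not None and record_owner == user["id"]
    return False
```

Running a planned role change through a model like this before saving it makes it easy to see which users would gain access to clinical notes or financial data.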


How to edit role permissions

  1. Go to Settings → Permissions.

  2. Find the role you want to update and click Actions → Edit.

  3. Adjust the access levels as required for each area (Full, Limited, or None, where applicable).

  4. Click Save.

Best practice: Only grant access to sensitive data when it is necessary for the user’s responsibilities. Limiting permissions reduces risk, protects client information, and keeps your workspace secure.


How to assign roles to users

Roles determine what a user can access and do in Caspen.

  1. Go to Settings → Users.

  2. Open an existing user (Actions → Edit) or create a new user (+ Add user).

  3. Select the user’s Role from the dropdown.

  4. Click Save.

What happens next

  • New users: Once they accept their invitation and log in for the first time, their access will reflect the assigned role.

  • Existing users: Changes take effect immediately. Their permissions update as soon as the role is saved, no further action required.

Tip: Adding users and assigning locations/services is covered in Add your team members.
