How to Set Counsellor Roles and Permissions
ASH Team · 13 July 2026 · 5 min read
As a counselling team grows past a handful of people, "everyone can see everything" stops being convenient and starts being a liability. A junior counsellor should not be exporting your entire enquiry database, and a team leader should not be waiting on the owner to change a setting. ASH handles this with role-based access, so each person works with exactly what their job needs and nothing more.
The roles you start with
- Owner — full control of the workspace, billing and integrations. Usually the founder or director. Keep this to one or two people.
- Manager — sees all leads and conversations, assigns work, runs reports and invites members, but cannot touch billing. This is your admissions head or team leader.
- Counsellor — the day-to-day role. Sees and works only their own assigned leads, tasks and conversations, sends messages, and reads the knowledge base.
- Support Executive — similar to a counsellor, oriented to post-enquiry support and ticket handling.
- Custom — build a role from scratch by picking permissions individually when none of the above fits.
Own versus all — the scope that matters
Most permissions come in two scopes. A counsellor typically has view own leads, meaning they only see records assigned to them. A manager has view all leads, covering the whole workspace. The same split applies to conversations, tasks and reports. Getting this scope right is what keeps one counsellor from browsing another's pipeline while still letting your team leader see the full picture.
Fine-tuning with per-user overrides
Roles set the baseline, but people are exceptions. ASH lets you grant or deny a single permission on top of a person's role. Say a senior counsellor should be allowed to export leads for one campaign — you can grant export leads to just that user, and even set it to expire automatically. A deny always wins over a grant, so you can also revoke one specific capability without changing someone's whole role.
Guardrails that prevent mistakes
Two protections are built in. First, nobody can assign a role higher than their own — a manager cannot promote someone to owner, which stops privilege escalation. Second, the riskier permissions such as delete leads, remove members, manage API keys and export are clearly flagged as sensitive on the permissions screen, so you grant them deliberately rather than by accident.
A sensible starting point
For a typical admissions team: one or two owners, your admissions head as manager, and every counsellor on the counsellor role with "own" scope. Add overrides only where a real need appears, and review the whole setup from the Team screen at any time. If you are setting up an education workspace, pair this with our education CRM, and see how the same roles shape your shared WhatsApp inbox.
Ready to capture every lead on WhatsApp?
Start your free trial