The problem this solves
Most construction software is single-tenant in spirit. The owner buys it, the owner uses it, and when an employee gets added, the owner just shrugs and shares everything. The junior helper now sees what the customer paid. The 1099 sub sees the customer list. The salesperson sees what every other salesperson is making.
This works until it doesn't. The employee mentions to a customer how much margin you have. The sub poaches one of your customers next year. The salesperson finds out the other rep gets a higher split and quits. None of these failure modes are unrealistic. All of them have happened to contractors using software that did not have proper role permissions.
The fix is not "trust the team less." The fix is "share less by default and turn things on when they need to know."
How Workhand handles it
Five built-in roles handle 95% of contractor team structures:
- Owner — full access to everything: company settings, billing, integrations, role configuration, every job, every customer, every dollar. Only one owner per account.
- Admin — everything the owner can do except billing and changing role configurations. For office managers and partners.
- Employee — sees assigned jobs, logs progress, chats with the owner, but does not see pricing or profit by default. For W-2 crew.
- Sales — sees their own pipeline, the customers they brought in, the estimates they wrote. Does not see internal job costs or what other reps are doing. For 1099 outside sales reps.
- Sub — most restricted. Only sees the jobs they are explicitly invited to. The customer list, other jobs, internal chat are all invisible. For 1099 plumbers, electricians, HVAC contractors brought in per-job.
On top of the 5 roles, there are 13 individual capability toggles that can be turned on per-role or per-user. Most owners use the defaults. The few who customize do so for things like "the lead foreman gets profit visibility because he does cost-plus billing" or "the sales manager can edit estimates of other reps" or "trusted long-term sub gets the customer chat thread."
| Role | Sees pricing? | Sees profit? | Customer list? | Other jobs? |
|---|---|---|---|---|
| Owner | Yes | Yes | All | All |
| Admin | Yes | Yes | All | All |
| Employee | No (default) | No (default) | No | Assigned only |
| Sales | Their estimates | No | Their customers | Their pipeline only |
| Sub | Their line items | No | No | Invited jobs only |
Why database-enforced beats UI-hidden
Many SaaS apps "implement" role permissions by just hiding buttons in the UI. The data is still in the customer's browser or app cache, the API still returns it, and anyone curious with developer tools can see what was hidden. This is theater, not security.
Workhand enforces permissions at the database layer via Postgres Row-Level Security (RLS). When the employee opens the app, the database checks their role and only returns rows their role is allowed to see. Pricing fields literally do not arrive on the device. Profit calculations never happen for them. The customer list query returns zero rows. Even if someone bypassed the UI, there is nothing in the data stream to see, because the database refused to return it in the first place.
This is the same mechanism banks use. It is the right level of access control for a multi-user business app, and most contractor SaaS does not have it.
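A sketch of the database-layer enforcement described above, as an added example that is not Workhand's own schema or policies: the table names, the `app_api` role and the `app.user_id` setting are assumptions. Because RLS filters rows rather than columns, prices sit in their own table so a policy can withhold them. Run it in a scratch database as a superuser.

```sql
-- Hypothetical schema for illustration; not Workhand's actual tables or policies.
CREATE ROLE app_api NOLOGIN;  -- assumed role the API server queries as
CREATE TABLE app_user (id int PRIMARY KEY, role text NOT NULL
  CHECK (role IN ('owner','admin','employee','sales','sub')));
CREATE TABLE job (id int PRIMARY KEY, name text NOT NULL);
CREATE TABLE job_member (job_id int REFERENCES job, user_id int REFERENCES app_user,
  PRIMARY KEY (job_id, user_id));
-- RLS filters rows, not columns, so prices live in their own table.
CREATE TABLE line_item_price (job_id int REFERENCES job, item text, price numeric);

-- Constructed sample data: user 1 is the owner, user 3 a sub invited to job 10.
INSERT INTO app_user VALUES (1,'owner'), (3,'sub');
INSERT INTO job VALUES (10,'Pool deck'), (11,'Kitchen remodel');
INSERT INTO job_member VALUES (10, 3);
INSERT INTO line_item_price VALUES (10,'tile',4200), (11,'cabinets',9800);

-- Identity comes from a setting the server sets per transaction after login.
-- A missing or empty setting yields NULL, which matches no policy (fail closed).
CREATE FUNCTION app_uid() RETURNS int LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.user_id', true), '')::int $$;
-- SECURITY DEFINER lets policies consult lookup tables app_api cannot read.
CREATE FUNCTION app_role() RETURNS text LANGUAGE sql STABLE SECURITY DEFINER
  SET search_path = public AS
  $$ SELECT role FROM app_user WHERE id = app_uid() $$;
CREATE FUNCTION on_job(j int) RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER
  SET search_path = public AS
  $$ SELECT EXISTS (SELECT 1 FROM job_member
                    WHERE job_id = j AND user_id = app_uid()) $$;

GRANT SELECT ON job, line_item_price TO app_api;
ALTER TABLE job ENABLE ROW LEVEL SECURITY;
ALTER TABLE line_item_price ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well.
ALTER TABLE job FORCE ROW LEVEL SECURITY;
ALTER TABLE line_item_price FORCE ROW LEVEL SECURITY;

CREATE POLICY job_read ON job FOR SELECT TO app_api
  USING (app_role() IN ('owner','admin') OR on_job(id));
CREATE POLICY price_read ON line_item_price FOR SELECT TO app_api
  USING (app_role() IN ('owner','admin'));

-- One request as the sub: same queries, the database decides what comes back.
BEGIN;
SELECT set_config('app.user_id', '3', true);  -- transaction-local
SET LOCAL ROLE app_api;
SELECT id, name FROM job;                      -- filtered by job_read
SELECT item, price FROM line_item_price;       -- filtered by price_read
ROLLBACK;
```

The guarantee holds only if the API connects as a role without `BYPASSRLS` and the client has no way to set `app.user_id` itself.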
Capabilities you can toggle per role
- Pricing visibility on estimates, invoices, line items
- Profit visibility (cost-vs-charge per job)
- Create new estimates
- Send estimates to customer
- Create new invoices
- Send invoices to customer
- Chat with the customer (separate from crew chat)
- Edit job structure (tabs, line items, schedule)
- Mark jobs complete
- View customer list
- Create new customer records
- Add or remove team members from a job
- Access reports and dashboards
Who this is built for
- Contractors with 3-15 employees who hire helpers and want to share less by default
- Pool builders who hire 1099 tile crews, plaster crews, deck crews per job
- Remodelers running multiple subs (plumbing, electrical, HVAC, drywall) through every job
- Service companies with outside sales reps on 1099 commission who shouldn't see margin
- Pool service routes with multiple techs where each tech only handles their own accounts
- Anyone burned once by an employee or sub seeing more than they should have
Try Workhand free
Multi-role access control is on the Team plan at 89.99 per month. Pro at 34.99 per month gets you Owner plus invited helpers without the full per-role matrix. 14-day free trial.
Common questions
What user roles does Workhand support?
Five built-in roles. Owner has full access to everything including company settings, billing, integrations, and role configuration. Admin is everything Owner has except billing and role config. Employee is the day-to-day crew member who can see assigned jobs, log progress, chat with the owner, but does not see pricing or profit by default. Sales sees their own pipeline and the customers they brought in, not internal job costs. Sub is the most restricted role: they only see the jobs they are explicitly invited to and nothing else. Each role can be tuned with 13 individual capability toggles.
Can employees see how much I'm charging the customer?
No, by default. The Employee role does not see pricing on estimates, invoices, or line items. They see what they need to do the work, not what the customer is paying for it. If you trust a specific employee with pricing visibility (typical for a lead foreman or project manager who handles billing questions in the field), you toggle the pricing-visibility capability on for that role or that individual user. The toggle is in Settings then Roles.
Can subs see jobs they're not on?
No. Subs are the most restricted role in the system. They are invited per-job and only see the jobs they are explicitly invited to. The customer list is invisible to them. The other jobs in the company are invisible to them. The internal chat between the crew is invisible to them. They see the job they were brought in for, can message about that job, and that is it. This is one of the most-requested features from contractors who run plumbing, electrical, and HVAC subs through their job sites.
How is this enforced? Could a tech-savvy employee bypass it?
Permissions are enforced at the database layer via Postgres RLS (Row-Level Security), not just hidden in the UI. That means even if an employee tried to pull data directly from the API, the database itself refuses to return rows their role is not allowed to see. UI-only permissions can be bypassed by someone curious. Database-enforced permissions cannot, because the database literally does not return the data to the user's session in the first place. This is the same mechanism banks use.
Do salespeople see internal costs and margin?
No. The Sales role is built for 1099 outside reps who get a commission on closed jobs. They see their own pipeline, the customers they brought in, and the estimates they wrote. They do not see internal job costs, profit margin, or what other salespeople are doing. This protects margin information that should not be on a 1099 rep's phone and prevents sales-team comparison drama.
Can I let one employee see profit but not another?
Yes. The 13 capability toggles can be set at the role level (apply to everyone in that role) or overridden at the individual user level. The classic setup: most employees do not see profit, but the lead foreman who does cost-plus billing for time and materials does see profit per job because he needs the number to talk to the customer. Configure that as an individual user override on his account.
Is there an audit trail of who did what?
Yes, for sensitive actions. Role changes, permission changes, customer creation and deletion, invoice creation and sending, and estimate sending are all logged with who and when. The audit log is visible to the Owner. This matters when an employee leaves or you need to figure out why an invoice went out incorrectly. It is not a full keystroke log, just the structurally important actions.
What does this cost?
Multi-role access control is on the Team plan at 89.99 per month. Pro at 34.99 per month gets you Owner plus invited helpers but without the per-role capability matrix. Team adds the full 5-role + 13-capability system, audit log, and sub-invitation flow. Free plan is single-user.