Roles and Permissions in Warp
Last updated: May 19, 2026
How to customize roles and permissions in Warp
Warp gives you fine-grained control over what each admin can see and do — down to the product area and action level. This guide covers how to set up roles, assign the right permissions, and keep your admin access organized as your team grows.
What's changing and what's not
If you're an existing Warp admin - Nothing has changed for you. Your current permissions remain exactly as they are, regardless of your role.
If you're setting up new admins going forward - New admins will be assigned access based on the default role selected at invite. Default roles follow a least-privilege model — they include only what that function needs and nothing else. Any additional access has to be explicitly granted. For example, the HR Manager role does not include payroll access by default. If an admin needs payroll access, you'll need to add it manually via a custom role.
Where to manage admin access
Go to Settings > Admins.
You'll see four tabs:
Tab | What it's for |
|---|---|
Admins | View all current admins, update roles, suspend or remove access. |
Pending Invitations | View, resend, or revoke invites that haven't been accepted yet. |
Roles | Create and edit roles, including names, descriptions, colors, and permissions. |
Security | Require MFA for all company admins. |
Don't see this page? You need Authorized Users: Read access to view the Admins area at all. To invite admins, change roles, or edit permissions, you need Authorized Users: Write or Manage. If you need your own permissions updated, reach out to your company's Owner or main admin — Warp Support can't grant or change permissions without owner approval.
Key concepts
Admins
Admins are users who can log into your company's Warp admin workspace. Each admin has a name, email, role, and status — either Active or Suspended.
Suspending an admin disables their access but keeps them in the list (useful if someone is on leave or you need a paper trail). Removing an admin fully revokes their access.
Owner
Every Warp company has one Owner. The Owner has protected access — they can't be suspended or removed from the Admins page. The Owner, or any admin with Authorized Users: Manage, is responsible for approving role and permission changes across the team.
Roles
A role is a saved set of permissions. When you assign a role to an admin, they immediately get the access that role defines — nothing more, nothing less.
Each role has:
Name — shown in tables and dropdowns
Description — optional, shown when selecting a role
Color — used for role tags in the sidebar
Permissions — what the role can actually do
One role can be assigned to as many admins as you need — you build it once and apply it to everyone with that function. If you update a role, the change takes effect immediately for every admin using it. Warp shows you exactly who'll be affected before you confirm.
Permission levels
Each permission area — like Payroll, Benefits, or Workers — can be set to one of four access levels:
Level | What it means |
|---|---|
None | No access to that area. |
Read | Can view information, but not make changes. |
Write | Can view and make changes. Includes Read. |
Manage | Full control — includes high-risk actions like approvals, exports, destructive changes, and configuration. Includes Write and Read. |
Not every permission supports all four levels. For example, Worker Dependents and Dependent PII (personally identifiable information — sensitive data like SSNs, dates of birth, and home addresses) only go up to Write.
Default roles
Warp comes with nine pre-built roles covering the most common use cases. You can assign these as-is or use them as a starting point for something more tailored.
Role | Best for | What it includes |
|---|---|---|
Admin | Anyone who needs full, unrestricted access. | Full Manage access to everything. Cannot be edited. |
HR Manager | HR teams managing the employee lifecycle. | Manages profiles, compliance, offers, departments, time off, time tracking, and learning. No payroll access by default. |
Hiring Manager | Teams responsible for sending offers. | Can view profiles, departments, and workplaces. Can create and manage offers only — no HR or payroll access. |
IT Manager | IT teams managing devices and app provisioning. | Manages worker app access and device management. Can view authorized users and developer settings. |
Accountant | Finance users who need to review payroll output. | Read access to workers, compensation, payroll, banking, tax compliance, and settings. Manages general ledger. |
Global Payroll Manager | Payroll admins running non-US payroll. | Manages global compensation, global payrolls, and pay schedules. Can view workers, compliance, banking, and GL. |
Full Payroll Manager | Payroll admins running US payroll. | Manages US compensation, US payrolls, pay schedules, and time tracking. Can update worker banking and tax compliance. Can view worker PII and accounting context. |
Benefits Manager | Benefits admins. | Manages benefits and worker dependents. Can view worker profiles, worker PII, and dependent PII. |
Compliance Auditor | Compliance and audit teams. | Read access to profiles, PII, dependents, tax compliance, KYB, settings, and workplaces. Manages worker compliance workflows. |
If a default role doesn't exist in your company yet, Warp creates it automatically when you select it from the dropdown.
Custom roles
Use a custom role when none of the defaults are quite right. Common examples:
A payroll-only role for someone who runs payroll but shouldn't touch HR data
A read-only finance role for someone who needs to see payroll output but not edit anything
A limited HR role for an HRBP who manages one team but shouldn't see company-wide personally identifiable information
An IT role scoped to device management with no access to compensation or benefits
To create a custom role:
Go to Settings > Admins > Roles
Click Create new role
Enter a name, optional description, and color
Set permissions in the Access section (use Capabilities to get started faster — see below)
Click Create role
You can also create a new role on the fly while inviting an admin or updating an existing admin's role.
To edit an existing role:
Go to Settings > Admins > Roles
Open the actions menu next to the role
Click Edit role
Update the name, description, or permissions
Review which admins will be affected — Warp surfaces this before you confirm
Confirm the change
The Admin role cannot be edited — it represents full, unrestricted access to your Warp account.
Capabilities
When building a custom role, Capabilities are a faster way to get started. Instead of setting every permission manually, you pick a Capability and it fills in the full set of permissions that function typically needs.
You can still tweak individual permissions after applying a Capability — they're a starting point, not a lock-in.
Capability | What it's for | Permissions it adds |
|---|---|---|
Hire People | Create hires and complete onboarding. | Employee & Contractor Profiles: Manage · Benefits: Read · Time Off: Read · Workplaces: Read · Pay Schedules: Read · Tax Compliance: Read |
Run US Payrolls | Prepare and run US payroll. | US Payrolls: Write · Pay Schedules: Read · Employee & Contractor Profiles: Read · US Compensation: Read · Tax Compliance: Read |
Run Global Payrolls | Prepare and run global payroll. | Global Payrolls: Write · Pay Schedules: Read · Employee & Contractor Profiles: Read · Global Compensation: Read |
Administer Benefits | Manage benefits enrollment and plans. | Benefits: Write · Employee & Contractor Profiles: Read · Worker Dependents: Read · Dependent PII: Read |
Configure Time Tracking | Set up time tracking policies. | Time Tracking: Manage · Employee & Contractor Profiles: Read · Workplaces: Read · Pay Schedules: Read |
Review Expenses | Approve or deny expense requests. | Expenses: Write · Employee & Contractor Profiles: Read |
Provision IT Access | Manage devices and app access for workers. | Worker Access: Manage · Device Management: Manage · Employee & Contractor Profiles: Read |
Post Payroll to ERP | Post payroll journals to your accounting system. | General Ledger: Write · US Payrolls: Read · Global Payrolls: Read |
If you remove a Capability, it removes the permissions it added — unless another applied Capability also needs them.
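The table and removal rule above, modelled as an added example for planning a custom role offline (not Warp's code or API). It assumes that when two Capabilities grant the same permission at different levels the higher one applies, and that removing a Capability lowers a permission to whatever the remaining ones grant.

```python
# Added model of the Capabilities table; not Warp's code or API.
LEVELS = ["None", "Read", "Write", "Manage"]  # ascending; each level includes the ones before it

# Grants transcribed from the Capabilities table on this page.
CAPABILITIES = {
    "Hire People": {
        "Employee & Contractor Profiles": "Manage", "Benefits": "Read", "Time Off": "Read",
        "Workplaces": "Read", "Pay Schedules": "Read", "Tax Compliance": "Read"},
    "Run US Payrolls": {
        "US Payrolls": "Write", "Pay Schedules": "Read", "Employee & Contractor Profiles": "Read",
        "US Compensation": "Read", "Tax Compliance": "Read"},
    "Run Global Payrolls": {
        "Global Payrolls": "Write", "Pay Schedules": "Read",
        "Employee & Contractor Profiles": "Read", "Global Compensation": "Read"},
    "Administer Benefits": {
        "Benefits": "Write", "Employee & Contractor Profiles": "Read",
        "Worker Dependents": "Read", "Dependent PII": "Read"},
    "Configure Time Tracking": {
        "Time Tracking": "Manage", "Employee & Contractor Profiles": "Read",
        "Workplaces": "Read", "Pay Schedules": "Read"},
    "Review Expenses": {"Expenses": "Write", "Employee & Contractor Profiles": "Read"},
    "Provision IT Access": {
        "Worker Access": "Manage", "Device Management": "Manage",
        "Employee & Contractor Profiles": "Read"},
    "Post Payroll to ERP": {
        "General Ledger": "Write", "US Payrolls": "Read", "Global Payrolls": "Read"},
}


def effective(applied):
    """Merge the applied Capabilities. ASSUMPTION: the highest level wins on overlap."""
    merged = {}
    for name in applied:
        for perm, level in CAPABILITIES[name].items():
            current = merged.get(perm, "None")
            merged[perm] = max(current, level, key=LEVELS.index)
    return merged


def removal_impact(applied, removed):
    """Return {permission: (before, after)} for each permission that changes
    when `removed` is taken out of the applied set."""
    before = effective(applied)
    after = effective([c for c in applied if c != removed])
    return {p: (lvl, after.get(p, "None"))
            for p, lvl in before.items() if after.get(p, "None") != lvl}


if __name__ == "__main__":
    role = ["Hire People", "Run US Payrolls"]
    for perm, level in sorted(effective(role).items()):
        print(f"{perm}: {level}")
    for perm, (old, new) in sorted(removal_impact(role, "Hire People").items()):
        print(f"removing Hire People: {perm} {old} -> {new}")
```

Pay Schedules and Tax Compliance are absent from the impact report because Run US Payrolls still needs them, which is the "unless another applied Capability also needs them" case.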
Common role combinations
Not sure what permissions someone actually needs? Here are the most common setups:
Someone who runs US payroll end-to-end
Use the Full Payroll Manager default, or apply Run US Payrolls and add:
US Compensation: Read (to see pay rates)
Tax Compliance: Read (to catch filing issues)
Worker Banking: Write (to update direct deposit if needed)
Someone who handles onboarding and offboarding
Apply Hire People. If they also manage time off policies or assign pay schedules, add:
Time Off: Manage
Pay Schedules: Manage
A benefits admin who also manages dependents
Apply Administer Benefits — this already includes Worker Dependents: Read and Dependent PII: Read. If they need to update dependent SSNs or DOBs, bump Dependent PII to Write.
An IT admin scoped to provisioning only
Apply Provision IT Access. Leave Employee & Contractor Profiles at Read and skip everything else.
A finance reviewer who should see — but not touch — payroll
Skip Capabilities and set manually:
US Payrolls: Read
Global Payrolls: Read
General Ledger: Read
US Compensation: Read
Worker Banking: Read
Inviting admins
Go to Settings > Admins
Enter the person's first name, last name, and email
Select a role — or create a new one right from the dropdown
Click Invite
Invites expire after 7 days. You can resend or revoke them from Settings > Admins > Pending Invitations.
Managing existing admins
In Settings > Admins, each row shows the admin's name, email, role, and current status.
Action | What it does |
|---|---|
Update Role | Assigns a different role. Takes effect immediately. |
Suspend | Disables access without removing the admin from the list. |
Unsuspend | Restores access for a suspended admin. |
Remove | Permanently removes admin access. |
Changing a role mid-workflow? Permission changes take effect immediately — they don't wait for an active payroll run or pending approval to finish. Make sure any in-flight work is handed off or completed before changing or removing access.
You cannot update, suspend, or remove the Owner from this table.
Requiring MFA
Go to Settings > Admins > Security and enable Require MFA.
Once enabled, all company admins must use multi-factor authentication to log in. We recommend turning this on for any company with more than one admin, especially if anyone has access to payroll, PII, or billing.
Permission reference
Use this section when building a custom role and you need to know exactly what a permission covers at each level.
Workers
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Employee & Contractor Profiles | Position, department, workplace, and general worker info. Sensitive PII is a separate permission. | View profiles. | Update position, start date, department, and similar fields. | Invite and offboard workers. |
Global Compensation | Compensation for global contractors. | View compensation. | Update compensation. | Approve out-of-band changes. |
US Compensation | Compensation for W-2 employees and 1099 contractors. | View compensation. | Update compensation. | Approve off-cycle and retroactive changes. |
Worker Compliance | I-9s and tax exemption documents. | View submissions. | Verify I-9s and approve tax exemptions. | Configure compliance workflows. |
Worker PII | SSN/TIN, date of birth, and home address. | View PII. | Update PII. | Bulk export via CSV or API. |
Worker Banking | Banking and direct deposit details. | View status and masked account info. | Update or verify banking details. | Export details and manage verification workflows. |
Worker Access | App provisioning, access groups, Okta, and Google Workspace integrations. | View access groups and app assignments. | Assign and remove workers from access groups and apps. | Configure access groups and identity provider integrations. |
Worker Dependents | Spouses, children, and domestic partners linked for benefits enrollment. | View dependents. | Add, update, and remove dependents. | Not available. |
Dependent PII | SSN/TIN and date of birth for worker dependents. | View dependent SSN and DOB. | Update dependent SSN and DOB. | Not available. |
Payroll
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Global Payrolls | Global payroll runs and configuration. | View runs. | Create and edit runs. | Configure settings and approvers. |
US Payrolls | US payroll runs, adjustments, and tax filings. | View runs. | Create, edit, and approve runs. | Configure settings and bank accounts. |
Pay Schedules | Pay schedule setup across all payroll products. | View schedules. | Update configuration. | Create, delete, and assign workers to schedules. |
Offers
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Offers | Candidate offers, contracts, and offer portal configuration. | View offers. | Send and sign offers. | Configure the offer portal and custom contract templates. |
Expenses
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Expenses | Employee expense requests. | View expenses. | Approve and deny requests. | Configure expense policies. |
Company
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Departments | Department catalog. Worker department labels are included with Employee & Contractor Profiles access. | View departments. | Create and rename departments. | Delete departments. |
Workplaces | Physical and virtual work locations. | View workplaces. | Create and update workplaces. | Archive workplaces. |
Time Off
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Time Off | PTO requests, policies, and balances. | View requests, policies, and balances. | Approve and deny requests. | Create and update policies and assign workers. |
Shifts
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Time Tracking | Shift tracking, timesheets, and policies. | View timesheets. | Approve and deny shifts. | Create and update policies and assign workers. |
Finance
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
General Ledger | Payroll journal postings and ERP integrations. | View GL postings and mappings. | Manually post payroll journals. | Configure ERP integrations and mappings. |
Benefits
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Benefits | Benefits enrollment and plan administration. | View enrollments and plans. | Update enrollments and plan details. | Configure plan offerings and open enrollment. |
Compliance
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Tax Compliance | Company tax registrations, filings, and notices. | View registrations, filings, and notices. | Respond to notices and submit filings. | Register or deregister in jurisdictions and configure tax settings. |
KYB | Legal entity details, company signatory, and beneficial owners. | View signatory and stakeholders. | Add, update, and remove stakeholders. | Update signatory and submit or respond to KYB attestations. |
IT
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Device Management | MDM, enrolled devices, and policies. | View devices and compliance state. | Issue commands like lock or wipe. | Create and update device policies. |
Learning
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Learning Management | Courses, enrollments, and completions. | View learnings, enrollments, and completion status. | Assign learnings and update enrollments. | Create learnings and configure learning programs. |
Settings
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Authorized Users | Admin accounts and role assignments. | View admins and their roles. | Invite and remove admins. | Create, update, and assign roles. |
Billing | Invoices, add-ons, and payment methods. | View invoices, plan, and billing history. | Purchase add-ons. | Change payment methods and billing configuration. |
Settings | Company info, branding, Slack, and other admin-level settings. | View settings. | Update company info and most settings. | Update legal-identity fields and disconnect integrations. |
Developer
Permission | What it covers | Read | Write | Manage |
|---|---|---|---|---|
Developer | API keys, webhooks, and integration credentials. | View API keys and webhook configs. | Create API keys and webhook configs, and send test events. | Reveal secrets, rotate credentials, and delete configs. |
Best practices
Start narrow, expand as needed. It's easier to add permissions later than to explain why someone had access they shouldn't have. Default to Read where you're unsure, and only escalate to Write or Manage when the role clearly requires it.
Be intentional with high-risk permissions. Worker sensitive data (PII), Worker Banking, US/Global Payrolls: Manage, Billing, Developer, and Authorized Users: Manage all carry real risk if they end up with the wrong person. Review these carefully before assigning.
Use Suspend instead of Remove when in doubt. Suspending keeps the admin in your list with their role intact, making it easy to restore access if needed. Removing is permanent.
Audit roles when your team changes. When someone changes roles internally, leaves the company, or moves to a different function, update or remove their admin access the same day. Stale access is one of the most common issues we see.
Name custom roles clearly. "Payroll - Read Only" is more useful in a dropdown than "Finance Custom 2." The description field helps too — it shows up when someone is selecting a role during an invite.
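A review pass over role definitions for the high-risk permissions, the Write-only permissions, and the MFA recommendation described on this page, as an added example (not Warp's code). The role and admin data are constructed, and the thresholds in `HIGH_RISK` are one reading of the high-risk list above.

```python
# Added review helper, not Warp's code. ROLES and ADMINS are constructed samples,
# transcribed by hand in a hypothetical shape; no Warp export format is assumed.
LEVELS = ["None", "Read", "Write", "Manage"]

# Lowest level treated as high-risk per permission (ASSUMPTION: one reading of
# the "Be intentional with high-risk permissions" paragraph).
HIGH_RISK = {
    "Worker PII": "Read", "Worker Banking": "Read", "Billing": "Read",
    "Developer": "Read", "US Payrolls": "Manage", "Global Payrolls": "Manage",
    "Authorized Users": "Manage",
}
MAX_LEVEL = {"Worker Dependents": "Write", "Dependent PII": "Write"}  # no Manage level
# Areas named in the MFA recommendation: payroll, PII, billing.
MFA_AREAS = {"US Payrolls", "Global Payrolls", "Worker PII", "Dependent PII", "Billing"}

ROLES = {
    "Payroll - Read Only": {"US Payrolls": "Read", "General Ledger": "Read",
                            "Worker Banking": "Read"},
    "Finance Custom 2": {"US Payrolls": "Manage", "Billing": "Write",
                         "Dependent PII": "Manage"},
}
ADMINS = {"a@example.com": "Payroll - Read Only", "b@example.com": "Finance Custom 2"}


def rank(level):
    """Position of a level in the hierarchy; unknown strings rank as None."""
    return LEVELS.index(level) if level in LEVELS else 0


def audit(roles, admins, mfa_required):
    """Return sorted findings for roles {name: {permission: level}} and admins {email: role}."""
    holders = {}
    for email, role in admins.items():
        holders.setdefault(role, []).append(email)
    findings = []
    for role, perms in roles.items():
        who = ", ".join(sorted(holders.get(role, []))) or "no admins"
        for perm, level in perms.items():
            if level not in LEVELS:
                findings.append(f"{role}: unknown level {level!r} for {perm}")
            elif perm in MAX_LEVEL and rank(level) > rank(MAX_LEVEL[perm]):
                findings.append(f"{role}: {perm} does not support {level}")
            elif perm in HIGH_RISK and rank(level) >= rank(HIGH_RISK[perm]):
                findings.append(f"{role}: high-risk {perm}: {level} (held by {who})")
    sensitive = any(rank(roles.get(role, {}).get(area, "None")) > 0
                    for role in set(admins.values()) for area in MFA_AREAS)
    if not mfa_required and len(admins) > 1:
        detail = " while payroll, PII, or billing access is assigned" if sensitive else ""
        findings.append("MFA is not required for more than one admin" + detail)
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(ROLES, ADMINS, mfa_required=False):
        print(line)
```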
Frequently asked questions
Someone says they can't see a certain area in Warp. What should I check?
Go to Settings > Admins, find the admin, and check their current role. Then go to Settings > Admins > Roles, open that role, and verify the permission for the area they're trying to access isn't set to None. If it is, update the role or assign them a different one. Role changes take effect immediately.
An invite expired. Can I resend it?
Yes. Go to Settings > Admins > Pending Invitations and click Resend. This generates a fresh 7-day invite link. If the invite is no longer needed, you can revoke it from the same page.
Can two admins share the same role?
Yes — one role can be assigned to as many admins as needed. Keep in mind that editing a shared role affects everyone using it, so review who's assigned before making changes.
What's the difference between suspending and removing an admin?
Suspending disables access but keeps the admin in your list with their role intact — easy to reverse. Removing permanently revokes access. Use suspend for temporary situations (leave, role transitions) and remove when someone has left the company.
Can I have more than one Owner?
No — each Warp company has exactly one Owner. The Owner role is protected and can't be changed or transferred from the Admins page. Contact Warp Support if you need to transfer ownership.
I updated a role and now an admin lost access they needed. How do I fix it?
Go to Settings > Admins > Roles, edit the role, and restore the permission. Role changes apply immediately, so the fix takes effect as soon as you save. If the issue involved an in-progress workflow like a payroll run, check whether the permission was changed from Write or Manage down to Read or None mid-action.