Skip to content
OneForce Care
Browse help topics

Roles and access

Who can see what: owners, admins, provider employees and support workers.

Last updated · 3 July 2026


Every person in your workspace has a role, and the role decides which menus, screens and actions they can use. Understanding the four roles helps you invite the right people and give them the right access.

The four roles

RoleWhat they can do
OwnerFull access to everything, plus the settings only an owner sees: business details, billing, the Xero connection, and workspace features. There is exactly one owner per workspace.
AdminFull access to the day-to-day app (participants, scheduling, finance, reports and so on), plus role-based access. Can’t open Billing, Integrations or Features.
Provider employeeAccess only to the screens and actions their assigned custom role allows. Shown as Provider when you set a worker’s account type.
Support workerDelivers shifts. Support workers sign in to the OneForce Care mobile app only and have no access to the office app.
The Organisation tab as the provider owner sees it, with the Business details card above the Role-based access section listing custom roles and a Create role button.

Note

Support workers never see the office app, so anything you want them to do on a shift (notes, clock in and out, incidents) happens in the mobile app. See the Mobile app guides.

Where access is set

The Account Organisation tab holds both business details and role-based access, and it looks different depending on who opens it:

  • Owners see their Business details card, with the Role-based access section underneath it.
  • Admins see only Role-based access; it’s the whole tab for them.
  • Provider employees and support workers don’t get an Organisation tab at all.

Custom roles

In Role-based access, select Create role to name a new role and choose which screens it can read, and which of create, edit and delete it also allows on each one. The table lists every role you’ve created:

ColumnShows
NameThe role’s name
ScreensHow many screens it can read
WorkersHow many people are currently assigned to it
ActionsView the people assigned, Edit, and Delete

Before you create any roles, the table reads “No roles yet. Create one to assign permissions to provider employees.” A role with people still assigned can’t be deleted; the delete action is disabled with a tooltip such as “3 workers assigned. Reassign first.” Deleting an unassigned role opens a confirm dialog titled Delete “<role name>”?, warning “This role will be permanently deleted. Workers currently assigned to it will lose their access role.”

Note

Owners and admins always have full access, whatever a custom role says. Roles only shape what provider employees can do.

A person’s account type

A worker’s access is set on their own record, on the Access tab: Support worker, Provider (a provider employee, who then also picks one of your custom roles) or Admin. See Worker access for creating their login, resending invites and resetting passwords.

Two-factor authentication

On the Account Account tab, the owner gets a Workspace MFA enforcement card that requires two-factor authentication separately for each group: Owner (you), Admins, Provider employees, and Support workers (mobile app), which is enforced in the mobile app only. Turning a group on asks you to confirm, for example “Require 2FA for Admins?”, and those members must set it up on their next sign-in. Turning a group off removes 2FA from anyone in it who isn’t required by another rule.

Tip

Invite your team from Workforce Workers with Invite worker, then set each person’s account type on their Access tab. See Invite a worker.