Default roles
Every new church on GCM is seeded with three roles the moment its workspace is provisioned: Administrator, Leader, and Viewer. They cover the vast majority of org chart shapes; a small church can run forever on just these three. You can't rename or delete them (they carry the is_system = true flag), but you can adjust which permissions each one grants, and you can layer custom roles on top.

TIP
If you've never opened the matrix, start with Users & Roles for the conceptual model, then come back here for the field-by-field breakdown.
Administrator
The Administrator role holds every permission in the catalogue: all 68 keys are toggled on by default. This is the role for the lead pastor, the executive admin, and anyone else who needs to configure the workspace itself: billing, integrations, the org structure, the role catalogue you're looking at right now.
Specifically, Administrator includes:
- Full member CRUD plus the merge tool (members.create, members.edit, members.delete, members.merge).
- All giving access (giving.view, giving.record, giving.manage): record donations, edit historical entries, manage funds.
- All reports, including approve and unlock (reports.approve, reports.unlock).
- The configuration keys: config.manage, users.manage, billing.manage, org_units.manage.
- Every sending verb: messaging.send, notifications.send, workflows.execute.
A church should have at least one Administrator at all times. The database enforces this for platform admins via a trigger, but at the org level, it's up to you. If your only Administrator gets locked out, see Recovering a locked-out user.
Leader
Leader is the "trusted operator" role: someone who runs day-to-day ministry without touching billing, integrations, or the role catalogue. The seed grants every permission whose action is view, create, edit, mark, or send. That works out to roughly two-thirds of the catalogue.
What a Leader can do:
- View and add members; edit existing ones; mark attendance; record donations.
- Send messages, send notifications, file reports.
- View funds, events, ministries, groups, the map, and demographics.
What a Leader cannot do:
- Delete records (no members.delete, no reports.delete).
- Manage the role catalogue or billing (no users.manage, no billing.manage, no config.manage).
- Approve or unlock reports submitted by others.
- Merge duplicate members.
Pair Leader with an org-unit assignment and you have what most churches call a shepherd: a leader who oversees one branch or center and sees only members assigned to that slice of the tree.
Viewer
Viewer is read-only across the board. The seed grants only view actions, nothing else. This is the role for board members, auditors, the analytics consultant your denomination sent over, and anyone who needs to see numbers without changing them.
A Viewer can open the dashboard, drill into reports, browse member profiles, and look at giving totals, but every save button is hidden, every delete button is greyed out, and every edge function rejects the request with a permission-denied response if they somehow trigger one.
Viewer is also useful as a probation role: if you're not sure whether a new staffer is ready for write access, start them on Viewer, watch what they ask for, and promote them once they've earned the rest.
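Because the seeded grants can be edited later, it is worth checking periodically that Leader and Viewer still match the tiers described above. The following is an added example, not GCM's own code: it audits a role's current grants against the seed rule, assuming the action is the segment after the last dot of a permission key; the catalogue subset and the grants are constructed sample data.

```typescript
// Added example; the catalogue subset and grants below are constructed.
type Tier = "Administrator" | "Leader" | "Viewer";

// Actions each seeded role receives, as described in the text above.
const SEED_ACTIONS: Record<Tier, ReadonlySet<string> | "all"> = {
  Administrator: "all",
  Leader: new Set(["view", "create", "edit", "mark", "send"]),
  Viewer: new Set(["view"]),
};

// Assumption: the action is the segment after the last dot of the key.
function actionOf(key: string): string {
  return key.slice(key.lastIndexOf(".") + 1);
}

// Permissions the seed rule would grant to `role` from a given catalogue.
function seedFor(role: Tier, keys: string[]): string[] {
  const allowed = SEED_ACTIONS[role];
  return keys.filter((k) => allowed === "all" || allowed.has(actionOf(k)));
}

// `extra` widens the role beyond its seed tier; `missing` narrows it.
function auditRole(role: Tier, keys: string[], current: string[]) {
  const seed = new Set(seedFor(role, keys));
  const have = new Set(current);
  return {
    extra: current.filter((k) => !seed.has(k)).sort(),
    missing: keys.filter((k) => seed.has(k) && !have.has(k)).sort(),
  };
}

// Constructed subset of the catalogue, using keys named on this page.
const catalogueSubset = [
  "members.create", "members.edit", "members.delete", "members.merge",
  "giving.view", "giving.manage", "reports.approve", "reports.unlock",
  "users.manage", "messaging.send",
];

// Constructed current grants: a Viewer that gained write access and a
// Leader that gained report approval but lost member editing.
const viewerNow = ["giving.view", "members.edit"];
const leaderNow = ["members.create", "giving.view", "messaging.send", "reports.approve"];

console.log(auditRole("Viewer", catalogueSubset, viewerNow));
console.log(auditRole("Leader", catalogueSubset, leaderNow));
```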
Why these three and not seven?
Earlier versions of GCM shipped with named roles like Pastor, Shepherd, Treasurer, Worship Leader, and so on. We learned over hundreds of onboarding calls that those titles rarely matched what a given church actually meant by them: one church's Shepherd was another church's Leader, and Treasurer sometimes meant the person who counts cash and sometimes meant the person who signs the audit report. Hard-coding titles forced churches to either redefine their vocabulary to match ours or work around our defaults.
So we stripped it back to the three semantic tiers (full control, write access, read access) and made it trivial to spin up custom roles with the names your church actually uses. The walkthrough is in Create a custom role.
Editing what the defaults grant
You can toggle individual permissions on or off for any of the seeded roles. Open the Roles & Permissions tab, scroll the matrix to the column for the role, find the row for the permission, and flip the switch. The change writes to role_permissions_v2 immediately; any user with that role sees the new behaviour on their next page load.
WARNING
Stripping users.manage from Administrator and then signing out is one of the only ways to genuinely lock yourself out of the role catalogue. The Roles & Permissions tab itself requires users.manage. If you do this and you're the only Administrator, you'll need Recover a locked-out user to get back in.
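A pre-change check for the lockout described in the warning above, as an added example that is not GCM's own code: before a users.manage grant is removed from a role, confirm that at least one active user would still hold it through some role. The record shapes, the active flag, the "Office Manager" custom role and the sample rows are hypothetical and constructed; they do not reflect the actual role_permissions_v2 schema.

```typescript
// Added example: hypothetical in-memory shapes, not GCM's actual schema.
type RoleGrant = { role: string; permission: string };
type RoleAssignment = { userId: string; role: string; active: boolean };

const GUARD_KEY = "users.manage"; // required by the Roles & Permissions tab

// Users who would still hold GUARD_KEY once `revoke` is applied.
function holdersAfterRevoke(
  grants: RoleGrant[],
  assignments: RoleAssignment[],
  revoke: RoleGrant,
): string[] {
  const rolesWithKey = new Set(
    grants
      .filter((g) => !(g.role === revoke.role && g.permission === revoke.permission))
      .filter((g) => g.permission === GUARD_KEY)
      .map((g) => g.role),
  );
  const holders = new Set<string>();
  for (const a of assignments) {
    if (a.active && rolesWithKey.has(a.role)) holders.add(a.userId);
  }
  return Array.from(holders).sort();
}

// Refuse a revocation that would leave nobody able to open the role catalogue.
function checkRevoke(grants: RoleGrant[], assignments: RoleAssignment[], revoke: RoleGrant) {
  const holders = holdersAfterRevoke(grants, assignments, revoke);
  return holders.length === 0
    ? { allowed: false, reason: `no active user would retain ${GUARD_KEY}` }
    : { allowed: true, reason: `${holders.length} user(s) retain ${GUARD_KEY}` };
}

// Constructed sample data.
const sampleGrants: RoleGrant[] = [
  { role: "Administrator", permission: "users.manage" },
  { role: "Administrator", permission: "billing.manage" },
  { role: "Leader", permission: "members.edit" },
  { role: "Office Manager", permission: "users.manage" }, // hypothetical custom role
];
const sampleAssignments: RoleAssignment[] = [
  { userId: "u1", role: "Administrator", active: true },
  { userId: "u2", role: "Leader", active: true },
  { userId: "u3", role: "Office Manager", active: false }, // deactivated account
];

console.log(checkRevoke(sampleGrants, sampleAssignments,
  { role: "Administrator", permission: "users.manage" }));
```

The deactivated Office Manager account shows why the check counts active users rather than roles: a role that still carries users.manage does not help if nobody usable is assigned to it.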
Where to go next
- Create a custom role: when the defaults aren't enough.
- Granting permissions: the matrix in depth.
- Scoped permissions: restrict a Leader to one branch.
- Invite a user: assign these roles to a real account.