Understanding qbo user permissions is one of the most critical skills any QuickBooks Online administrator, bookkeeper, or ProAdvisor needs to master. When you add team members, employees, or outside contractors to your QuickBooks Online company file, you must decide exactly what each person can see, edit, create, and delete. Getting this wrong can expose sensitive financial data, allow unauthorized transactions, or create compliance headaches that take hours to unravel. The good news is that QBO has a layered, role-based permission system designed to give you granular control over every user's experience.
Understanding qbo user permissions is one of the most critical skills any QuickBooks Online administrator, bookkeeper, or ProAdvisor needs to master. When you add team members, employees, or outside contractors to your QuickBooks Online company file, you must decide exactly what each person can see, edit, create, and delete. Getting this wrong can expose sensitive financial data, allow unauthorized transactions, or create compliance headaches that take hours to unravel. The good news is that QBO has a layered, role-based permission system designed to give you granular control over every user's experience.
QuickBooks Online supports several distinct user types, and each type carries a different default level of access. The primary administrator holds the highest level of authority โ this person can add or remove other users, change subscription plans, and access every corner of the company file without restriction. Company administrators share most of these privileges but cannot manage billing or transfer primary admin status. Standard users occupy a middle tier, and their permissions can be customized across areas like sales, expenses, inventory, and reports. Time-tracking-only and reports-only users are purpose-built for specific job functions with minimal broader access.
For small business owners who rely on a single bookkeeper or accountant, getting permissions right is straightforward. But as organizations grow and more people need access โ sales staff entering invoices, purchasing managers approving bills, payroll clerks running pay runs โ the permission matrix becomes more complex. Each role needs enough access to do their job efficiently, but not so much that they can accidentally or intentionally alter records outside their responsibility. This principle of least privilege is a cornerstone of sound internal controls and is something the QuickBooks ProAdvisor certification exam tests you on directly.
One of the most common mistakes new QBO administrators make is defaulting to admin-level access for every user because it's the easiest way to prevent access complaints. This approach creates serious security risks. A single compromised login can give an attacker full control over your financial data, banking connections, and vendor records. It also violates segregation-of-duties requirements that many industries mandate. Properly scoped permissions ensure that no single user can both create a vendor and approve a payment to that same vendor โ a classic fraud prevention control.
QuickBooks Online's user permission settings live under the Manage Users section, accessible from the Gear icon in the upper right corner of any QBO company file. From there, you can invite new users via email, assign their user type, and customize their access levels before they ever log in for the first time. You can also edit permissions for existing users at any time without disrupting their work, and you can deactivate accounts instantly when an employee leaves โ an important step that many businesses overlook, leaving former employees with active access long after their departure.
For ProAdvisors working with multiple clients, understanding the difference between client-facing user permissions and accountant access is equally important. The Accountant user role in QBO is specifically designed for outside advisors โ it grants broad access for cleanup and review tasks while keeping the advisor's login separate from the client's regular team. ProAdvisors can even use the QuickBooks Online Accountant platform to access all of their clients' files from a single dashboard without needing to be listed as a standard user in each individual company file. This architecture makes permission management far more scalable across a large client base.
Whether you're preparing for the Certified QuickBooks ProAdvisor exam or simply trying to tighten up access controls for your own business or clients, building a thorough understanding of QBO's permission framework pays dividends across security, compliance, and operational efficiency. The sections below walk through each user type in detail, explain how to configure custom permissions, highlight common pitfalls, and give you the practical knowledge you need to administer user access with confidence.
The highest-level user in any QBO company file. Can manage billing, transfer admin status, add or remove all other users, and access every feature without restriction. Only one primary admin is allowed per company file at any time.
Nearly identical to the primary admin but cannot manage billing or assume the primary admin role. Ideal for trusted internal managers who need full operational access without billing authority. Multiple company admins are permitted per file.
The most configurable user type. Access can be set to all areas, limited to specific functions (like sales only or expenses only), or restricted to view-only. Perfect for employees whose job function touches only part of the accounting workflow.
Gives a user read-only access to QuickBooks reports without exposing underlying transaction data or allowing any edits. Useful for executives, investors, or department heads who need financial visibility but should not touch the books directly.
Restricts a user to entering and editing their own timesheets only. No access to financial data, reports, or other users' records. Designed for hourly employees or contractors who need to log hours but have no other accounting role.
Setting and customizing permissions in QuickBooks Online begins in the Manage Users panel. To reach it, click the Gear icon in the upper right corner of your QBO dashboard, then select Manage Users under the Your Company column. From this screen you'll see a list of all current users, their user types, and their status โ Active, Invited, or Inactive. To add a new user, click the Add User button, select their user type from the dropdown menu, and enter their email address. QBO will send them an invitation link that they must accept before their account becomes active.
When you select Standard User as the user type, QBO presents you with a multi-step customization wizard. The first screen asks you to choose between All Access, Limited, and Time Tracking Only within the standard tier. If you choose Limited, a second screen breaks access into five categories: Sales and Customers, Purchases and Vendors, Checking and Credit Cards, Payroll, and Sensitive Accounting Activities. You can toggle each category on or off, and for some categories you can choose between view-only and full edit access, giving you a two-dimensional permission matrix for each user.
The Sensitive Accounting Activities toggle deserves special attention. This setting controls whether the user can access functions like voiding transactions, modifying the chart of accounts, managing 1099 contractors, and making journal entries. For most non-accountant staff, this toggle should remain off. Enabling it for standard employees significantly increases the risk of accidental or intentional data modification. Even well-intentioned employees can cause serious accounting damage if they accidentally void a cleared transaction or delete a reconciled entry without understanding the downstream consequences.
Payroll permissions in QBO are handled somewhat separately from other access areas. Because payroll data contains sensitive personal information โ Social Security numbers, bank account details, salary information โ QBO restricts payroll access to users who are explicitly granted it. Even company administrators do not automatically see payroll data unless it is specifically enabled for their role. When you grant a user payroll access, you should verify that this is truly necessary for their job function and document the business reason for the access, especially in environments subject to HR compliance audits.
Editing permissions for existing users is equally straightforward. From the Manage Users screen, click the dropdown arrow next to any active user and select Edit. You'll see the same permission wizard you used when creating the account, and you can adjust any setting immediately. Changes take effect in real time โ the user does not need to log out and back in for most permission updates to apply. However, some changes, particularly to payroll access, may require the user to refresh their session to see the updated menu options in their interface.
Deactivating a user account is a critical step that many businesses delay or forget entirely. When an employee leaves, their QBO account should be deactivated the same day โ ideally within the same hour. From the Manage Users panel, click the dropdown next to the departing user and select Delete. QBO will confirm the action.
The user's historical transactions remain intact; only their login access is removed. If the user later rejoins the company, you can re-invite them with a new email-based invitation. Best practice is to incorporate QBO account deactivation into your formal employee offboarding checklist so it never gets skipped.
For ProAdvisors managing client files, the Accountant user role operates somewhat differently from standard users. When a client invites you to their QBO file as an Accountant, you gain access through QuickBooks Online Accountant rather than through the client's Manage Users panel directly. Your access level is pre-set at a high administrative tier appropriate for bookkeeping and tax review work, but the client retains control and can revoke your access at any time. This model protects clients while giving accountants the broad access they need to do their work effectively and efficiently.
The Sales and Customers permission area controls whether a user can create estimates, invoices, sales receipts, credit memos, and customer records. You can grant full access โ allowing the user to create, edit, delete, and void all sales transactions โ or limit them to view-only access, which lets them see customer balances and transaction history without making any changes. For sales staff who primarily need to enter new invoices and check payment status, a limited create-and-view permission set is usually the right balance.
One nuance in the sales permission area is that access to customer contact information is tied to this toggle. If a user has sales access turned off, they generally cannot view the Customers list or pull up individual customer profiles. This can affect users who work in customer service roles and need to look up contact details but should not be creating or editing financial transactions. In those cases, a Reports Only user role may be a better fit than a Standard User with restricted sales access.
The Purchases and Vendors permission area governs access to bills, purchase orders, vendor credits, check writing, and the vendor list itself. Granting this permission allows a user to enter bills from vendors, mark bills as paid, and manage vendor records including bank account details for ACH payments. Because this area touches outgoing cash flow directly, it carries meaningful fraud risk if assigned carelessly. Separating the ability to enter bills from the ability to approve and pay them is a foundational internal control that QBO permissions support through careful role assignment.
When a user has expense access, they can also see the 1099 eligibility settings on vendor records if Sensitive Accounting Activities is also enabled. For businesses that file 1099-NEC forms for contractors, this is an area where permission overlap can create compliance risk. Limit 1099 management to accountants or administrators who understand the tax implications of marking a vendor as a 1099 contractor incorrectly. The majority of expense-entry staff do not need access to this setting and should have it restricted through the Sensitive Accounting Activities toggle.
The Banking and Credit Cards permission area is among the most sensitive in QBO. Users with this access can connect bank feeds, match transactions, create bank rules, and initiate transfers between accounts. In QuickBooks Online Plus and Advanced, this area also intersects with the ability to run bank reconciliations. Restricting banking access to only the bookkeeper or administrator responsible for reconciliation prevents other staff from accidentally accepting incorrect matches or creating bank rules that misclassify transactions going forward.
Sensitive Accounting Activities is a cross-cutting permission that amplifies the risk of every other access area. A standard user with sales access but without Sensitive Accounting Activities cannot void an invoice โ they can only mark it as sent or paid. Add Sensitive Accounting Activities and suddenly that same user can void historical transactions, access journal entries, and modify the chart of accounts. Reserve this toggle for accountants, bookkeepers, and administrators only. Training all users on why certain permissions exist helps build a culture of data stewardship that reduces both accidental and intentional misuse.
Giving every user only the access they need to do their specific job โ and nothing more โ is called the principle of least privilege. In QuickBooks Online, this means most employees should be Standard Users with limited, customized access rather than Company Administrators. A sales rep needs invoice creation access, not bank reconciliation or chart-of-accounts editing. Applying least privilege from day one dramatically reduces both accidental data corruption and deliberate fraud risk.
Common permission mistakes in QuickBooks Online tend to fall into two categories: over-granting access out of convenience and under-maintaining permissions as roles evolve. Over-granting is the more dangerous of the two. When a new employee joins and needs QBO access quickly, the path of least resistance is to click Company Administrator and move on. But this gives that person complete control over your financial data, including the ability to delete transactions, modify bank connections, and change other users' access levels. The five extra minutes it takes to configure a properly scoped Standard User account is time very well spent.
Under-maintaining permissions happens when employees change roles but their QBO access doesn't change with them. A bookkeeper who is promoted to a managerial position may no longer need hands-on transaction entry access, but their original permissions remain active unless an administrator manually updates them. Conversely, a new manager may need access to financial reports they didn't require in their previous role. Without a periodic access review process โ ideally quarterly โ permission drift accumulates and you end up with a user list that no longer reflects actual job functions or organizational structure.
Another frequent mistake involves the accountant user slot. Many small businesses are unaware that QBO provides two dedicated accountant user seats at no additional cost. These seats are specifically designed for outside accountants and bookkeepers and grant a level of access appropriate for financial review and cleanup work. When business owners invite their accountant as a Company Administrator instead of using the Accountant user type, they miss out on the cleaner separation that the dedicated role provides. They also fill a standard user seat unnecessarily, which can matter on subscription plans with user-count limitations.
Payroll permission mistakes carry especially high stakes. Because QBO's payroll module stores Social Security numbers, direct deposit bank account details, and salary information, improper access to this data can create serious privacy and compliance exposure. Under employment law and data protection regulations, businesses have an obligation to limit access to employee personal information on a need-to-know basis. Routinely auditing who has payroll access enabled in QBO โ and removing it from anyone who doesn't actively manage payroll โ is a compliance best practice that also reduces identity theft risk significantly.
A subtler mistake involves the Sensitive Accounting Activities toggle and its effect on historical data. Many administrators enable this setting for standard users because those users need to create journal entries for specific adjusting entries or accruals. But they don't realize this same toggle also grants the ability to void and delete previously reconciled transactions.
A user who voids a cleared check from last quarter can throw off an already-completed bank reconciliation without any automatic warning from QBO. The right solution is usually to assign journal entry work to a dedicated accountant user rather than enabling sensitive access for standard users.
Permission documentation is an overlooked but important part of QBO administration. Many businesses configure permissions carefully but never write down what each user can access or why. When questions arise โ during an audit, after a data discrepancy, or when the administrator leaves โ there's no record of the intended permission structure. A simple spreadsheet listing each user's name, user type, enabled access areas, and the date permissions were last reviewed can save enormous time during any investigation or transition. Some ProAdvisors include permission documentation as part of their standard client onboarding deliverable.
Finally, many QBO administrators forget to review the invited-but-not-accepted user list. When you send a QBO invitation to a new user and they never click the acceptance link, their invitation sits in a pending state indefinitely. These pending invitations don't grant active access, but they do represent a dangling credential that could be accepted at any future time โ even after the person's employment has ended.
Periodically review your Manage Users list and revoke any invitations that have been pending for more than two weeks. Re-invite if the access is still needed; otherwise clear the invitation to keep your user list clean and controlled.
QuickBooks Online user permissions are a recurring topic on the Certified QuickBooks ProAdvisor exam, and understanding this subject deeply gives you an edge in both the certification and real-world client work. The ProAdvisor exam tests not just your ability to recite user type names but your ability to apply permission concepts to realistic business scenarios.
You might be presented with a case where a client's bookkeeper accidentally voided a reconciled transaction and asked which permission setting would have prevented the issue โ the answer being Sensitive Accounting Activities. These scenario-based questions reward candidates who have internalized the why behind each permission, not just the what.
The exam also tests your knowledge of the Accountant user role specifically, including how it differs from a Company Administrator and what unique capabilities it provides. Accountant users in QBO can access the Accountant Toolbox โ a set of functions including Reclassify Transactions, Write Off Invoices, and the Period Copy feature โ that are not available to any other user type.
These tools are designed for end-of-period cleanup and tax preparation work. Knowing that these tools exist exclusively for Accountant users, and being able to explain why they're restricted, demonstrates the kind of platform expertise the ProAdvisor credential is designed to validate.
ProAdvisors working with multiple clients should also understand how user permission management scales across the QuickBooks Online Accountant (QBOA) platform. When you log in to QBOA, you see your entire client list from a single dashboard. Each client file you access through QBOA uses your Accountant user seat in their file rather than a standard seat.
This means your ProAdvisor access does not count against the client's user limit, and it keeps your credentials cleanly separated from their internal team members. Managing this distinction correctly โ and explaining it to clients who may be confused about how many users they have โ is a practical ProAdvisor skill that comes up frequently in client onboarding conversations.
From a study perspective, the most effective way to prepare for permission-related exam questions is to practice in a real QBO environment. Intuit offers a free test-drive company file that lets you explore the interface without risking any real data. Use it to navigate to Manage Users, experiment with adding different user types, and observe how the permission wizard changes based on the user type you select. Hands-on exploration builds the muscle memory that helps you answer scenario questions faster and more accurately than passive reading alone.
Time management matters on the ProAdvisor exam, and permission questions are among the faster ones to answer if you know the material well. Each user type has a clear, distinct profile: Primary Admin controls everything, Company Admin controls everything except billing, Standard User is customizable, Accountant gets the Toolbox, Reports Only gets read access, and Time Tracking Only gets timesheets. Drilling these distinctions with practice questions until they feel automatic means you won't be burning time on them during the real exam and can redirect that time to harder questions in payroll or advanced accounting.
Beyond the exam, mastering QBO user permissions delivers ongoing professional value. Clients frequently ask ProAdvisors to set up their QBO file for a new hire, review whether their current permissions make sense, or help them respond to an audit that included questions about financial data access controls. A ProAdvisor who can quickly assess a client's user list, identify permission gaps or over-grants, and implement best-practice access controls is providing a service with real risk-reduction value โ the kind of value that justifies advisory fees rather than just hourly bookkeeping rates.
The investment you make in learning QBO user permissions thoroughly pays off across every client relationship and every exam question that touches access, security, or internal controls. As QuickBooks Online continues to expand its user management features โ including forthcoming improvements to permission audit trails and role templates โ the ProAdvisors who already have a strong conceptual foundation will adapt quickly while others are still catching up. Start with the fundamentals covered in this guide, reinforce them with hands-on practice, and use the quiz resources here to test your knowledge before sitting for the certification.
Putting QBO user permissions knowledge into daily practice requires building a few simple habits that keep your client files secure and your user lists current. The most impactful habit is the quarterly access review โ a ten-minute exercise where you open the Manage Users panel for each active client file and verify that every user's name, role, and permission set still matches their current job function. Staff changes more frequently than most administrators remember, and a quarterly review catches drift before it becomes a problem. Mark it on your calendar like any other recurring accounting task.
When onboarding a new client, make user permissions part of your initial discovery conversation. Ask the client to describe who currently has QBO access, what each person does with it, and whether they've ever had a situation where someone accidentally changed or deleted something important.
These questions often surface existing permission problems the client didn't realize were problems โ an admin login shared among three staff members, a departed employee's account still active, or the owner's spouse listed as a Company Administrator because they once needed to check a report. Your assessment adds immediate value even before you touch a transaction.
For clients with five or more QBO users, consider creating a simple permission matrix document โ a one-page table listing each user, their type, the date their access was set up, and which permission areas are enabled. Share this with your client as part of your annual review or QuickBooks health check.
Not only does this give the client visibility into their own security posture, it positions you as a proactive advisor rather than a reactive fixer. Clients who receive this kind of proactive guidance are more likely to retain you year over year and to refer others to your practice.
When training client staff on QBO, spend a few minutes explaining the permission boundaries each person operates within. A sales associate who understands they cannot void an invoice โ and why โ is less likely to feel frustrated when they try and are blocked. They're also less likely to ask an administrator to give them broader access just because a task came up once. Helping clients understand the business reason for permission restrictions builds buy-in and reduces access-creep over time, keeping your carefully configured permission structure intact as the team grows.
For clients in regulated industries โ healthcare, financial services, legal, nonprofits receiving federal grants โ user permissions are not just a best practice but a compliance requirement. These clients may need you to document their QBO permission structure for auditors, provide evidence of access controls as part of a SOC 2 review, or demonstrate that payroll data access is limited to specific named individuals. Build this documentation into your engagement scope for regulated clients and charge accordingly โ the work has real compliance value that extends well beyond routine bookkeeping.
Finally, stay current with Intuit's product updates as they relate to user management. QuickBooks Online releases product updates on a rolling basis, and features like custom roles, enhanced permission reporting, and manager-level approval workflows have been on the Intuit roadmap. Following the QuickBooks Blog, attending ProAdvisor training webinars, and participating in the QuickBooks Community forum keeps you ahead of changes that affect how you advise clients. The ProAdvisors who stay current with platform evolution consistently outperform those who rely on knowledge they acquired at certification time and never updated.
Ultimately, QBO user permissions is a topic where knowledge compounds. Each client engagement teaches you something new about how businesses structure their financial teams, where the biggest access risks tend to emerge, and how to configure permissions that hold up under real-world pressure. The patterns you learn with your second client make you faster and smarter with your third. By the time you're advising your tenth or twentieth client on their QBO setup, user permissions will feel intuitive โ and that expertise shows in the quality and efficiency of your work in ways clients notice and value deeply.