QuickBooks Online Advanced · Feature
QuickBooks Online Advanced custom user roles: what they do & how to set them up well.
Custom user roles are an Advanced-tier capability in QuickBooks Online: instead of the limited preset roles the lower tiers offer, you define granular permissions so each user sees and does only what their role actually needs. The point is control — least-privilege access, especially around banking, payroll, and vendor payments, and segregation of duties so the person who enters bills isn’t the one who pays them. Below: what the feature does, how to design roles and permissions well, and when a ProAdvisor should build the roles for you. Requires the Advanced tier. Independent firm, not affiliated with Intuit Inc.
QuickBooks Online Advanced custom user roles let you define your own roles with fine-grained permissions, so each user can view and do only what their job requires — rather than the broad, fixed preset roles the lower tiers offer. You build a role as a named bundle of permissions across areas like banking, expenses, sales, payroll, and reports, then assign it to one or more users. Done well, roles enforce two internal controls: least-privilege, where each user gets the minimum access their work needs (especially for banking, payroll, and vendor payments), and segregation of duties, where the person who enters bills isn’t the same person who pays them. Custom roles require the Advanced tier, and they control who can do what — they don’t replace the reconciliation and review that confirm the books are actually correct.
Reference maintained by the Certified QuickBooks ProAdvisor team at TechBrot Inc., an independent firm — not Intuit, and not Intuit’s official software support. Not affiliated with Intuit Inc.
QuickBooks Online Advanced custom user roles, in five questions.
What do QuickBooks Online Advanced custom user roles do?
They let you define granular roles with fine-grained permissions, so each user sees and does only what their job needs — for example, a clerk who can enter bills but not pay them, or a reviewer who can see reports but not edit transactions. Custom roles are a capability of the Advanced tier; lower tiers offer only a small set of fixed preset roles.
How are custom roles different from the preset roles in lower tiers?
Lower QuickBooks Online tiers give you a handful of preset roles — broad buckets like standard user or reports-only — that you can’t reshape. Advanced adds custom roles: you choose specific permissions for areas like banking, expenses, sales, payroll, and reports, then assign the role to a user. The point is to fit access to the actual job instead of forcing it into a preset.
What is least-privilege access in QuickBooks Online?
Least-privilege means giving each user the minimum access their role actually requires, and nothing more — especially for sensitive areas like banking, payroll, and vendor payments. Custom roles in Advanced make this practical: instead of granting broad access because it’s easier, you build a role that grants only what the person needs to do their work, which limits both mistakes and the blast radius if an account is compromised.
What is segregation of duties, and can QuickBooks enforce it?
Segregation of duties is an internal control where no single person handles a whole sensitive process end to end — classically, the person who enters bills isn’t the same person who pays them. Advanced custom roles let you design permissions that separate those duties so the control is built into who-can-do-what, rather than relying on everyone behaving. It reduces both error and the opportunity for fraud.
Do I need an accountant to set up custom user roles?
Not for a tiny team with one or two users. A Certified ProAdvisor earns their fee when you have several users, sensitive functions like payroll or vendor payments, or a need to prove segregation of duties — designing roles that enforce the control cleanly takes judgment. We configure roles inside your own QuickBooks file; an independent firm can’t touch your Intuit account or login.
What QuickBooks Online Advanced custom user roles are, plainly.
A custom user role is a named bundle of permissions you define in QuickBooks Online Advanced — a set of choices about what a user holding that role can view, create, edit, or delete across areas like banking, expenses, sales, payroll, inventory, and reports. You build the role once and assign it to one or more users. This is the Advanced tier’s answer to a real limitation of the lower tiers, which offer only a handful of fixed preset roles you can assign but not reshape.
The value is granularity. Instead of fitting a person into a broad preset, you tailor access to the actual job: a clerk who can enter bills but not pay them, a reviewer who can read reports but not edit the transactions behind them, a salesperson who can raise invoices but never touch payroll. Two internal controls fall out of doing this deliberately. Least-privilege means each user gets the minimum access their work requires and nothing more — especially for sensitive areas like banking, payroll, and vendor payments. Segregation of duties means no one person runs a sensitive process end to end — classically, the person who enters bills isn’t the one who pays them.
Custom roles are a strong control, but it’s worth being precise about what they are not. They govern who can do what; they don’t, on their own, prove the books are right or catch a problem after it happens. You still reconcile, review, and watch for anomalies. We describe QuickBooks Online Advanced’s behavior as it actually works — we don’t claim capabilities the feature doesn’t have, and which plan includes what is a detail to confirm with Intuit.
What QuickBooks Online Advanced custom user roles do.
The moving parts of the capability, in the order you meet them — from the tier requirement through the controls that make roles worth designing carefully.
Part 01 · Custom roles are an Advanced-tier capability
Defining your own roles with granular permissions is a feature of QuickBooks Online Advanced. Lower tiers give you a limited set of fixed preset roles you can assign but not reshape. If you need access tailored to specific jobs — rather than the broad buckets a preset offers — that tailoring lives in Advanced. We describe what the tier actually does and don’t claim it for plans that don’t have it.
Part 02 · A role is a named bundle of permissions
A custom role is a named set of permissions — what a user holding that role can view, create, edit, or delete across areas like banking, expenses, sales, payroll, inventory, and reports. You build the role once, then assign it to one or more users. Because the permissions live on the role, you can change access for a whole class of users by editing the role instead of every person individually.
Part 03 · Permissions are granular, area by area
Custom roles let you grant access at the level of specific functions — for instance, allowing someone to enter and view expenses without giving them the ability to send payments, or to run reports without editing the transactions behind them. That granularity is the whole value: access fits the job. The trade-off is that a role built carelessly can grant far more than intended, which is why deliberate design matters.
Part 04 · Least-privilege keeps access tight
The principle that makes roles safe is least-privilege: give each user the minimum access their work requires and nothing more, especially around banking, payroll, and vendor payments. Broad access is easier to hand out and harder to undo — and every extra permission is something that can be misused or mistakenly changed. A least-privilege role grants narrowly on purpose.
Part 05 · Segregation of duties is a built-in control
Roles let you separate sensitive duties so no one person controls a whole process. The classic example: the person who enters bills should not be the person who pays them. Building that split into the roles makes the internal control structural — it doesn’t depend on people remembering to behave — and it reduces both honest error and the opportunity for fraud.
The limit · What roles do not do: replace review
Custom roles control who can do what; they don’t, on their own, prove the books are right or catch a problem after it happens. Access controls reduce risk, but you still review the books, reconcile, and watch for anomalies. Treat roles as one internal control among several — powerful for limiting access, not a substitute for the oversight that confirms the work is accurate.
How to set up roles & permissions well.
Six steps, in order. The first three are design; the rest are the habits that keep access tight instead of letting it quietly drift.
Map who does what before you build
Before creating a single role, list each person and the tasks their job actually involves — entering bills, paying vendors, invoicing customers, running payroll, viewing reports. Roles should follow real responsibilities, not the org chart or convenience. This map is what turns role design from guesswork into a deliberate match between access and job.
Build roles to least-privilege
For each role, grant only the permissions the job requires and leave the rest off — particularly for banking, payroll, and vendor payments. It’s tempting to grant broadly so no one is ever blocked, but every extra permission is risk. Start narrow; you can always add a permission when a real need appears, which is far safer than clawing access back later.
Separate duties for sensitive processes
Design roles so the person who enters bills is not the one who pays them, and similar splits for any process where one person controlling the whole chain is a risk. This segregation of duties is a core internal control. Where the team is too small to split every duty, document the compensating review that fills the gap rather than ignoring it.
Assign roles to users and verify access
Assign each user the role that matches their job, then verify what they can actually see and do — ideally by checking from their perspective — rather than assuming the permissions landed as intended. A role that grants more than you meant is silent until something goes wrong; confirming access at assignment time is the cheapest place to catch it.
Review access on a schedule
Access drifts: people change jobs, take on new duties, or leave, and roles that fit a year ago may now grant too much. Review who has which role on a regular schedule — quarterly is reasonable for most firms — and remove access promptly when someone’s role changes or they depart. Stale access is one of the most common control weaknesses.
Treat roles as one control, not the only one
Roles limit who can do what, but they don’t confirm the work is correct. Keep reconciling, keep reviewing the books, and keep watching for anomalies. Well-designed roles make the other controls more effective by narrowing who can affect the numbers — they don’t replace the oversight that proves the books are true.
Want roles that enforce your controls, or drifted access reset?
A Certified ProAdvisor reviews the file free, then maps responsibilities, designs roles to least-privilege, and separates sensitive duties — a focused role design is typically a $1,200–$3,000 fixed-fee scope; cleanup runs $1,500–$15,000+ if the books are behind. Independent firm.
When a ProAdvisor should help.
Several users with mixed responsibilities
Once more than a couple of people touch the books — some entering transactions, some paying, some only viewing — designing roles that fit each job without granting too much takes judgment. Getting the roles right from the start is far cheaper than discovering, after the fact, that the bookkeeper could also send payments. It’s exactly what a ProAdvisor sets up cleanly.
Sensitive functions: payroll and vendor payments
Payroll and vendor payments are where loose access does the most damage. A ProAdvisor builds roles that keep those functions tight — least-privilege on the sensitive areas — and separates who can initiate a payment from who can approve or record it, so a single person can’t run a sensitive process end to end. That’s the heart of designing roles that enforce segregation of duties.
When you need to prove segregation of duties
If a lender, an auditor, an investor, or your own risk posture requires demonstrable internal controls, ad-hoc permissions won’t cut it. A ProAdvisor designs a role structure that enforces segregation of duties deliberately and documents it — so the control is real and defensible. If access has already drifted and the books show the strain, that’s a file review and a fixed-fee scope to reset both the roles and the books.
A Certified ProAdvisor designs the roles inside your own books.
Creating a role takes a minute; designing roles that actually enforce your controls is the real work. A Certified QuickBooks ProAdvisor maps who does what, builds each role to least-privilege, and separates sensitive duties — so the person entering bills isn’t the one paying them — then assigns roles and sets a review cadence so access doesn’t drift. Where access has already grown loose and the books show the strain, we reset both the roles and the file — against a written scope, inside your own QuickBooks Online file. Independent firm — not Intuit, and not Intuit’s software support; an Intuit account, login, or billing matter stays with Intuit.
Free
file review first — we look before we scope
$1,200–$3,000
typical fixed-fee scope to design roles and permissions
Independent
Certified ProAdvisor firm — not Intuit, not Intuit’s software support
What people ask about QuickBooks Online Advanced custom user roles.
Is this Intuit’s official QuickBooks support?
Do I need QuickBooks Online Advanced for custom user roles?
What is the difference between a preset role and a custom role?
What is least-privilege, and why does it matter for access?
How do custom roles help with segregation of duties?
How often should I review who has access?
Can you set up custom user roles in my QuickBooks Online file?
Will custom roles on their own keep my books accurate?
Want roles that actually enforce your controls, or access that’s drifted reset?
We design custom roles and permissions inside your own QuickBooks file.
Mapping who does what, building roles to least-privilege, and separating sensitive duties so the control is structural is operational internal-control work — what an independent ProAdvisor firm does inside your books. Start with a free file review; a focused role design is typically a $1,200–$3,000 fixed-fee scope, and if access has drifted and the books show the strain, a full cleanup runs $1,500–$15,000+. Written scope before any work begins.