Users & Permissions

Whilst the recent enforcement of 2FA (via email) is a welcome addition to the security of High-Level, email based 2FA is unfortunately one of the least secure 2FA methods. So, please add more 2FA options. Including at a minimum TOTP codes (a global standard) that people can use through whatever TOTP App they use. (E.g. Authy, Duo, Google Authenticator, Microsoft Authenticator etc). And at the same time, please: Allow an agency to select what 2FA options they will allow to be used across their clients. Allow Admins of a sub-account to also have this level of functionality to select what 2FA options users in their Sub-Account can use IF the Agency gives it to them.

Small business owners also employ people and provide salary to them. If we add the HR features such as employee timesheet tracking and payroll processing for team members in Go high level, then our platform will be even more appealing to small business owners who wants to use our platform.

Requesting a feature that allows an admin to temporarily view the system exactly as a specific user or role. This would streamline permission troubleshooting, confirm visibility settings, and remove the need for test accounts or manual permission switching.

I need a way to limit the number of employees that a sub-account owner can add to their account AND even prevent a sub-account owner from adding employees all together. I would also like the option to charge an incremental amount to the sub-account owner by how many employees they add. Even further, by including these settings in a snapshot, it would help automate the process of granting user permissions based on the SaaS plan or snapshot selected. By adding more granular control of 'User Permissions' within various sections and items under, this could be achieved. For example, the User Permissions for Settings could have sub settings to check on or off each of the items under each category. For example within Settings, we would have a toggle for each of the following items: MY BUSINESS Business Profile My Staff Pipelines BUSINESS SERVICES Calendars Phone Numbers Reputation Management Profile OTHER SETTINGS Custom Fields Custom Values Domains Media URL Redirects Integrations Email Services Conversation Providers Tags Labs Audit Logs

Description There is a critical platform vulnerability that allows user records, including Agency Admin accounts, to be overwritten with data from unrelated contacts or sub-account users. This includes overwriting authentication fields such as phone numbers used for MFA and 2FA. This can occur during imports, cross-scope updates, API activity, or system processes. Audit logs show the update as if the admin performed it, even when they did not. This leads to lockouts, loss of access, inaccurate audit attribution, and no safeguards to prevent the overwrite. Problem Summary An Agency Admin authentication phone number was replaced by a sub-account user’s number. The system allowed this with no conflict checks, duplicate detection, or permission validation. Audit logs incorrectly attributed the change to the admin. The admin was locked out due to 2FA failure. This shows that lower-scoped user data can overwrite higher-privileged accounts. Current safeguards only protect contact records, not user records. Why This Must Be Addressed Authentication fields for Agency Admins should not be changeable by imports, automation API activity, or sub-account processes. Overwriting the login phone or the login email is a security risk. Audit logs cannot currently distinguish between manual actions and automated system updates. This vulnerability can lock out administrators, corrupt user identity data, and undermine confidence in platform security. Agencies with multiple sub-accounts and frequent imports are most at risk. Proposed Solution Protect authentication fields, such as login email and MFA phone, so they cannot be overwritten by imports, automations, or API calls across scopes. Require explicit re-authentication when authentication fields are changed. Prevent sub-account user data from updating the agency-level user records. Improve audit logs to clearly distinguish manual actions, import automation, and system-generated updates. Add conflict detection and duplicate warnings for user-level data, similar to contact protections. Provide a setting allowing admins to lock authentication fields from automated updates. Impact Without This Feature Agency Admins can be locked out due to unauthorized MFA changes. Data integrity is compromised when lower-scoped records overwrite high-privilege accounts. Support teams cannot accurately determine the cause due to vague audit logs. Agencies cannot safely use import workflows or API integrations without risk. Overall trust in the platform security model is weakened. Summary HighLevel needs stronger security controls to prevent cross-scoped overwrites of user data, especially authentication fields for Agency Admins, Agency Owners, and other privileged roles. Authentication data should be protected, audit logs must clearly identify the true update source, and imports or system processes must never overwrite admin identity fields.

We want to be able to give our users access to certain fields and hide certain confidential fields from them. A great example would be, hiding a person's Social security number from Customer Support and showing it to a user that actually needs to know it. Many CRM's already offer this (Like Microsoft Dynamics 365), it's time GHL does the same, as it is curtail to maintain data security

Add Assigned Users as custom values. So we can say AssignedUserName, here from CompanyName.

I would like to request a new feature: the ability to freeze or temporarily suspend an agent’s user account. In certain situations, we need to hold, restrict, or freeze an agent’s access—especially during internal reviews, compliance checks, or team restructuring.

I have users on my account that need to have visibility of account/all opportunities but want them removed as Users to be able to assign opportunities to in the 'Users' dropdown on the Opportunities page/board