Short Summary: We need a customizable "Support Specialist" agency role that grants global access to all sub-accounts by default, but allows admins to selectively enable or disable specific Agency-level tabs per user. This role must also include strict account exclusions or warning popups for sensitive/PHI data, backed by a comprehensive QA change log. The Problem: As agencies scale, we hire support employees who need to "stay in their lane." Currently, GHL's permission structure fails us in two major ways: Data Exposure: To allow a support agent to see the global list of sub-accounts and jump in to help clients, we have to give them Agency-level access. However, this exposes highly sensitive agency-level information (billing, agency revenue, internal settings, marketplace purchases). Support employees should never see how the agency itself operates financially. "All-or-Nothing" Permissions: We cannot customize what an agent can see at the Agency level. We can't let them look at the Sub-Accounts tab while completely hiding the Billing or Marketplace tabs. Proposed Solution: Absolute Agency Isolation (By Default) The Support Specialist role must be completely blind to sensitive Agency-level data by default. They should not see Agency Billing, Agency Settings, Team Management, SaaS Configurator, or Marketplace, keeping their primary focus strictly on navigating and accessing sub-accounts. Granular, Per-User Agency Tab Toggles Within the Team Management settings, Admins should be able to toggle specific Agency-level tabs on or off per support user. For example, an admin can enable the "Sub-Accounts" tab so the agent can see the global list and jump into any account to solve a ticket, while keeping "Billing" and "SaaS Configurator" completely hidden. Selective Account Exclusions & HIPAA Safeguards To protect client privacy, admins need a way to manage access to sensitive accounts. We propose two options: Exclusion Toggle: A simple checklist to "Exclude Access" to specific sub-accounts from that agent's global list. HIPAA/PHI Gate: A mandatory confirmation pop-up that appears when an agent attempts to enter a designated sensitive account (e.g., "Warning: This is a HIPAA-compliant account containing PHI. Do you have authorization to enter?"), which is then tracked. Robust QA Audit Logs A dedicated agency-level change log tracking actions taken specifically by these support users. To protect the business and maintain Quality Assurance, admins must be able to see: Who made the change, when, in which sub-account, and what exact setting/workflow was modified. Why This Benefits the GHL Community: Internal Security: Prevents employee data-theft, accidental deletion of critical agency assets, and exposure of confidential agency financials. Operational Flexibility: Allows agency owners to safely hire support teams to manage high-volume ticketing across all accounts without giving away the keys to the kingdom. Compliance: Gives agencies the precise control and audit trails required to sign enterprise clients and maintain strict HIPAA compliance.