CrewBase
Get started

Product guide

How CrewBase works.

Everything CrewBase does, in one place. Read it cover-to-cover or jump straight to the section you need.

On this page

What is CrewBase?

CrewBase is a multi-tenant SaaS that gives each company a branded employee portal. Employees use it to submit vacation, overtime, expense, document, and HR requests. Managers and admins approve them. Every action is timestamped and auditable.

Each company gets its own subdomain (e.g. acme.crewbase.app), its own logo and color, and its own employees, requests, and policies. Companies are completely isolated — one tenant's data is never visible to another.

Built for small businesses (5–150 employees). Not a full ERP. CrewBase focuses on the request → approval → audit workflow, with onboarding, policy acknowledgement, and case management built in.

Roles & permissions

Every user has exactly one role per company. Roles are hierarchical: higher roles inherit everything lower roles can do, plus more. This section walks through who each role represents in a real company, what they can and can't do, and how to assign roles when your team is small.

Hierarchy — each role inherits everything below it

  1. Owner

    Final say. Manages billing.

  2. Admin

    Day-to-day operator. HR + system config.

  3. Manager

    Approves their team's requests.

  4. Employee

    Submits requests. Default for everyone.

The four roles in detail

Owner

Highest authority · 1+ per company

The person (or people) ultimately accountable for the business. Owns the relationship with CrewBase as a vendor, controls billing, and has the final say on company-wide settings.

Who plays this role in your company

Tech startup (5–30 people)

The CEO or technical co-founder.

Restaurant / café

The proprietor — the person whose name is on the lease.

Marketing agency

The founder + maybe a partner. Not the account managers.

Family business

Whichever family member runs it day-to-day.

✓ Can

  • Everything an Admin can do
  • Configure branding (logo, color, subdomain)
  • Create and launch policy campaigns
  • Invite, remove, or change the role of any user including other Owners
  • Access every company-wide setting
  • Cancel the CrewBase subscription

✗ Can't

  • Read confidential workplace concerns submitted by themselves about themselves (the case engine still respects who-can-see-what)

Quick signal

If you're the one who'd field a phone call from CrewBase support about billing, you're the Owner.

Admin

Day-to-day operator · usually 1–3 per company

The person who actually runs HR + people operations. Configures the system, approves the tricky requests, manages employee records, runs onboarding / offboarding, sees confidential cases.

Who plays this role in your company

Tech startup

Head of People, or an Operations Manager wearing the HR hat.

Restaurant / café

The general manager. Often the same person as the Owner in a small shop.

Marketing agency

Office manager or operations lead.

Manufacturing / retail (50+ people)

HR Manager or HR Coordinator. Usually 1 per location.

✓ Can

  • Approve any request (including the second step of two-step flows like expense reimbursements)
  • Add, edit, deactivate employees and departments
  • Configure request types, workflows, and visibility rules
  • Kick off onboarding and offboarding workflows
  • Read & manage confidential workplace concerns
  • Export full request history to CSV

✗ Can't

  • Change billing or cancel the subscription
  • Edit company-wide branding without asking the Owner
  • Demote the Owner

Quick signal

If you're the person employees actually email when they need vacation approved, you're the Admin.

Manager

Approves their team's requests · scales with team count

Anyone with direct reports. Manages a team and approves the day-to-day requests their reports submit. Limited visibility — they only see their own team, not the rest of the company.

Who plays this role in your company

Tech startup

Engineering Manager, Design Lead, Sales Director.

Restaurant / café

Shift supervisor, kitchen manager, FOH lead.

Marketing agency

Account Director, Creative Director, Department Head.

Retail with multiple stores

Each store manager.

✓ Can

  • Approve, reject, or request more info on any request submitted by their direct reports
  • View their team's requests and full history
  • Comment on requests for context
  • Submit their own requests (which then go to their own manager / admin)

✗ Can't

  • See requests outside their team
  • Manage employees or departments
  • Configure request types or workflows
  • Read confidential workplace concerns (those go straight to Admin)

Quick signal

If their org-chart-children would email them asking for vacation today, they're a Manager in CrewBase.

Employee

Default for everyone else

Everyone with a job at the company who doesn't manage anyone. The role most of your team will have. Submits requests, signs policies, sees only their own data.

Who plays this role in your company

Any company

Individual contributors — engineers, baristas, designers, salespeople, accountants, drivers. Anyone without direct reports.

✓ Can

  • Submit requests of any type their company has enabled for them
  • View their own requests and history
  • Acknowledge policies their company has assigned to them
  • Submit confidential workplace concerns (visible only to Admin)
  • Edit their own profile

✗ Can't

  • See other employees' requests
  • Approve any request
  • View department-wide reports
  • Change company settings

Quick signal

If they answer to someone else and have nobody answering to them, they're an Employee.

Permissions matrix

At-a-glance view of who can do what:

CapabilityEmployeeManagerAdminOwner
Submit requests
View own request history
Acknowledge policies
Submit confidential workplace concern
Approve direct reports' requests
View their team's full history
Approve any company request
Manage employees + departments
Configure request types + workflows
Run onboarding / offboarding
Read confidential cases
Export reports to CSV
Launch policy campaigns
Configure branding + subdomain
Manage billing + subscription
Promote/demote other Owners

Real-world assignment patterns

How small businesses typically map their existing org to CrewBase roles:

3-person agency

Founder = Owner + does the Admin work themselves. The other two = Employees. No Managers needed.

Tip: When the team is small enough to fit in one room, you don't need approval routing — every request goes straight to the Owner.

10-person startup

1 Owner (CEO). 1 Admin (the operations or HR-doer). 1–2 Managers (engineering lead, sales lead). The rest = Employees.

Tip: If the CEO is the same person handling people-ops, they can be both Owner and the de-facto Admin — nobody else needs the Admin role.

30-person SaaS

1–2 Owners (founders). 1 Admin (Head of People). 4–6 Managers (one per team). The rest = Employees.

Tip: This is the sweet spot for CrewBase — clear hierarchy, dedicated HR person, real two-step approvals on expenses.

75-person retail / restaurant chain

1 Owner (proprietor). 1–2 Admins (HR + ops). Each location's General Manager = Manager. Hourly + salaried staff = Employees.

Tip: Per-location Managers only see their store's requests. Admins see everything across locations.

Common questions

Can a person have more than one role?

No — exactly one role per company. But roles inherit, so an Owner can do everything an Admin can, an Admin can do everything a Manager can, etc. There's no need to give someone multiple roles.

Can an Owner submit their own vacation request?

Yes. Owners are still employees of the company. Their requests route through Admin (since there's nobody above them). You can also assign the Owner an explicit manager if you want their requests to go to a specific person first.

What if my company has just 3 people?

Use Owner + Employees. Skip Admin and Manager. Every request goes straight to the Owner for approval. When you grow past ~10 people, designate someone as Admin so the Owner stops being the bottleneck.

Can I change someone's role later?

Yes. Admins and Owners can change anyone's role at any time from /admin/employees. The change is audited. Useful when someone gets promoted to manager, or when you hire a dedicated HR person who takes over from the Owner.

Does a Manager see other Managers' team requests?

No — each Manager only sees the requests of their own direct reports. To see requests across the whole company, you need Admin or Owner.

Who reads confidential workplace concerns?

Only Admins and Owners. Managers can't see them, even for their own team — that's the point of the case engine. Email subjects are sanitized so the case category never lands in Manager inboxes.

Can an external contractor be an Employee?

Yes. The Employee role doesn't imply employment status. Set their employmentType to CONTRACTOR on the employee record — they'll have the same permissions as a regular Employee, but reports can filter by employment type.

Request types

CrewBase ships with 16 built-in types: 13 standard approval-flow types (below) plus three specialized engines for onboarding, offboarding, and confidential workplace concerns. Admins can disable any of them, or restrict who can see each one (by role, department, or specific employees).

Vacation

Time off — full or half days

Overtime

Multi-session entries with auto-totaled hours

Expense

Receipt upload + amount + reason

Document

Letter / contract / certificate request

HR

Open-ended HR question with manager + admin route

Sick leave

Same-day or back-dated, with optional doctor's note

WFH

Work-from-home request, by date range

Attendance correction

Fix clock-in/out errors

Schedule change

Shift swap or schedule update

Payroll inquiry

Question about a paycheck or deduction

Update info

Change personal/contact info

Equipment / access

Hardware, software license, building access

Resignation

Triggers offboarding workflow on approval

Plus three workflow-driven types: Workplace concern (Case engine), Onboarding and Offboarding (Checklist engine). These behave differently — see The four engines.

For deeper dives into specific workflows, we have detail pages for managing leave and time off, pre-approving overtime, expense reimbursements, and a branded HR request portal that ties them together.

Approval workflows

Each request type pins a default workflow. Admins can change it per request type. CrewBase supports three patterns:

Manager

Manager-only

Submitter's direct manager approves. Default for vacation, sick, WFH.

Admin

Admin-only

Routed straight to admin. Default for HR, payroll inquiries, document requests.

Manager → Admin

Two-step

Manager approves first, then admin signs off. Default for expenses, equipment, overtime over a threshold.

Approval flows show the actual approver name (e.g. "Pending: Olivia Owner") — not just the role. When a manager isn't set on an employee, the request falls back to admins + owners automatically.

The four engines

Most requests use the standard approval engine. Three other engines power specialized flows:

Approval

Submit → Pending → Approved / Rejected / More info

The default. Used by vacation, expense, overtime, and most other types. Two-step variants supported.

  • Manager and/or admin sign-off
  • Comments thread per request
  • Attachment uploads
  • Auto-emails on submit, decide, comment

Checklist (Onboarding & Offboarding)

Pending → In progress → Completed (auto)

Used for new-hire onboarding and exit offboarding. A checklist of tasks per role section (Admin / Manager / IT / Employee), each with its own permission to edit.

  • 26-task default onboarding template
  • 19-task default offboarding template
  • Auto-closes when every task is COMPLETED or SKIPPED
  • Onboarding pre-creates an Employee record in INACTIVE state

More on this: onboarding checklists for small business

Case (Workplace concerns)

Received → Under review → Resolved

Confidential HR case management. Submissions are hidden from manager team views and from non-admin viewers entirely.

  • Confidential by design — admins only
  • Email subjects are sanitized so allegation text never lands in inboxes
  • Case-style status labels swap in (no "Pending admin" jargon)
  • Submitter sees only their own case

Campaign (Policy acknowledgements)

Draft → Active → Completed (auto)

Push policies and handbooks to the right people and capture digital signatures. Separate from the request system.

  • Scope-based recipients (all / roles / departments / specific people)
  • Captures IP + user-agent + typed-name signature
  • Auto-flips to COMPLETED when every recipient acks
  • Employee inbox at /policies

More on this: policy acknowledgement software with proof

Visibility controls

Each request type has a visibility setting that controls who can submit it. Five modes:

All employees

Everyone with access to the portal can see and submit.

Specific roles

Only Managers, only Admins, etc.

Specific departments

Engineering only, Sales only, etc.

Specific employees

Hand-picked individuals (with their position visible in the picker).

Disabled

Hidden from everyone. The type still exists; nobody can submit it.

Owners and Admins always retain access, regardless of the visibility setting — so admins can still test or troubleshoot.

Audit trail & reports

Every submission, decision, status change, comment, and edit is logged with a timestamp and the actor's identity. Nothing is silently mutated.

  • Who submitted what, and when
  • Who approved or rejected, with optional notes
  • Every comment, in order
  • Edits to draft requests
  • Onboarding task completions per role section
  • Policy acknowledgement signatures (with IP + user-agent)

Admins can export the full request history to CSV from /portal/reports. The export includes all visible fields plus decision metadata.

If you're replacing an informal process — chat threads, paper forms, or a dying spreadsheet — the audit trail is the biggest single upgrade. We have writeups on moving away from WhatsApp approvals and replacing a vacation spreadsheet that walk through the migration.

Brand your portal

The portal employees see is yours, not ours. CrewBase branding doesn't appear on tenant pages. Configure under Settings → Branding:

  • Logo: upload a PNG/SVG (or fall back to a colored letter mark).
  • Color: any HSL value — used on the brand square, primary buttons, and accent strokes.
  • Subdomain: pick a slug (e.g. acme) which becomes acme.crewbase.app. Custom domains are available on Enterprise plans.
  • Login message: shown under the logo on the login page (e.g. "Welcome to the Acme team portal.").
  • Support contact: a free-form line at the bottom of the login page.

Multi-tenant model

CrewBase is multi-tenant by subdomain. Each company has a unique subdomain and is fully isolated. Tenant data is scoped at the database level by companyId on every record.

  • Marketing site lives at the root domain (e.g. crewbase.app).
  • Tenant portals live at {slug}.crewbase.app.
  • Super-admin platform lives at admin.crewbase.app (CrewBase staff only).

Cross-tenant access is impossible — even by URL probing. Tenant-scoped queries always include companyId; capability gates fail closed.

Security & data

Authentication

  • Argon2id password hashing (NIST-recommended)
  • Auth.js v5 with JWT sessions
  • Session cookies are HTTP-only + Secure

Tenant isolation

  • All queries scoped by companyId at the database level
  • Capability checks fail closed (deny by default)
  • Suspended tenants are blocked at the session layer

Auditability

  • Every action timestamped and attributed
  • Confidential cases hidden from non-admins
  • Email subjects sanitized for confidential content

Data location

  • PostgreSQL hosted in the US (us-east)
  • Daily automated backups with point-in-time restore
  • GDPR-friendly export on request

Ready to set up your portal?

Five minutes to your branded subdomain — your team can be submitting requests today.

Get started See the demo