Assigning Roles: Recommendations and Best Practices

Managing access on Ramp is all about balance: ensuring that employees have the permissions they need to do their work, while minimizing exposure to sensitive information and settings. This guide provides best practices for assigning roles.

Why role assignment matters

Best practices

  1. Limit Admins to 1–3 people in your organization. Admins are super users — over-assigning them increases compliance and security risk. Use Finance Admin, IT Admin, or View Only Admin for targeted control instead.
  2. Assign at least one Accounting role. Every organization should designate at least one Accounting role. Accounting roles manage reconciliation, exports, and syncing tasks that keep accounting accurate and up to date. Assigning this role ensures day-to-day accounting runs smoothly and provides coverage without exposing users to sensitive Admin or Finance Admin permissions.
  3. Start with the smallest role. Assign Employee by default. Add other roles only when responsibilities demand it.
  4. Assign additional roles where responsibilities overlap. Some users may need more than one role to cover their responsibilities. For example, a team member might have the Accounting role (to handle reconciliations), the Accounts Payable role (to manage Bill Pay), and the Manager role (to approve spend for their team). Assigning multiple roles allows you to combine permissions in a controlled way, rather than over-privileging with Admin.
  5. Rely on View Only Admin for oversight. Auditors, compliance officers, and certain executives typically need visibility, not edit rights. Use View Only Admin to grant oversight without introducing risk.
  6. Maintain separation of duties. Avoid role overlap that allows a single user to both create and approve payments. Clear separation strengthens internal controls and compliance. For (Plus) customers, use the duplicate role function to create two versions of an existing role (e.g. Accounts Payable or Accounting) with complementary sets of permissions.
  7. Leverage Managers for approvals. Managers streamline team-level approvals. Keep their scope narrow—avoid granting finance-wide permissions unless absolutely necessary.
  8. Use Guest for temporary spend needs. Guests are ideal for contractors, seasonal workers, or prospective employees who need short-term access to Ramp. The Guest role provides limited functionality—enough to participate in spend or reimbursement workflows—without granting broad visibility or administrative rights. You can also set a deactivation date when creating a Guest, ensuring access ends automatically when their engagement does.
  9. (Plus) Customize when needed. Where permissions are customizable, tailor them instead of assigning broad access.
  10. (Plus) Use custom roles for specialized needs. Not every user fits neatly into the standard role types. Custom roles let you tailor permissions to match unique responsibilities—such as a day-to-day admin who should be able to invite employees (but not users with advanced roles, such as Finance Admin) and approve fund limit increases. Leverage custom roles to grant exactly what’s needed, reduce over-permissioning, and support scalable governance as your organization grows.

Choosing which role to assign based on job needs

Assigning the right role starts with matching responsibilities to permissions. Use the guidance below to align each job function with the appropriate Ramp role.

Two tips:

  1. For most employees, start with employee and add additional roles. Some users may have up to 3 or 4 roles depending on access needs.
  2. (Plus) Most of the below roles can be duplicated and then customized. Use this functionality to enable separation of duties, or create a version of the role with limited capabilities and a version of a role with expanded capabilities.

Employee

Who it’s for: Standard team members who need to spend on Ramp.

What they can do: Request spend, submit reimbursements, receive cards, upload receipts, act as delegates.

(Plus) What can be customized: Physical card eligibility, Spend Program limits, delegation settings.

Manager

Who it’s for: Team leads who approve expenses and oversee spending activity for their direct and indirect reports.

What they can do: All Employee permissions, plus team approvals, limits, and visibility into missing items.

(Plus) What can be customized: Approval flows for team spend, ability to invite Employees/Managers, limits for individuals or groups.

Guest

Who it’s for: Contractors, seasonal employees, or prospective hires who need temporary access.

What they can do: Limited functionality such as requesting spend, submitting reimbursements or booking travel. Guest access can be set with a deactivation date to expire automatically.

What can be customized: Deactivation date, specific spend or reimbursement programs they can access.

Accounting

Who it’s for: External accountants, controllers-in-training, or BPO partners.

What they can do: Reconcile, export, and sync accounting data. Edit draft bills.

(Plus) What can be customized: Access to Bill Pay functions (draft creation, edits), accounting sync settings.

Accounts Payable

Who it’s for: Accounts payable staff responsible for bill entry and payment workflows.

What they can do: Create and edit draft bills, view bills and payment details, sync bills to ERP, and manage vendor information.

(Plus) What can be customized: Ability to create vs. approve bills, ability to edit bills, editing Bill Pay settings.

View only Admin

Who it’s for: Auditors (internal and/or external), compliance staff, or select executives.

What they can do: Read-only access all financial and user management products. No edit access.

(Plus) What can be customized: Visibility into treasury, billing statements and rewards.

Finance Admin

Who it’s for: Senior finance leaders (Controllers, VPs, CFOs).

What they can do: Manage all financial products and financial policies and settings.

(Plus) What can be customized: Expenses, Accounting, Bill Pay capabilities.

IT Admin

Who it’s for: IT and security teams.

What they can do: Manage SSO/SAML, user provisioning, user groups, integrations, and API access.

(Plus) What can be customized: What user management actions they can perform, whether they can manage the accounting integration, ability to view all company vendors.

Custom Role

Available on Ramp Plus. See Ramp Plus overview for plan details.

Who it’s for: Users with unique needs that don’t fit into the standard role structure.

What they can do: A tailored combination of permissions. For example, a "Card Manager" who can view all users and adjust card limit, but can not change expense policies.

**Best practice:**Use custom roles to reduce over-permissioning. Use the duplicate function for existing roles to create a custom role with an existing role template.

Admin (Ramp super users)

Who it’s for: Implementation owners and trusted operations leaders.

What they can do: Full platform control across Ramp—everything from user management to financial data access to managing financial policies.

This role cannot be customized, as it's a super user.

Best practice: Limit Admins to 1–3 trusted individuals. Use Finance Admin or IT Admin for narrower responsibilities, and View Only Admin for read-only access to all financial and user data.

Things to watch out for

  1. Making everyone an Admin. Admin is a super-user role with full platform access. Over-assigning Admin increases security and compliance risk. Use Finance Admin, IT Admin, or custom roles for targeted access instead.
  2. Not assigning managers. Without a manager in the reporting chain, users may be able to self-approve spend (depending on your policy settings). Ensure every user who needs oversight has a manager assigned.
  3. Giving the Accounting and Accounts Payable roles to the same person for Bill Pay. This can break separation of duties — the same person would be able to create bills and manage accounting for those bills. Consider splitting these roles across two users, or use custom roles to separate creation from approval.
  4. Not understanding that Finance Admin requires an Accounting base role. Finance Admin is an add-on role that must be paired with the Accounting role. If you assign Finance Admin to an Employee, the user will not receive the expected permissions. See the User Roles Overview for how base and add-on roles work together.
  5. Using Guest for users who need to request spend. Guests cannot request virtual cards, Spend Programs, or physical cards. If a user needs to actively request spend (not just use what is issued to them), they should be an Employee instead.