# Client Permissions

Permissions let you decide what each user can reach, view, and change. Cloud Voice gives you three independent controls that you can tailor per user: what appears in the Cloud Voice App interface, which other extensions a user can see, and whether a user can view or manage company contacts.

:::note
The three controls are separate and stack together. A user only sees and can change something when every control that applies to it allows it, so review all three when you are troubleshooting why a user cannot find a feature or a colleague.
:::

## Cloud Voice App menu and operation permissions

Out of the box, every user has full run of the Cloud Voice App: all menus are available and all settings can be edited. To narrow that down, you build permission rules covering two areas.

- **Menu Visibility Permission**: hides selected menus so users only see the parts of the app that apply to them.
- **Operation Permission**: locks down selected settings so users can open a menu but cannot change what it contains.

:::note
The two rules work at different levels. Menu Visibility removes a menu from view entirely, so the user never sees it. Operation Permission leaves the menu visible but read-only, so the user can look at the settings without editing them. Use Menu Visibility when a whole area does not apply to a user, and Operation Permission when they need to see a setting but should not change it.
:::

:::tip
Grant the least access a user needs to do their job. Start from a restrictive rule and open up individual menus or settings as requests come in, rather than giving broad access and clawing it back later.
:::

You define these menu and operation rules as part of setting up user permissions for the Cloud Voice App.

## Extension visibility permission

This controls which colleagues (extensions) a user can see in the directory, which is a different thing from the Menu Visibility above that controls which app features a user sees. By default a user can see every department, or the default extension group, in the Cloud Voice App. When you would rather keep parts of your directory private, set visibility rules that hide specific extensions, extension groups, or departments from chosen users.

:::note
What a user sees by default depends on whether organization management is enabled for the account. With it on, users see departments. With it off, users see the default extension group. This affects how your visibility rules are scoped, so confirm which mode the account uses before you build them.
:::

For the full procedure, see [Set up Extension Visibility](/pbx/administrator-guide/set-up-extension-visibility/).

## Contact visibility permission

Company contacts are hidden from everyone by default, no user can view them or manage them until you grant access. Use visibility rules to give specific users permission to view company contacts, manage them, or both.

:::caution
Manage permission is more than view. A user with manage access can add, edit, and remove entries in the shared company directory, and those changes are seen by everyone who can view company contacts. Grant manage access only to users you trust to maintain the shared directory.
:::

:::note
Personal contacts are private. Only the user who owns them can see them, regardless of any visibility rule you set.
:::

For the full procedure, see [Set up Contact Visibility](/pbx/administrator-guide/set-up-contact-visibility/).
