Role Overview
The platform uses role-based access control (RBAC) with six built-in roles. Every user is assigned exactly one role within each organisation they belong to.
| Role | Description |
|---|---|
| SUPER_ADMIN | Full platform access including licence management, organisation settings, and all admin functions. Typically the platform operator. |
| ADMIN | Full access within their organisation: user management, billing settings, helpdesk configuration, and all module admin. Cannot access licence server. |
| MANAGER | Can manage team members, view all tickets and projects, approve leave requests, and access reports. Cannot change org-level settings. |
| AGENT | Day-to-day operations: create and work tickets, manage contacts, run KB articles. Cannot manage users or change settings. |
| CUSTOMER | Read-only access scoped to their own tickets and documents. No access to internal notes, admin areas, or other customers' data. |
| VENDOR | External contractor / vendor account. Sees only the projects and tickets the platform has explicitly linked to them via the dedicated Vendor portal. |
Detailed Permissions by Module
Helpdesk
- SUPER_ADMIN / ADMIN: Create/edit/delete ticket types, SLA policies, rules, macros, contracts. View all tickets across all agents.
- MANAGER: View all tickets, reassign, change priority and type. Access to all queue views.
- AGENT: View tickets in their queue and unassigned. Create, update, and comment on tickets. Log time.
- CUSTOMER: View only their own submitted tickets and public replies. Cannot see internal notes.
CRM
- ADMIN / MANAGER: Full CRUD on contacts, customers, deals. Assign deal owners.
- AGENT: Create and edit contacts and customers. View all deals. Cannot delete.
- CUSTOMER: No CRM access.
HR
- ADMIN: Full access to all employee records including salary, payroll, and performance reviews.
- MANAGER: View department employees. Approve/reject leave requests. Cannot see salary.
- AGENT: View their own employee profile. Submit leave requests.
Projects
- ADMIN / MANAGER: Create, edit, archive projects. Manage team members.
- AGENT: View assigned projects. Create and complete tasks.
- CUSTOMER: View projects shared with them via a share link.
RMM / Assets
- ADMIN / MANAGER: Full device management, alert configuration, script execution.
- AGENT: View devices and alerts. Acknowledge alerts. Cannot run scripts without explicit grant.
- CUSTOMER: No access unless explicitly shared.
Admin Functions
Only SUPER_ADMIN and ADMIN can access the /admin section of the portal, which covers: user management, organisation settings, email configuration, branding, billing, licence management, and audit logs.
Vendor Portal
VENDOR users do not use the standard portal at all. They sign in at /vendor-login and land on a stripped-down Vendor portal scoped to their assignments — projects they've been added to as a team member, tickets linked to those projects, and a timesheet for logging their own hours. Vendors cannot see other tenants' data, internal staff notes, or anything they have not been explicitly granted.
Tenant Membership
A user can belong to multiple organisations. Each membership has its own role — you might be ADMIN in your primary organisation and AGENT in a partner organisation. The active role is shown in the tenant switcher.
Members of the admin tenancy (the organisation flagged isAdminTenant = true) automatically get shadow membership in every new tenant, allowing them to switch in and assist without appearing in the customer's user list.