KW Knowledge base

User Roles & Permissions

Explanation of all user roles (SUPER_ADMIN, ADMIN, MANAGER, AGENT, CUSTOMER) and what each can access.

Mitch Wigham
Updated 14 July 2026 · 34 views

Role Overview

The platform uses role-based access control (RBAC) with six built-in roles. Every user is assigned exactly one role within each organisation they belong to.

Role Description
SUPER_ADMIN Full platform access including licence management, organisation settings, and all admin functions. Typically the platform operator.
ADMIN Full access within their organisation: user management, billing settings, helpdesk configuration, and all module admin. Cannot access licence server.
MANAGER Can manage team members, view all tickets and projects, approve leave requests, and access reports. Cannot change org-level settings.
AGENT Day-to-day operations: create and work tickets, manage contacts, run KB articles. Cannot manage users or change settings.
CUSTOMER Read-only access scoped to their own tickets and documents. No access to internal notes, admin areas, or other customers' data.
VENDOR External contractor / vendor account. Sees only the projects and tickets the platform has explicitly linked to them via the dedicated Vendor portal.

Detailed Permissions by Module

Helpdesk

  • SUPER_ADMIN / ADMIN: Create/edit/delete ticket types, SLA policies, rules, macros, contracts. View all tickets across all agents.
  • MANAGER: View all tickets, reassign, change priority and type. Access to all queue views.
  • AGENT: View tickets in their queue and unassigned. Create, update, and comment on tickets. Log time.
  • CUSTOMER: View only their own submitted tickets and public replies. Cannot see internal notes.

CRM

  • ADMIN / MANAGER: Full CRUD on contacts, customers, deals. Assign deal owners.
  • AGENT: Create and edit contacts and customers. View all deals. Cannot delete.
  • CUSTOMER: No CRM access.

HR

  • ADMIN: Full access to all employee records including salary, payroll, and performance reviews.
  • MANAGER: View department employees. Approve/reject leave requests. Cannot see salary.
  • AGENT: View their own employee profile. Submit leave requests.

Projects

  • ADMIN / MANAGER: Create, edit, archive projects. Manage team members.
  • AGENT: View assigned projects. Create and complete tasks.
  • CUSTOMER: View projects shared with them via a share link.

RMM / Assets

  • ADMIN / MANAGER: Full device management, alert configuration, script execution.
  • AGENT: View devices and alerts. Acknowledge alerts. Cannot run scripts without explicit grant.
  • CUSTOMER: No access unless explicitly shared.

Admin Functions

Only SUPER_ADMIN and ADMIN can access the /admin section of the portal, which covers: user management, organisation settings, email configuration, branding, billing, licence management, and audit logs.

Vendor Portal

VENDOR users do not use the standard portal at all. They sign in at /vendor-login and land on a stripped-down Vendor portal scoped to their assignments — projects they've been added to as a team member, tickets linked to those projects, and a timesheet for logging their own hours. Vendors cannot see other tenants' data, internal staff notes, or anything they have not been explicitly granted.

Tenant Membership

A user can belong to multiple organisations. Each membership has its own role — you might be ADMIN in your primary organisation and AGENT in a partner organisation. The active role is shown in the tenant switcher.

Members of the admin tenancy (the organisation flagged isAdminTenant = true) automatically get shadow membership in every new tenant, allowing them to switch in and assist without appearing in the customer's user list.

Still need help?

Log a support ticket and the team will pick it up from this page.