Roles & permissions (RBAC)
Promptly uses role-based access control. Every member of your workspace is assigned a role, and that role determines which parts of the dashboard and which API actions they can use. Permissions are enforced on the server by authorization policies — hiding a button in the UI is never the only line of defense, so a user cannot bypass a restriction by calling the API directly.
The roles
| Role | What they can do |
|---|---|
| Owner | Full access: billing, plan changes, tenant settings, knowledge base, catalog, analytics, team management, the Inbox, and the audit log. |
| Admin | Everything an Owner can do operationally — settings, knowledge, catalog, analytics, team, Inbox, audit log. |
| Agent | Works the human-handoff Inbox only: claim, resolve, and reassign escalated conversations and reply to customers in real time. Agents cannot access billing, tenant settings, the catalog, or analytics. |
| Viewer | Read-only access. A Viewer cannot claim or reply to escalated conversations. |
🖼️ [Image] — The Team page showing members with a role dropdown next to each one.
How permissions are enforced
When a user signs in, their role is embedded in their session token. Each protected endpoint requires a specific policy:
- Tenant admin actions (settings, billing, configuration) require Owner or Admin.
- Escalation actions (claim / resolve / reassign / reply) require Owner, Admin, or Agent. Viewer is explicitly excluded.
- The audit log is restricted to Owner and Admin — Agents do not see the full audit trail.
Tokens are also revocable. Changing a password, resetting from the admin side, deactivating a user, or using "log out all devices" invalidates that user's existing tokens immediately, so a stolen or stale session stops working even before it would normally expire.
Choosing roles
Give human support staff the Agent role so they can work conversations without touching billing or configuration. Reserve Owner/Admin for people who manage the account, and use Viewer for stakeholders who only need to look.
You assign and change roles on the Team page — see Team & roles.