Roles & Permissions
Roles control access. Omniflow ships with four built-in roles that cover most teams; for fine-grained needs, you can build custom roles by mixing and matching individual permissions.
Built-in roles
| Role | Can do |
|---|---|
| Admin | Everything. Workspace settings, billing, integrations, members. |
| Supervisor | Manage their team, build training, review QA, see all conversations. |
| Agent | Handle conversations on their team, take training, see their own dashboards. |
| Trainee | Practice scenarios; can’t handle live conversations until promoted. |
You can clone any built-in role to use as a starting point for a custom role.
Permission categories
Permissions are grouped:
| Category | Examples |
|---|---|
| Conversations | Read, reply, transfer, resolve, delete. |
| Tickets | Create, edit, merge, delete. |
| Contacts | Read, edit, merge, export. |
| Agents (AI) | Read, edit prompt, publish, delete. |
| Training | Take, review, build, assign. |
| QA | View scorecards, override scores, build rubrics. |
| Settings | Read, edit (per tab). |
| Billing | View, pay, change plan. |
| Integrations | Read, connect, disconnect. |
| API | Use API keys, manage API keys. |
Each permission is a checkbox; roles are bundles of checkboxes.
Build a custom role
- Settings → Roles & Permissions → New role.
- Clone an existing role or start blank.
- Tick / untick permissions.
- Save.
Examples:
| Role | Notes |
|---|---|
| Read-only auditor | All read permissions, no edit. For compliance reviewers. |
| Trainer | Training full access, conversations read-only. For external coaches. |
| API consumer | API key management + read on conversations. For service accounts. |
| Billing-only admin | Billing edit, everything else hidden. For finance. |
Role changes apply on next login or after the affected user reloads. Sessions don’t update mid-stream.
Multi-team scoping
Permissions can be scoped per team:
- “Sarah is a supervisor on EMEA Tier 1 but a regular agent on EMEA Tier 2.”
- “Alex can override QA scores for the Billing team but not the Cards team.”
Per-team scopes layer on top of the global role and only grant additional access — they can’t take away from the role’s defaults.
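The layering rule above, modelled as an added example (not Omniflow code or its API): effective access on a team is the union of the global role and that team's grants, so a review that looks only at global roles misses per-team additions. The permission strings, the `Member` class and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed permission names ("category.action"); not Omniflow identifiers.
ROLES = {
    "Agent": frozenset({"conversations.read", "conversations.reply",
                        "training.take"}),
    "Supervisor": frozenset({"conversations.read", "conversations.reply",
                             "training.take", "training.review",
                             "qa.view_scorecards", "qa.override_scores"}),
}

@dataclass
class Member:
    name: str
    global_role: str
    # team -> permissions granted only inside that team (additive scopes)
    team_grants: dict = field(default_factory=dict)

def effective_permissions(member, team):
    """Role defaults plus the team's grants; a union, so a scope cannot remove."""
    return ROLES[member.global_role] | member.team_grants.get(team, frozenset())

def is_allowed(member, team, permission):
    return permission in effective_permissions(member, team)

def extra_access(member):
    """Per team, what the member holds beyond the global role (review these)."""
    base = ROLES[member.global_role]
    report = {}
    for team, grants in member.team_grants.items():
        added = grants - base
        if added:
            report[team] = added
    return report

def redundant_grants(member):
    """Per-team grants the global role already covers; safe to trim."""
    base = ROLES[member.global_role]
    return {t: g & base for t, g in member.team_grants.items() if g & base}

# The two cases from the text, modelled as Agent plus per-team grants.
sarah = Member("Sarah", "Agent", {"EMEA Tier 1": ROLES["Supervisor"]})
alex = Member("Alex", "Agent", {"Billing": frozenset({"qa.override_scores"})})

if __name__ == "__main__":
    for m in (sarah, alex):
        print(m.name, {t: sorted(p) for t, p in extra_access(m).items()})
```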
Inheritance and least privilege
Best practices:
- Default to least privilege. Start people as Agent or Trainee; promote when needed.
- Audit roles quarterly. Roles tend to accumulate; trim unused custom roles.
- Use SCIM groups → role mapping if you have an IdP. See SSO & SCIM.
Don’t grant Admin to service accounts. Use a custom role with the specific permissions the integration actually needs — usually API key management plus a read scope.
Audit log
Every permission and role change is logged with the actor, timestamp, and before/after diff. Export from Settings → Audit log.
Related
| If you want to… | Go to |
|---|---|
| Map IdP groups to roles | SSO & SCIM |
| Use API keys | API Keys |
| See what people are doing | Reports & Trends |