Skip to content

Permission catalog

Permissions are fine-grained capabilities stored on roles. System Admin has full access (*). Other roles list specific keys.

You do not need to memorize this page. Use it when you extend a role and wonder what a checkbox means, or when someone asks “why can’t I see Billing?”

For a shorter overview, see Permissions. For assigning roles, see Users & roles.

Screenshot needed
Custom role editor with permission checkboxes grouped by module.
Where: Manage users / roles → edit role
Save as: src/assets/screenshots/42-permission-catalog-ui.png
IdeaMeaning
Permission keyStable string such as projects.read
RoleNamed bundle of keys (Admin, Agent, Supervisor, or custom)
*Grants everything — reserved for system Admin
Missing keyUI hides or blocks the action; API returns 403

Permissions are organization-wide capabilities. They do not replace project membership rules where those exist, and they do not bypass plan limits.

PermissionAllowsWhen you need it
projects.readView projects and open project workspacesAlmost everyone who works in CXGear
projects.writeCreate and edit projectsAdmins and campaign owners

Without projects.read, the product is largely empty. Without projects.write, users can operate inside existing projects (if other permissions allow) but cannot create new ones.

PermissionAllowsWhen you need it
spinners.readView spinner definitionsSupervisors reviewing pipelines
spinners.writeCreate and edit spinnersBuilders and admins
spinners.runRun / trigger spinners (including starting jobs)Anyone who must launch outreach

A common pattern: supervisors get read + run, while only a smaller builder group gets write.

PermissionAllowsWhen you need it
integrations.readView integrations (channels, AI providers, …)Supervisors who need visibility
integrations.writeCreate and change integrationsAdmins connecting WhatsApp, LLMs, etc.
vault.readView vault entries (secrets are masked)Auditing which secrets exist
vault.writeAdd or update secretsAdmins managing credentials

Prefer Integrations for LLM keys. Use Vault when a step needs a named secret. Treat both as sensitive — write is high privilege.

PermissionAllowsWhen you need it
dialler.accessDialler admin (lists, routing, desk tools)Supervisors and dialler admins
dialler.agentTake live voice callsDesk agents with presence
conversations.agentReceive and reply to chat sessionsChat agents
conversations.superviseMonitor, transfer, and supervise chatsChat supervisors

Desk agents usually need agent permissions, not full Admin. Supervisors often combine dialler access with analytics read.

PermissionAllowsWhen you need it
analytics.readView analytics dashboardsSupervisors and leads
pca.setupConfigure Post Call Analyzer setupPCA admins
pca.tagsManage analyzer tagsQA / PCA configuration
pca.qaManage QA scorecardQA leads

Split PCA permissions when one team configures intake and another owns the scorecard.

PermissionAllowsWhen you need it
users.manageInvite and manage usersOrg admins
roles.manageCreate and edit custom rolesOrg admins designing access
data_tables.deleteDelete data tablesAdmins only — destructive

data_tables.delete is intentionally separate so builders can import data without permission to destroy tables.

PermissionAllowsWhen you need it
billing.readView billing, plans, and usage metersFinance-aware admins
api_keys.manageCreate and revoke organization API keysDevelopers and admins integrating CRMs

Developers who only manage webhooks may need api_keys.manage without full Admin — still treat keys as production secrets.

Role intentTypical permissions
Desk agentprojects.read, dialler.agent, maybe conversations.agent
Supervisorprojects.read, spinners.read, spinners.run, dialler.access, analytics.read, conversations supervise as needed
Builderprojects.read, spinners.*, integrations.read
Org admin* or broad write + users.manage + roles.manage + billing.read
Integratorapi_keys.manage, projects.read, spinners.read
  • Agents cannot open Billing or delete tables
  • Builders can publish spinners without managing users
  • Integrators can create API keys without full Admin
  • Custom roles are documented for your team’s onboarding
ProblemLikely causeWhat to do
“Button missing”Permission not on roleAdd the key or use a system role
Can see UI but API 403Role changed after loginSign out and back in
PLAN_LIMIT despite AdminPlan meter, not permissionOpen Billing
Over-privileged agentsCopied Admin roleStart from Agent and add only what is needed