Overview

Core uses role-based access control (RBAC) to manage what users can see and do. Assign roles to team members to grant appropriate permissions based on their responsibilities.

Built-in Roles

Role Hierarchy

Core includes these built-in roles, from most to least permissive:

Role	Description
Owner	Full access including billing and danger zone
Super Admin	Full access except billing management
Admin	Manage users, settings, and all operations
Manager	View reports, manage assignments, some settings
Billing Administrator	View all time; create and edit contracts, financials, and reports; no user or system settings
Billing (Read-only)	View all time entries, customers, contracts, financials, and reports; export data; cannot create or edit
Technician	Work on tickets, time tracking, basic operations
Member	View and interact with assigned items
Observer	Read-only access for auditing

Owner

The workspace owner can:

Everything Super Admin can do
Manage billing and subscriptions
Delete the workspace
Transfer ownership

Only one owner per workspace.

Super Admin

Super Admins can:

Everything Admin can do
Manage all users including Admins
Access all settings
Cannot access billing or delete workspace

Admin

Admins can:

Manage users (except Admins/Super Admins)
Configure settings and integrations
Access all tickets and customers
Generate all reports
Manage automations

Manager

Managers can:

View and manage team workload
Run performance reports
Assign and reassign tickets
Access limited settings
Cannot modify user roles or critical settings

Technician

Technicians can:

View and work on tickets
Log time entries
Access knowledge base — create and edit articles, manage spaces
View customer information
Update their own profile

Member

Members can:

View assigned tickets
Add notes and updates
Access knowledge base
Limited customer visibility
Cannot view contracts or financial records

Billing Administrator

Billing Administrators can:

View all time entries across the tenant
Create, edit, and delete contracts and contract links
Create, edit, and delete financial records and billing units
Create and export reports
View customers, contacts, projects, and tickets (read-only for these)
Cannot manage user roles, system settings, or tenant billing

Billing (Read-only)

Billing (Read-only) users can:

View all time entries across the tenant
View customers, contracts, financial data, and reports
Export customers and reports
Track their own time
Cannot create or edit any data; useful for billing coordinators or auditors

Observer

Observers can:

Read-only access to tickets
View reports (no export)
Cannot create or modify data
Useful for auditors or stakeholders

Permissions

Permission Categories

Permissions are organized by area:

Category	Examples
Tickets	Create, read, update, delete
Customers	View, manage contacts
Assets	View, manage
Reports	View, export, create custom
Users	View, manage, invite
Settings	View, modify
Billing	View, manage

Permission Levels

Each permission can have levels:

None: No access
Read: View only
Write: Create and edit
Manage: Full control including delete
Own: Access to own items only

Common Permissions

Permission	Description
`tickets:read`	View tickets
`tickets:create`	Create new tickets
`tickets:update`	Edit ticket details
`tickets:delete`	Remove tickets
`tickets:assign`	Assign tickets to users
`customers:read`	View customer information
`customers:manage`	Create and edit customers
`assets:read`	View assets
`assets:manage`	Create and edit assets
`time:track`	Log time entries

Assigning Roles

Setting User Role

Assign a role to a team member:

Go to Settings > Team
Click on the user
Select Edit Role
Choose the new role
Save changes

Changes take effect immediately.

Role Change Restrictions

Users cannot elevate their own role
Users cannot manage users at their level or above
Owner role requires ownership transfer
Some changes require confirmation

Built-in Roles Are Fixed

Core uses a fixed set of built-in roles. You cannot create or delete roles; you assign one of the built-in roles to each team member. To change what a role can do, an owner would need to update the application configuration (role-permission mappings are maintained by your administrator or support).

Practical Examples

Dispatcher Role

Create a role for ticket dispatchers:

Permissions:
- tickets:read ✓
- tickets:assign ✓
- tickets:update (status only) ✓
- customers:read ✓
- users:view ✓
- reports:view ✓

Account Manager Role

For client relationship managers:

Permissions:
- tickets:read ✓
- tickets:create ✓
- customers:read ✓
- customers:manage ✓
- reports:view ✓
- reports:export ✓
- projects:read ✓

Junior Technician Role

Limited technician access:

Permissions:
- tickets:read ✓
- tickets:update (own only) ✓
- time:track ✓
- assets:read ✓
- knowledge:read ✓

Team Organization

Groups

Organize users into groups:

Go to Settings > Groups
Create groups (e.g., "Level 1 Support", "Projects Team")
Add users to groups
Use groups for assignment and reporting

Permission Inheritance

Users receive permissions from:

Their assigned role (primary)
Group memberships (additive)
Direct grants (exceptions)

More permissive wins - if any source grants permission, user has it.

Security Best Practices

Principle of Least Privilege

Grant minimum permissions needed
Start restrictive, add as needed
Regular permission audits

Access Reviews

Periodically review access:

Run user permission report
Check for excessive access
Remove unnecessary permissions
Document changes

Separation of Duties

For sensitive operations:

Different users for create vs approve
Billing access limited to finance
Critical settings require Admin

Audit Trail

Permission Changes

Track permission modifications:

Go to Settings > Audit Log
Filter by "Permission" or "Role"
See who changed what and when

Access Logs

Monitor user access:

Login events
Failed login attempts
Permission denied events
Sensitive action logging

Permissions & Roles