#Roles & Permissions
#Overview
Every AiDial portal user is assigned a role that determines what they can see and do. Roles are resolved from the signed-in identity and the tenant/project scope attached to the account. Individual users cannot change their own role in the portal.
Route and action permissions are enforced by the portal service, not just by the menu that appears in the browser. If a user tries to access a tenant, project, page, or action outside their scope, the portal returns a restricted or not-found response without exposing whether the resource exists.
#Customer Roles
These roles are for users who belong to a single AiDial client organisation.
#Client Administrator (client_admin)
The primary administrative role for a client organisation. Client administrators have the broadest customer-facing access, scoped to their tenant and assigned projects.
Can access:
- Dashboard analytics
- Calls list and call detail for assigned projects
- Redacted transcript download and call exports
- PII unlock requests on call detail pages
- Recording playback when compliance permits it, and recording download when the tenant has the download entitlement
- Billing overview, invoices, and billing portal for their own tenant
- Support tickets
- Audit log for their own tenant
- Settings, including editable business hours, call limits, IP allowlisting, consent/compliance copy, transfer settings, tenant settings, notification preferences, session management, and data deletion submission
- Team management for viewing members, inviting users, changing roles, and removing users when the Team page is available to your organisation
- Status page
Customer compliance controls are available through call-detail PII unlock flows and approved Settings compliance-copy pages where explicitly permitted.
Multi-factor authentication: Optional (recommended). It may still be required by an explicit tenant or user policy. See Multi-Factor Authentication.
#Client Manager (client_manager)
A senior customer role with broad visibility and limited management capabilities compared with the client administrator.
Can access:
- Dashboard analytics
- Calls list and call detail for assigned projects
- Redacted transcript download and call exports
- PII unlock requests on call detail pages
- Recording playback when compliance permits it, and recording download when the tenant has the download entitlement
- Billing overview, invoices, and billing portal for their own tenant
- Support tickets
- Audit log for their own tenant
- Team route in read-only mode; owners cannot invite users, change roles, or remove users
- Settings profile, notifications, reports, and session management; business hours, call limits, IP allowlisting, consent/compliance copy, transfer settings, tenant settings, data governance, and data deletion are read-only or summary-only depending on the section
- Status page
Key difference from client_admin: Client managers are read-only for team management and most operational settings, and they cannot submit data deletion requests.
Multi-factor authentication: Optional (recommended).
#Client Staff (client_staff)
A standard customer user role for day-to-day operational access.
Can access:
- Dashboard analytics
- Calls list and call detail for assigned projects, with caller data masked and caller search disabled
- Redacted transcript download and call exports
- Recording playback only when the staff playback policy allows it; staff cannot download recordings
- Support tickets
- Settings profile, notification preferences, and session management
- Status page
Cannot access:
- Billing
- Team management
- Audit log
- PII unlock requests
- Recording download
- Most settings sections, including business hours, call limits, IP allowlisting, consent/compliance copy, transfer settings, tenant settings, data governance, and data deletion
Multi-factor authentication: Optional (recommended).
#Customer Role Comparison
| Feature | Client Admin | Client Manager | Client Staff |
|---|---|---|---|
| Dashboard | Full | Full | Full |
| Call history and detail | Full | Full | Redacted |
| Caller search / full caller display | Yes | Yes | No / masked |
| Redacted transcript download | Yes | Yes | Yes |
| PII unlock requests | Yes | Yes | No |
| Recording playback | Compliance-gated | Compliance-gated | Policy-dependent |
| Recording download | Entitlement-gated | Entitlement-gated | No |
| Call exports | Yes | Yes | Yes |
| Billing overview and invoices | Yes | Yes | No |
| Billing portal | Yes | Yes | No |
| Support tickets | Yes | Yes | Yes |
| Team - view members | Yes | View only | No |
| Team - invite and manage | Yes | No | No |
| Settings - profile | Edit | Edit | Edit |
| Settings - notifications | Edit | Edit | Edit |
| Settings - reports | View | View | View |
| Settings - business hours | Edit | View | No |
| Settings - call limits | Edit | View | No |
| Settings - IP allowlist | Edit | View | No |
| Settings - consent/compliance copy | Edit | View | No |
| Settings - transfer settings | Edit | View | No |
| Settings - tenant settings | Edit | View | No |
| Settings - data governance | View | Summary view | No |
| Settings - session management | Yes | Yes | Yes |
| Settings - data deletion | Submit | View | No |
| Audit log | Yes | Yes | No |
| Status page | Yes | Yes | Yes |
| MFA required | No, unless explicitly required | No | No |
#Partner Roles
These roles are for partner organisations that manage assigned AiDial client accounts. See Tenant Scoping for how partner access works across multiple clients.
Partner access is always scoped server-side to assigned clients/projects. Partner routes that require a target client use explicit client selection; out-of-scope client or project IDs are denied without revealing whether the resource exists.
#Partner Administrator (partner_admin)
The primary partner role with management access across assigned client accounts.
Can access:
- Dashboard analytics for assigned clients/projects
- Calls list and call detail metadata for assigned clients/projects
- Call cost/performance data and call exports for assigned clients/projects
- Billing overview, invoices, and billing portal for an explicitly selected assigned client
- Support tickets scoped to assigned clients
- Partner team member management
- Clients page for assigned-client visibility, partner-managed client profiles, and partner-user assignment workflows
- Projects workspace for assigned clients, including edit/publish operations
- Webhook integrations route, with create, update, delete, rotate-secret, and test actions
- Settings summaries for assigned clients, with read-only business hours, call limits, consent/compliance copy, transfer settings, and editable data governance
- Capacity overview/history for assigned clients
- Status page
Partner administrators do not receive customer transcript download, PII unlock, or recording access permissions.
Multi-factor authentication: Required. See Multi-Factor Authentication.
#Partner User (partner_user)
A read-only partner role with limited visibility across assigned client accounts.
Can access:
- Dashboard analytics for assigned clients/projects
- Calls list and call detail metadata for assigned clients/projects
- Support tickets scoped to assigned clients
- Partner team in read-only mode
- Clients page in read-only mode for assigned clients
- Projects workspace in read-only mode
- Webhook integrations in read-only mode
- Settings summaries for assigned clients, including business hours, call limits, consent/compliance copy, transfer settings, and data governance
- Capacity overview/history for assigned clients
- Status page
Cannot access:
- Billing
- Call exports
- Call cost/performance data
- Customer transcript download, PII unlock, or recording access
- Project, webhook, or partner-team mutation actions
- Settings editing
Multi-factor authentication: Optional (recommended).
#Partner Role Comparison
| Feature | Partner Admin | Partner User |
|---|---|---|
| Dashboard | Full | Full |
| Call history and detail metadata | Yes | Yes |
| Transcript download / PII unlock / recording access | No | No |
| Call cost and performance data | Yes | No |
| Call exports | Yes | No |
| Billing | Yes, explicit assigned client | No |
| Support tickets | Yes | Yes |
| Partner team - view | Yes | View only |
| Partner team - manage | Yes | No |
| Clients page | Manage assigned partner clients | View assigned clients |
| Projects workspace | Edit | View |
| Webhook integrations | Manage | View |
| Settings - business hours / call limits / compliance copy / transfer | View | View |
| Settings - data governance | Edit | View |
| Capacity overview/history | Yes | Yes |
| Status page | Yes | Yes |
| MFA required | Yes | No |
#AiDial Operations Roles
AiDial also has operations-only roles for approved internal support and administration work. These roles are not assigned to customer or partner users and do not use the standard customer or partner portal routes. MFA is required for operations-only roles.
#How Roles Are Assigned
Roles are assigned by your organisation's administrator or by AiDial during account setup. Role changes are not self-service inside the portal; if your role is incorrect, contact your organisation's administrator or AiDial support.