Role-Based Access Control (RBAC)
Understand how roles and permissions control access to features across Email, SMS, RCS and WhatsApp on the Netcore CPaaS dashboard.
Overview
Netcore CPaaS uses Role-Based Access Control (RBAC) to manage what each team member can see and do within the platform. Admins assign one or more roles to each user, and those roles determine which screens, features, and actions are available to them across Email, SMS, RCS and WhatsApp.
RBAC in CPaaS is designed to be simple, consistent, and cross-channel. The same roles apply regardless of which channel a user is working in.
Note
Only Admin users can assign or modify roles. Role assignments are managed through Settings > Access Management.
Key Concepts
Multiple Roles Per User
Each user can hold one or more roles simultaneously. Permissions are additive, so a user with both Analyst and Marketing roles receives all permissions from both. When you assign the Admin role, it automatically grants full access and disables individual permission selection.
Cross-Channel Roles
All roles apply uniformly across Email, SMS, and WhatsApp. There are no separate per-channel configurations. A user's access to a channel is determined entirely by their assigned roles.
Admin Protection
The Admin role comes with built-in safety guardrails. The last remaining Admin on an account cannot be removed or downgraded, and the primary account owner's Admin role is permanently immutable. This prevents accidental account lockout.
System Roles
CPaaS provides eight pre-defined system roles. Each role is described below, along with the capabilities it grants across channels.
Admin
Full access to all features and settings across Email, SMS, WhatsApp, and RCS. Admins are also responsible for managing users and roles through Access Management.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| Full rights, equivalent to the account owner | ✓ | ✓ | ✓ | ✓ |
| Access Management (invite/edit / remove users) | ✓ | ✓ | ✓ | ✓ |
| All settings and configurations | ✓ | ✓ | ✓ | ✓ |
| Billing and invoices | ✓ | ✓ | ✓ | ✓ |
| All integrations and webhooks | ✓ | ✓ | ✓ | ✓ |
Admin Rule
At least one Admin must exist at all times. The last Admin cannot be removed or downgraded until a second Admin is promoted.
Analyst
Read-only access focused on analytics, reporting, and monitoring. Ideal for data analysts and reporting teams who need visibility without the ability to make changes.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| View live feed | ✓ | ✓ | ✓ | ✓ |
| Download live feed | — | ✓ | ✓ | ✓ |
| View analytics and subaccount analytics | ✓ | ✓ | ✓ | ✓ |
| View/download reports | ✓ | ✓ | ✓ | ✓ |
| View/download dashboard | ✓ | ✓ | ✓ | ✓ |
| View/download blocklist | — | ✓ | ✓ | ✓ |
| View suppression/tag list | ✓ | — | — | — |
| View warmup details | ✓ | — | — | — |
| Manage mail alerts | ✓ | — | — | — |
Marketer
Focused on campaign execution and audience management. Marketing users can create and manage campaigns and templates, but do not have access to integrations or billing.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| View live feed and analytics | ✓ | ✓ | ✓ | ✓ |
| View / download reports | ✓ | ✓ | ✓ | ✓ |
| View / download dashboard | — | ✓ | ✓ | ✓ |
| View / download blocklist | — | ✓ | ✓ | ✓ |
| View and edit suppression list | ✓ | — | — | — |
| Full access to template section | — | ✓ | ✓ | ✓ |
| Full access to campaign section | — | ✓ | ✓ | ✓ |
Developer
Broad technical access covering all operational and integration features. Ideal for developers and technical team members. The Developer role excludes billing information to maintain financial data separation.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| All access except billing information | ✓ | ✓ | ✓ | ✓ |
| Integrations and webhooks | ✓ | ✓ | ✓ | ✓ |
| Campaign and template management | ✓ | ✓ | ✓ | ✓ |
| Suppression and consent list management | ✓ | ✓ | ✓ | ✓ |
Designer
Focused on content creation and template management. Designers can build, edit, and duplicate templates and access content configuration, but cannot manage campaigns or settings.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| Create and modify templates | ✓ | ✓ | ✓ | ✓ |
| Full access to the template section | — | ✓ | ✓ | ✓ |
| Content configuration access | ✓ | ✓ | ✓ | ✓ |
Suppression
Focused on list hygiene and compliance. Designed for compliance officers or operations staff who manage who receives communications.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| Manage suppression lists | ✓ | — | — | ✓ |
| Manage consent lists | — | ✓ | ✓ | — |
Support
Read-only access for customer support and operations teams. Support users can monitor live activity and view warmup details but cannot make changes to any configuration.
| Capability | SMS | RCS | ||
|---|---|---|---|---|
| View live feed | ✓ | ✓ | ✓ | ✓ |
| View warmup details | ✓ | — | — | — |
Role Summary
The table below provides a quick comparison of all system roles and their high-level access scope.
| Role | Primary Use Case | Billing Access | Campaign Access | Settings / Admin |
|---|---|---|---|---|
| Admin | Full platform management | ✓ | Full | ✓ |
| Analyst | Reporting and monitoring | ✗ | View only | ✗ |
| Marketer | Campaign execution | ✗ | Limited | ✗ |
| Accountant | Finance and billing operations | ✓ | None | ✗ |
| Developer | Technical / developer access | ✗ | Full | ✗ |
| Designer | Template and content creation | ✗ | None | ✗ |
| Suppression | List hygiene and compliance | ✗ | None | ✗ |
| Support | Monitoring and support | ✗ | View only | ✗ |
Assigning and Editing Roles
Roles can be assigned when inviting a new user or updated at any time for existing users through Access Management.
Invite Users
Follow the steps given below to assign roles to your team members.
- Navigate to Settings > Access Management.
- Click Invite User.
- Enter the user's email address and username.
- In the role selector, check one or more roles to assign.
- If you select Admin, all individual role checkboxes are automatically disabled. Admin grants full access by default.
- Click SEND INVITE.
Editing Roles for Existing Users
Follow the steps given below to update roles for existing users.
- Navigate to Settings > Access Management.
- Find the user in the list and click ⋮ (more options).
- Select Edit User.
- Update the role selection using the checkboxes.
- Click Save to apply changes.
Admin Safety
You cannot remove the Admin role from the last remaining Admin or from the primary account owner. Assign another Admin first before making changes.
Enterprise and Feed Access for SMS
For clients with SMS enabled, RBAC supports an additional level of access control that restricts a user to specific enterprises and feeds. This lets Admins scope a user's reporting and visibility down to the exact set of feeds they are responsible for, rather than the entire account.
Note
The Enterprise and Feed selection is only available when SMS is enabled for the client. For accounts without SMS, this section does NOT appear on the user creation and edit screens.
Access Hierarchy
SMS access follows a defined hierarchy:
Enterprise: The top level. Enterprises are mapped to a client when the SMS panel is provisioned.
Feed: The second level. Each enterprise contains one or more feeds.
Sender ID : The third level. Sender ID is not used for access scoping in RBAC.
RBAC scopes access at the Enterprise and Feed levels only. Sender ID is not part of user-level access control.
Enterprise-Level Access
Enterprise selection is the base level of SMS access control.
When you assign an enterprise to a user, all feeds associated with that enterprise are populated for the user.
A user mapped at the enterprise level sees all feeds under the selected enterprise in their reporting and dashboards.
Enterprise selection is client-controlled. If a client does not opt for feed-level granularity, users have enterprise-level selection only.
Feed-Level Access
Feed selection adds granular control on top of enterprise selection.
After selecting an enterprise, the feeds associated with that enterprise are populated for selection.
An Admin can restrict a user to specific feeds within the enterprise rather than granting all feeds.
A user restricted to specific feeds sees only those feeds in their reporting, dashboards, and live feed.
For example, if an enterprise contains ten feeds and you create user ABC with access to only two of those feeds, ABC sees data for only those two feeds after logging in.
Important Point to Remember
Feed selection is optional and client-controlled. Feeds are not mandatory. If a client opts in to feed-level access, the relevant feeds must be selected during user creation or edit. If the client does not opt in, only enterprise-level selection applies.
Assigning Enterprise and Feed Access
Follow the steps given below to scope a user to specific enterprises and feeds during invite or edit.
- Navigate to Settings > Access Management.
- Begin inviting a new user or editing an existing user.
- In the Enterprise dropdown, select one or more enterprises, or use Select All.
If feed-level access is enabled for the client, the Feed dropdown populates with the feeds associated with the selected enterprises.
- Select the specific feeds the user should have access to, or use Select All to grant all feeds.
Save the invite or the changes.
After login, the user sees only the enterprises and feeds assigned to them across reporting, dashboards, and live feed.
