Role-Based Access Control (RBAC)

Understand how roles and permissions control access to features across Email, SMS, RCS and WhatsApp on the Netcore CPaaS dashboard.

Overview

Netcore CPaaS uses Role-Based Access Control (RBAC) to manage what each team member can see and do within the platform. Admins assign one or more roles to each user, and those roles determine which screens, features, and actions are available to them across Email, SMS, RCS and WhatsApp.

RBAC in CPaaS is designed to be simple, consistent, and cross-channel. The same roles apply regardless of which channel a user is working in.

📘

Note

Only Admin users can assign or modify roles. Role assignments are managed through Settings > Access Management.

Key Concepts

Multiple Roles Per User

Each user can hold one or more roles simultaneously. Permissions are additive, so a user with both Analyst and Marketing roles receives all permissions from both. When you assign the Admin role, it automatically grants full access and disables individual permission selection.

Cross-Channel Roles

All roles apply uniformly across Email, SMS, and WhatsApp. There are no separate per-channel configurations. A user's access to a channel is determined entirely by their assigned roles.

Admin Protection

The Admin role comes with built-in safety guardrails. The last remaining Admin on an account cannot be removed or downgraded, and the primary account owner's Admin role is permanently immutable. This prevents accidental account lockout.

System Roles

CPaaS provides eight pre-defined system roles. Each role is described below, along with the capabilities it grants across channels.

Admin

Full access to all features and settings across Email, SMS, WhatsApp, and RCS. Admins are also responsible for managing users and roles through Access Management.

CapabilityEmailSMSWhatsAppRCS
Full rights, equivalent to the account owner
Access Management (invite/edit / remove users)
All settings and configurations
Billing and invoices
All integrations and webhooks

⚠️

Admin Rule

At least one Admin must exist at all times. The last Admin cannot be removed or downgraded until a second Admin is promoted.

Analyst

Read-only access focused on analytics, reporting, and monitoring. Ideal for data analysts and reporting teams who need visibility without the ability to make changes.

CapabilityEmailSMSWhatsAppRCS
View live feed
Download live feed
View analytics and subaccount analytics
View/download reports
View/download dashboard
View/download blocklist
View suppression/tag list
View warmup details
Manage mail alerts

Marketer

Focused on campaign execution and audience management. Marketing users can create and manage campaigns and templates, but do not have access to integrations or billing.

CapabilityEmailSMSWhatsAppRCS
View live feed and analytics
View / download reports
View / download dashboard
View / download blocklist
View and edit suppression list
Full access to template section
Full access to campaign section

Developer

Broad technical access covering all operational and integration features. Ideal for developers and technical team members. The Developer role excludes billing information to maintain financial data separation.

CapabilityEmailSMSWhatsAppRCS
All access except billing information
Integrations and webhooks
Campaign and template management
Suppression and consent list management

Designer

Focused on content creation and template management. Designers can build, edit, and duplicate templates and access content configuration, but cannot manage campaigns or settings.

CapabilityEmailSMSWhatsAppRCS
Create and modify templates
Full access to the template section
Content configuration access

Suppression

Focused on list hygiene and compliance. Designed for compliance officers or operations staff who manage who receives communications.

CapabilityEmailSMSWhatsAppRCS
Manage suppression lists
Manage consent lists

Support

Read-only access for customer support and operations teams. Support users can monitor live activity and view warmup details but cannot make changes to any configuration.

CapabilityEmailSMSWhatsAppRCS
View live feed
View warmup details

Role Summary

The table below provides a quick comparison of all system roles and their high-level access scope.

RolePrimary Use CaseBilling AccessCampaign AccessSettings / Admin
AdminFull platform managementFull
AnalystReporting and monitoringView only
MarketerCampaign executionLimited
AccountantFinance and billing operationsNone
DeveloperTechnical / developer accessFull
DesignerTemplate and content creationNone
SuppressionList hygiene and complianceNone
SupportMonitoring and supportView only

Assigning and Editing Roles

Roles can be assigned when inviting a new user or updated at any time for existing users through Access Management.

Invite Users

Follow the steps given below to assign roles to your team members.

  1. Navigate to Settings > Access Management.
  2. Click Invite User.
  3. Enter the user's email address and username.
  4. In the role selector, check one or more roles to assign.
  5. If you select Admin, all individual role checkboxes are automatically disabled. Admin grants full access by default.
  6. Click SEND INVITE.

Editing Roles for Existing Users

Follow the steps given below to update roles for existing users.

  1. Navigate to Settings > Access Management.
  2. Find the user in the list and click (more options).
  3. Select Edit User.
  4. Update the role selection using the checkboxes.
  5. Click Save to apply changes.

⚠️

Admin Safety

You cannot remove the Admin role from the last remaining Admin or from the primary account owner. Assign another Admin first before making changes.

Enterprise and Feed Access for SMS

For clients with SMS enabled, RBAC supports an additional level of access control that restricts a user to specific enterprises and feeds. This lets Admins scope a user's reporting and visibility down to the exact set of feeds they are responsible for, rather than the entire account.

📘

Note

The Enterprise and Feed selection is only available when SMS is enabled for the client. For accounts without SMS, this section does NOT appear on the user creation and edit screens.

Access Hierarchy

SMS access follows a defined hierarchy:

Enterprise: The top level. Enterprises are mapped to a client when the SMS panel is provisioned.
Feed: The second level. Each enterprise contains one or more feeds.
Sender ID : The third level. Sender ID is not used for access scoping in RBAC.

RBAC scopes access at the Enterprise and Feed levels only. Sender ID is not part of user-level access control.

Enterprise-Level Access

Enterprise selection is the base level of SMS access control.

When you assign an enterprise to a user, all feeds associated with that enterprise are populated for the user.
A user mapped at the enterprise level sees all feeds under the selected enterprise in their reporting and dashboards.
Enterprise selection is client-controlled. If a client does not opt for feed-level granularity, users have enterprise-level selection only.

Feed-Level Access

Feed selection adds granular control on top of enterprise selection.

After selecting an enterprise, the feeds associated with that enterprise are populated for selection.
An Admin can restrict a user to specific feeds within the enterprise rather than granting all feeds.
A user restricted to specific feeds sees only those feeds in their reporting, dashboards, and live feed.

For example, if an enterprise contains ten feeds and you create user ABC with access to only two of those feeds, ABC sees data for only those two feeds after logging in.

👍

Important Point to Remember

Feed selection is optional and client-controlled. Feeds are not mandatory. If a client opts in to feed-level access, the relevant feeds must be selected during user creation or edit. If the client does not opt in, only enterprise-level selection applies.

Assigning Enterprise and Feed Access

Follow the steps given below to scope a user to specific enterprises and feeds during invite or edit.

  1. Navigate to Settings > Access Management.
  2. Begin inviting a new user or editing an existing user.
  3. In the Enterprise dropdown, select one or more enterprises, or use Select All.

If feed-level access is enabled for the client, the Feed dropdown populates with the feeds associated with the selected enterprises.

  1. Select the specific feeds the user should have access to, or use Select All to grant all feeds.
    Save the invite or the changes.

After login, the user sees only the enterprises and feeds assigned to them across reporting, dashboards, and live feed.