
What are Roles and Permissions?

Roles bundle permissions; users get assigned roles. Atender ships 5 standard roles (Owner, Team Lead, Agent, Reader, Analytics) and lets you create custom roles with granular control over 60+ permissions across 8 categories.


Roles and Permissions give you control over what each user can see and do in Atender. The model is two layers:

  • Permissions: individual capabilities such as “view conversations,” “edit settings,” and “create API keys.” There are 60+ of them, organized into 8 categories.
  • Roles: named bundles of permissions. “Agent” includes the conversation-handling permissions; “Admin” includes settings access.

Users are assigned one or more roles. Their effective permissions are the union of permissions across their roles.

5 standard roles ship out of the box

  • Owner: full unrestricted access; cannot be modified. For founders and primary admins; the role that can grant all other roles.
  • Team Lead: supervisor-level access (analytics, monitor, team management). For team leads and shift supervisors.
  • Agent: conversation handling, customer interaction, day-to-day tools. For frontline agents.
  • Reader: read-only across the workspace. For auditors, occasional reviewers, observers.
  • Analytics: analytics and reporting access, no conversation editing. For analysts, BI users, leadership reviewing data.

See the standard roles reference for what each includes in detail.

Custom roles for your specific shape

Beyond the standard roles, you can create custom roles tailored to your organization:

  • A Quality Reviewer who can view conversations and add internal notes but can’t reply to customers
  • A Billing Specialist with full access to billing-related conversations and settings, none elsewhere
  • A Beta Tester with broad permissions plus access to beta features

Each custom role:

  • Has a name and description
  • Picks from the 60+ available permissions
  • Shows its usage count — how many users currently have it assigned
  • Can be edited or deleted (standard roles can’t be deleted; only Owner can’t be edited)

See Create a custom role.

Permissions are categorized

Permissions are grouped into 8 categories. Each category expands to show individual toggles, with a “select all” / “deselect all” at the category level for quick role setup:

  • Conversations — view, reply, assign, close/reopen, tag, note, forward, merge, bulk
  • Notes — internal notes on conversations, contacts, cases
  • Contacts — read, create, edit, delete contacts; manage CRM data
  • Teams — create / edit teams, manage membership
  • Users — invite, edit, deactivate users; manage roles
  • Analytics — view dashboards, export data, view audit logs
  • Settings — workspace, channels, integrations, AI, admin sub-categories
  • Modules — Cases, Monitor, etc. — feature-specific access toggles

See the permission categories reference for the full catalog.

Per-tenant scoping

Roles and permissions are scoped to the tenant. A user with Agent in Tenant A is not automatically Agent in Tenant B. Each tenant has its own roles, its own users, and its own role-to-user assignments. (Most organizations have only one tenant, so this distinction matters most for multi-tenant operators.)
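The union rule and the per-tenant scoping described above can be sketched as a small access-review script. This is an added example, not Atender's code or API: the permission keys, the tenant and user names, and the "Integrations Admin" role are constructed for illustration.

```python
# Added example: every identifier below is constructed, not an Atender key.
from collections import defaultdict

ROLES = {  # (tenant, role) -> permissions; each tenant defines its own roles
    ("tenant-a", "Agent"): {"conversations.view", "conversations.reply"},
    ("tenant-a", "Quality Reviewer"): {"conversations.view", "notes.create"},
    ("tenant-a", "Integrations Admin"): {"settings.api_keys.create"},
    ("tenant-b", "Reader"): {"conversations.view"},
}

ASSIGNMENTS = [  # (tenant, user, role); a user may hold several roles
    ("tenant-a", "dana", "Agent"),
    ("tenant-a", "dana", "Integrations Admin"),
    ("tenant-a", "lee", "Quality Reviewer"),
    ("tenant-b", "dana", "Reader"),
]

# Permissions an access review would want to see justified (assumed list).
SENSITIVE = {"settings.api_keys.create", "users.manage_roles"}


def effective_permissions(tenant, user):
    """Union of the permissions of every role the user holds in this tenant."""
    perms = set()
    for t, u, role in ASSIGNMENTS:
        if t == tenant and u == user:
            perms |= ROLES.get((t, role), set())
    return perms


def can(tenant, user, permission):
    """True only if some role held in this same tenant grants the permission."""
    return permission in effective_permissions(tenant, user)


def audit_sensitive():
    """Map (tenant, user) -> {sensitive permission: [roles that grant it]}."""
    findings = defaultdict(dict)
    for tenant, user, role in ASSIGNMENTS:
        for perm in ROLES.get((tenant, role), set()) & SENSITIVE:
            findings[(tenant, user)].setdefault(perm, []).append(role)
    return dict(findings)
```

Because roles only add permissions, assigning a second role can never narrow access, so the audit lists which role is responsible for each sensitive grant.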

What’s NOT supported today

A few things to set expectations:

  • Per-team permission scoping — you can’t grant “Admin of Team A but Agent of Team B” today. A user’s role applies tenant-wide.
  • SSO / SAML — Atender uses email-based invites and passwords (via Supabase auth). No SAML federation yet.
  • 2FA — not currently exposed as a tenant configuration option.

If you have a specific need that doesn’t fit, the workaround is usually a custom role with the exact permissions, applied tenant-wide, paired with team membership and assignment-based scoping. The role controls what the user can do in the app; team membership and assignment control which conversations they handle.
