Roles and Permissions
Manage access control by creating roles and assigning permissions that determine what actions agents can perform in Convrs.
Convrs uses Role-Based Access Control (RBAC), an industry-standard security model where permissions are assigned to roles rather than individual users. Each agent is assigned one or more roles, and inherits all permissions associated with those roles. This approach simplifies access management, improves security, and supports compliance requirements.
Understanding Roles and Permissions
Learn the key concepts behind role-based access control and how it works in Convrs.
What is Role-Based Access Control?
Role-Based Access Control (RBAC) is a security model that restricts system access based on the roles assigned to users. The three fundamental components are:
- Users (Agents) - The people who need access to the system
- Roles - Named collections of permissions that represent job functions or responsibilities
- Permissions - Specific actions or capabilities that can be granted or denied
Instead of assigning permissions directly to each agent, you assign permissions to roles, then assign roles to agents. This creates a layer of abstraction that makes access management more scalable and maintainable.
The Principle of Least Privilege
The principle of least privilege is a fundamental security concept that states users should only be granted the minimum permissions necessary to perform their tasks. When configuring roles:
- Start with minimal permissions and add more only when needed
- Avoid granting broad administrative access when specific permissions would suffice
- Regularly review and remove permissions that are no longer required
Following this principle significantly reduces the risk of security breaches and data exposure.
Default Roles
Convrs comes with pre-configured roles that cover common use cases:
- Admin - Full administrative access to all system features and settings
- Agent - Standard agent permissions for handling chats and customer interactions
You can use these default roles as-is, modify their permissions, or create custom roles tailored to your organization's needs.
Managing Roles
Create and delete roles to match your organization's structure and access requirements.
Create a New Role
Create a custom role to define a specific set of permissions for a group of agents.
Steps:
- Navigate to Administration > Roles and Permissions.
- In the Create New Role section, enter a name in the Role Name field.
- Click the Create New Role button.
Result: The new role is created with no permissions. You must then assign permissions to the role before it becomes useful.
- Use descriptive names that reflect the business function rather than job titles (e.g., "Customer Data Management" instead of "Sales Manager")
- Plan your role structure before creating roles to avoid role proliferation
- Consider creating roles based on stable business functions that won't change with organizational restructuring
Delete a Role
Remove a role that is no longer needed.
Steps:
- Navigate to Administration > Roles and Permissions.
- In the Delete a Role section, select the role from the dropdown.
- Click the Delete Role button.
Result: The role is permanently deleted and will no longer be available for assignment.
- Before deleting, check Agent Management to identify which agents have the role assigned
- Consider whether the role's permissions should be merged into another role before deletion
- Document the reason for deletion for audit purposes
Managing Permissions
Assign or remove permissions from roles to control what actions agents can perform.
Assign Permissions to a Role
Configure which permissions are granted to agents who have a specific role.
Steps:
- Navigate to Administration > Roles and Permissions.
- In the Permissions for Role section, select a role from the Role dropdown.
- Use the dual list selector to move permissions between Available Permissions and Selected Permissions.
- Select permissions in the left list and click the arrow buttons to add them to the role.
- Select permissions in the right list and click the arrow buttons to remove them from the role.
- Click the Update Permissions for Role button to save your changes.
Result: The role is updated with the new permission set. All agents assigned to this role will immediately have access to the newly granted permissions (or lose access to removed permissions).
- Apply the principle of least privilege - only grant permissions that are truly needed
- Test permission changes with a single user before applying to critical roles
- Document the business justification for each permission assignment
Best Practices
Industry-standard guidelines for effective role and permission management.
Role Design Principles
Well-designed roles make access management easier and more secure:
- Align with business functions - Design roles around stable business functions rather than job titles. This ensures roles remain relevant even as your organization evolves.
- Use the 80/20 rule - If 80% of users with a role need 80% of its permissions, your role granularity is appropriate. If not, consider splitting or consolidating roles.
- Avoid role explosion - Too many roles increase administrative overhead and the risk of errors. Consolidate similar roles when possible.
- Allow multiple roles per user - Instead of creating a combined "Support-Admin" role, assign both "Support Agent" and "Admin" roles separately. This provides flexibility without bloating role definitions.
Regular Access Reviews
Periodic reviews help ensure roles align with current business needs and identify security risks:
- Quarterly reviews - Assess both role definitions and individual role assignments at least quarterly
- Review on role change - When an agent changes job function, review and update their role assignments
- Audit permission usage - Identify permissions that are rarely or never used and consider removing them
- Remove stale access - Promptly revoke access when agents leave the organization or change roles
Security Considerations
Protect your organization by following these security guidelines:
- Limit administrative roles - Keep the number of users with full administrative access to an absolute minimum
- Separate duties - Avoid giving a single role conflicting permissions (e.g., both creating and approving actions)
- Document changes - Maintain records of role and permission changes for compliance and audit purposes
- Test before deploying - Test permission changes in a controlled manner before applying to production roles
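The access review and security checks above, as an added Python example that is not part of Convrs or its documentation. Role names, agents, usage records and the SENSITIVE and CONFLICTS policy are constructed assumptions; only the permission names come from the Permission Reference. It goes one step beyond the text by checking separation of duties on each agent's combined roles, since an agent with several roles inherits the union of their permissions.

```python
# Constructed sample data: role names, agents and the export shape are
# assumptions; permission names are taken from the Permission Reference.
ROLES = {
    "Admin": {"AdminRolesAndPermissions", "AdminOrganization",
              "AgentManagementEditAgent", "Reports"},
    "Support Agent": {"AgentChat", "ChatsMy", "AgentChatAllowTransfer", "TagAddRemove"},
    "Customer Data Management": {"Users", "DeleteUser", "AgentBlockUser"},
}
AGENT_ROLES = {
    "alice": ["Admin"],
    "bob": ["Support Agent"],
    "carol": ["Support Agent", "Customer Data Management"],
    "dave": ["Support Agent", "Admin"],
}
# Reviewer-chosen policy (assumption): grants that need a named justification.
SENSITIVE = {"AdminRolesAndPermissions", "AgentManagementEditAgent", "DeleteUser", "ConvrsAPI"}
# Reviewer-chosen separation-of-duties pairs (assumption).
CONFLICTS = [("AgentChat", "DeleteUser")]
# Constructed usage records for the review period: (agent, permission exercised).
USAGE = [("alice", "AdminRolesAndPermissions"), ("bob", "AgentChat"),
         ("carol", "AgentChat"), ("carol", "Users"), ("dave", "AgentChat")]


def effective_permissions(agent):
    """Union of the permissions of every role the agent holds."""
    return set().union(*(ROLES[role] for role in AGENT_ROLES[agent]))


def holders(permission):
    """Agents whose effective permissions include the given permission."""
    return sorted(a for a in AGENT_ROLES if permission in effective_permissions(a))


def review():
    """Per agent: sensitive grants, conflicting pairs, grants never exercised."""
    used = {}
    for agent, perm in USAGE:
        used.setdefault(agent, set()).add(perm)
    findings = {}
    for agent in sorted(AGENT_ROLES):
        perms = effective_permissions(agent)
        findings[agent] = {
            "sensitive": sorted(perms & SENSITIVE),
            "conflicts": [pair for pair in CONFLICTS if set(pair) <= perms],
            "unused": sorted(perms - used.get(agent, set())),
        }
    return findings


if __name__ == "__main__":
    print(holders("AdminRolesAndPermissions"), review())
```

In this sample no single role contains both permissions of the conflicting pair, yet carol holds both through two roles, which a role-by-role check would miss.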
Permission Reference
A complete list of all available permissions in Convrs, organized by functional area.
Administration Permissions
Permissions for managing system-wide settings and configurations.
| Permission | Description |
|---|---|
| AdminBusinessUnit | Allows the creation and deletion of business units |
| AdminChatCategorization | Allows the creation and deletion of chat categorization |
| AdminOrganization | Allows editing options for organization-wide controls including: setting office hours and time zone, agent chat handling option, and password policy |
| AdminRolesAndPermissions | Allows the creation and deletion of roles within the dashboard as well as their corresponding permissions |
| OrganizationDashboard | Allows access to view high level summary of the following: bots, agents, flows, users, inbound messages, and outbound messages |
| Reports | Allows access to pull and view reports |
| TagManagement | Allows the creation and management of tags for organizing chats and users |
Agent Management Permissions
Permissions for managing agents and viewing agent-related information.
| Permission | Description |
|---|---|
| AgentManagementAddAgent | Allows creation of new agents within the dashboard |
| AgentManagementAgentStatus | Allows viewing the current status of all agents within the dashboard (online, offline, busy, disabled) |
| AgentManagementBotChatHistory | Shows a user's chat history in a specific bot they interacted with |
| AgentManagementBulkAdd | Allows bulk adding of multiple agents at once via CSV upload |
| AgentManagementChatHistory | Shows a specific agent's chat history |
| AgentManagementEditAgent | Allows editing of all agent details (name, business unit, language, role, maximum no. of allowed chats) and allows password resetting |
| AgentManagementReplies | Allows creation of organization-wide standard replies |
| AgentManagementUserChatHistory | Allows searching for a specific user by name or email address and viewing the transcript of their chat. Columns include DateTime, Agent, Message Type (User or Agent), Message and the translated message if any |
| AgentProfileEditing | Allows the agent to edit general information on their personal profile including: their name within the dashboard, their public name to be shown on web chat only, their language code to be used for the translate function, and their landline and mobile phones |
| TeamStatus | Allows seeing who is currently online; shown in the sidebar |
Chat Permissions
Permissions related to handling and managing customer conversations.
| Permission | Description |
|---|---|
| AcceptWaiting | When a chat is sticky and the agent is not online, other agents can then accept a chat waiting for an agent |
| AgentChat | Allows accepting and responding to chats |
| AgentChatAllowCloseAll | Allows the agent to close all their open chats |
| AgentChatAllowOwnReplies | Allows agents to create/maintain their own quick replies |
| AgentChatAllowTransfer | Allows the agent to transfer chats to other agents or business units |
| AgentChatAllowTranslate | Allows the agent to use the translate function |
| AgentChatAllowUserPanel | Allows the agent to view and edit user information in the side panel during a chat |
| AgentChatDeleteMessage | Allows the agent to delete messages from a conversation |
| AgentSupervise | Allows viewing all of the active chats within the dashboard as well as transferring of chats, whispering to agents, etc. |
| AgentSuperviseSeeAllChats | Allows supervisors to see all chats across all business units in the supervise view |
| AgentViewBotLog | Allows viewing the bot interaction log for a user to see their journey through the bot |
| ChatsAll | Shows all closed chats within the dashboard. This permission is usually set for Agent Managers and higher |
| ChatsMy | Shows the agent all of their closed chats |
User Management Permissions
Permissions for managing end users (customers) in the system.
| Permission | Description |
|---|---|
| AgentBlockUser | Allows agents to block a user |
| AgentUnblockUser | Allows agents to unblock a user |
| DeleteUser | Allows deleting of users (not recommended) |
| TagAddRemove | Allows agents to add and remove tags from chats and users |
| UnstickUser | Allows unsticking users from individual agents or through bulk action |
| Users | Allows access to view ALL users created within the dashboard in chronological order. Allows searching for a user by name, email, phone, or user id |
Bot and Flow Permissions
Permissions for creating and managing bots and conversation flows.
| Permission | Description |
|---|---|
| BotsCreate | Allows creation of different bots (Web Chat, WhatsApp Web, WhatsApp API, Telegram, LINE, SMS, Viber, Messenger) |
| BotsShowAll | Allows viewing and editing all bots created within the dashboard |
| FAQ | Allows access to create and manage FAQ entries for knowledge base articles |
| FlowCreate | Allows creation of flows |
| FlowEdit | Allows editing of flows |
| FlowShowAll | Allows viewing of all created flows |
| FlowViewLog | Shows the log of the users, which bot they interacted with, as well as the time stamp of their last activity |
| KnowledgeBase | Allows the creation and editing of a knowledge base |
Channel and Integration Permissions
Permissions for managing communication channels and third-party integrations.
| Permission | Description |
|---|---|
| Integration360Dialog | Allows access to integrate 360Dialog WhatsApp API into Convrs |
| IntegrationFacebook | Allows access to integrate Facebook pages to Convrs for Facebook Messenger |
| IntegrationSalesforce | Allows access to integrate Salesforce into Convrs |
| ManagePhones | Allows access to view and connect WhatsApp Web bots to devices |
| SalesForce | Allows access to integrate Salesforce into Convrs |
| WebWidget | Allows access to creating and editing web widgets |
Messaging Permissions
Permissions for outbound messaging and campaigns.
| Permission | Description |
|---|---|
| Campaign | Allows access to create and manage messaging campaigns |
| Publish | Allows bulk messaging. It must be set up per broker: some messaging apps don't allow publishing after 24 hours, so configuration is needed to keep channels from being blocked |
| SMSOutbound | Allows access to send SMS messages |
| | Allows access to WhatsApp outbound solution |
| WhatsAppAPI | Different from the WhatsApp outbound solution. More of an inbound solution that uses templates. Contact your Convrs representative |
Advanced Permissions
Permissions for advanced features and API access.
| Permission | Description |
|---|---|
| AIWritingAssistant | Allows the agent to use the AI writing assistant to help compose responses |
| ConvrsAPI | Enables the use of the Convrs API |
| NativeApp | Allows access to native mobile app features |
| Portal | Allows access to the portal features for external user access |