Roles & Permissions Model
This document defines how access is controlled across the ConversionIQ platform.
Page docs must reference this file in their User roles & permissions section.
Concepts
- Organization: top-level enterprise entity (may own many workspaces).
- Workspace: operational unit (brand/business unit) where day-to-day work happens.
- Role: named collection of permissions.
- Permission: capability token (e.g., channels.connect, kb.edit, billing.manage).
Recommended baseline roles (MVP)
- Org Admin: manages org/workspaces, users, roles, billing.
- Workspace Admin: manages workspace settings, channels, KBs, integrations.
- Manager: manages workflows (Comment Responder, Chatti Live), approvals, reporting.
- Agent: handles conversations/replies assigned to them.
- Analyst (read-only): reporting/analytics access only.
Permission categories
- Identity & Access: users, roles, permissions
- Workspaces: create/update workspace settings
- Knowledge Bases: create/edit/publish KBs and mappings
- Channels: connect/manage channels and routing
- Apps: use workflows (Comment Responder, Chatti Live)
- Billing: subscription, payment methods, invoices
- Audit: view/export audit logs
Enforcement rules (strict)
- Every API endpoint must validate workspace/org scope + permission.
- UI must hide or disable actions without required permissions.
- Audit-relevant actions must emit audit entries (see security-compliance.md).
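An added example of these three rules in one place (not ConversionIQ's own code): scope is checked before permission, a single `can()` serves the UI's hide/disable logic, and the API-side `authorize()` records audit-relevant decisions. Only channels.connect, kb.edit and billing.manage are tokens from this page; the other token names, the AUDITED_PREFIXES list and the WORKSPACE_ORG tenancy map are assumed for illustration.

```python
from dataclasses import dataclass, field

# Baseline roles from this page mapped to permission tokens (most tokens assumed).
ROLE_PERMISSIONS = {
    "org_admin": {"users.manage", "roles.manage", "billing.manage", "audit.view"},
    "workspace_admin": {"workspace.update", "channels.connect", "kb.edit", "kb.publish"},
    "manager": {"apps.use", "approvals.manage", "reports.view"},
    "agent": {"conversations.reply"},
    "analyst": {"reports.view"},
}
# Permission categories whose use must emit an audit entry (assumed list).
AUDITED_PREFIXES = ("users.", "roles.", "billing.", "channels.", "kb.")
# Constructed tenancy map: which org owns each workspace.
WORKSPACE_ORG = {"ws-1": "org-a", "ws-2": "org-b"}
AUDIT_LOG = []


@dataclass
class Principal:
    user_id: str
    org_id: str
    org_roles: set = field(default_factory=set)         # e.g. {"org_admin"}
    workspace_roles: dict = field(default_factory=dict)  # workspace_id -> set of roles


class Forbidden(Exception):
    pass


def effective_permissions(p, workspace_id):
    """Org roles apply to every workspace of the caller's org; workspace roles
    only to their own workspace. A workspace outside the org yields nothing."""
    if WORKSPACE_ORG.get(workspace_id) != p.org_id:
        return set()  # scope check first: cross-org access is never evaluated further
    roles = p.org_roles | p.workspace_roles.get(workspace_id, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def can(p, workspace_id, permission):
    """Boolean check the UI uses to hide or disable an action."""
    return permission in effective_permissions(p, workspace_id)


def authorize(p, workspace_id, permission):
    """API-side check: deny by default and record audit-relevant decisions."""
    allowed = can(p, workspace_id, permission)
    if permission.startswith(AUDITED_PREFIXES):
        AUDIT_LOG.append({"user": p.user_id, "workspace": workspace_id,
                          "permission": permission, "allowed": allowed})
    if not allowed:
        raise Forbidden(f"{p.user_id} lacks {permission} in {workspace_id}")
    return True
```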