Roles & Permissions
Novaza SSO uses a Role-Based Access Control (RBAC) model. Permissions are granted to roles, and roles are assigned to users. This makes it easy to manage access for large teams — instead of configuring permissions per user, you configure a small set of roles and assign users to them.
Built-In Roles
Every workspace starts with these default roles:
| Role | Description |
|---|---|
| Owner | Full access to all products and settings; can manage billing. Only one owner per workspace. |
| Administrator | Full access to all products and settings; cannot manage billing or transfer ownership. |
| Member | Standard access to products the user has been granted access to; no access to global settings. |
| Guest | Read-only access to specific namespaces or channels as explicitly configured. |
Built-in roles cannot be deleted, but their permissions can be reviewed (not modified). For custom permission sets, create additional roles.
Creating Custom Roles
- Go to SSO → Roles → New Role.
- Enter a Role Name (e.g., Sales Manager, Support Agent, Finance Viewer).
- Assign permissions from the permission matrix — organized by product and feature area.
- Click Save.
Custom roles appear in the role assignment dropdown when creating or editing users.
Per-Product Role Model
Permissions are applied per product. Each product (Office, Desk, Pulse, Live, Mail, Personeo) has its own internal role model with its own role names and scope of control. Novaza SSO assigns a user to one or more roles per product, and the product enforces what that user can do once they are inside.
Office roles
Office defines namespace-scoped roles such as Namespace Admin, Module Editor, and Read-only Viewer. Permissions are configured per module (read, create, update, delete) and can be further restricted to specific fields.
Desk roles
Desk defines workspace-scoped roles: Administrator (manages channels, SLA, automation, and other agents) and Agent (responds to conversations). Team-scoped assignments further control which inboxes an agent can see.
Pulse roles
Pulse defines roles for managing subscribers, building templates, and launching campaigns. Read-only access to analytics can be granted without granting send permissions.
Live roles
Live controls who can place or receive calls and who can access call recordings.
SSO roles
SSO itself has Owner, Administrator, Member, and Guest as the workspace-level roles described above. These determine who can create users, manage product role assignments, and configure workspace-wide settings.
There is no unified cross-product permission string. When you assign a user a role, you choose from the roles defined by each product individually.
Role Assignment
Assign roles to a user from their profile page (SSO → Users → [user] → Roles) or from the role detail page (SSO → Roles → [role] → Members). A user can have multiple roles; their effective permissions are the union of all assigned roles.
Multi-Factor Authentication Enforcement
You can require MFA for all users assigned to a specific role:
- Go to SSO → Roles → [role] → Security.
- Toggle Require MFA to on.
- Users with this role who have not yet set up MFA will be forced to configure a TOTP authenticator app on their next login.
We recommend enabling MFA enforcement for all roles with administrative permissions.
Role Delegation
Users with the sso.roles.manage permission can assign roles to others, but only roles that are equal to or below their own permission level. This prevents privilege escalation — a Support Administrator cannot grant someone the global Administrator role.
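The rules from Role Assignment, Multi-Factor Authentication Enforcement, and Role Delegation can be modelled offline to review a planned role set before configuring it. The following is an added example, not Novaza code or a Novaza API. It assumes "equal to or below" means the granted role's permissions are a subset of the grantor's effective permissions and that "administrative" means a permission ending in `.manage` or `.admin`. All role contents, users, and permission strings other than `sso.roles.manage` are constructed.

```python
# Added example: a model of the rules described on this page, not product code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    require_mfa: bool = False  # the per-role "Require MFA" toggle

# Constructed sample data (only sso.roles.manage appears on the page).
ROLES = {r.name: r for r in [
    Role("Administrator", frozenset({"sso.roles.manage", "sso.users.manage",
                                     "desk.admin", "desk.reply",
                                     "office.finance.read"}), require_mfa=True),
    Role("Support Administrator", frozenset({"sso.roles.manage",
                                             "desk.admin", "desk.reply"})),
    Role("Support Agent", frozenset({"desk.reply"})),
    Role("Finance Viewer", frozenset({"office.finance.read"})),
]}
USERS = {
    "alice": ["Administrator"],
    "bob": ["Support Administrator"],
    "carol": ["Support Agent", "Finance Viewer"],
}
ADMIN_SUFFIXES = (".manage", ".admin")  # assumption: what counts as administrative

def effective_permissions(user):
    """Effective permissions are the union of all assigned roles."""
    perms = set()
    for role_name in USERS[user]:
        perms |= ROLES[role_name].permissions
    return perms

def mfa_required(user):
    """MFA is forced if any one of the user's roles has Require MFA on."""
    return any(ROLES[r].require_mfa for r in USERS[user])

def can_delegate(grantor, role_name):
    """Grantor needs sso.roles.manage and may only grant roles whose
    permissions do not exceed their own (subset test is an assumption)."""
    own = effective_permissions(grantor)
    return "sso.roles.manage" in own and ROLES[role_name].permissions <= own

def admin_roles_without_mfa():
    """Roles holding administrative permissions with Require MFA off."""
    return sorted(r.name for r in ROLES.values()
                  if not r.require_mfa
                  and any(p.endswith(ADMIN_SUFFIXES) for p in r.permissions))

if __name__ == "__main__":
    print("Admin roles missing MFA enforcement:", admin_roles_without_mfa())
    print("bob may grant Administrator:", can_delegate("bob", "Administrator"))
```
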