Role Hierarchy
Understand the role hierarchy and permissions in DZDESK.
Role Overview
DZDESK has three built-in roles arranged in a hierarchy:
Admin (Full Access)
│
├── Agent (Standard Operations)
│ │
│ └── Viewer (Read Only)
Each higher role includes all permissions of lower roles.
Admin Role
Permissions
Admins can:
User Management
- Create, edit, deactivate users
- Assign roles to users
- Manage group membership
- Set VIP status
Group Management
- Create and delete groups
- Configure group settings
- Assign group managers
System Configuration
- Configure SLA policies
- Set working hours
- Manage holiday calendar
- Configure integrations
Request Operations
- All Agent permissions
- Delete requests
- Bulk operations
- Override SLA
Reporting & Audit
- Access all reports
- View audit logs
- Export data
- System analytics
Typical Admin Users
- IT Managers
- DZDESK System Administrators
- Service Desk Managers
- Compliance Officers
Best Practices for Admins
- Limit number of Admin accounts
- Use named accounts (not shared)
- Regular review of Admin actions
- Document administrative changes
Agent Role
Permissions
Agents can:
Request Management
- Create new requests
- Edit request details
- Change status
- Assign/reassign requests
- Add comments
- Attach files
Queue Management
- View group queues
- Claim unassigned requests
- Filter and search requests
- Use saved views
Communication
- Add public comments
- Add internal notes
- View request history
Limited Admin
- View user list (not edit)
- See group membership
- Access own activity
Cannot Do
- Create/delete users
- Manage groups
- Configure SLA
- System settings
- View audit logs
- Delete requests
Typical Agent Users
- Help Desk Technicians
- Support Engineers
- IT Support Staff
- Field Technicians
Best Practices for Agents
- Document all actions
- Update status promptly
- Use internal notes appropriately
- Escalate when needed
Viewer Role
Permissions
Viewers can:
Read Access
- View requests (scope may be limited)
- See dashboards
- View reports (if granted)
- Search requests
Cannot Do
- Create requests
- Edit anything
- Assign requests
- Add comments
- Change status
- Access settings
Typical Viewer Users
- Department Managers (oversight)
- Executives (visibility)
- Auditors (review)
- Trainees (learning)
Best Practices for Viewers
- Use for oversight roles
- Consider for new employees
- Upgrade to Agent when ready
- Don't over-use for access restriction
Permission Matrix
| Permission | Admin | Agent | Viewer |
|---|---|---|---|
| Requests | |||
| View assigned | ✓ | ✓ | ✓ |
| View all | ✓ | Group | Limited |
| Create | ✓ | ✓ | ✗ |
| Edit | ✓ | ✓ | ✗ |
| Delete | ✓ | ✗ | ✗ |
| Assign | ✓ | ✓ | ✗ |
| Users | |||
| View list | ✓ | ✓ | ✗ |
| Create/Edit | ✓ | ✗ | ✗ |
| Deactivate | ✓ | ✗ | ✗ |
| Groups | |||
| View | ✓ | ✓ | ✗ |
| Create/Edit | ✓ | ✗ | ✗ |
| Delete | ✓ | ✗ | ✗ |
| Settings | |||
| View | ✓ | Limited | ✗ |
| Modify | ✓ | ✗ | ✗ |
| Reports | |||
| View | ✓ | Limited | Limited |
| Export | ✓ | Limited | ✗ |
| Audit Logs | |||
| View | ✓ | Own | ✗ |
| Export | ✓ | ✗ | ✗ |
Group-Based Access
How Groups Affect Access
Beyond roles, access is refined by group:
- Agents see requests in their groups
- Group membership required for queue access
- Cross-group requires Admin or explicit assignment
Multiple Group Membership
Users in multiple groups:
- See requests from all groups
- Can be assigned from any group
- Combined queue view
Example
Agent in "Hardware" and "Network" groups:
- Sees both queues
- Can claim from either
- Assigned requests from both visible
Changing Roles
Process
- Navigate to Settings > Users
- Find user
- Edit role assignment
- Save changes
Considerations
- Takes effect immediately
- User may need to refresh
- Audit log entry created
- Previous actions unchanged
Demotion
When reducing access:
- User loses permissions immediately
- Active sessions may need refresh
- Historical access preserved in logs
Promotion
When increasing access:
- User gains permissions immediately
- No refresh typically needed
- Consider training needs
Security Recommendations
Admin Accounts
- Minimize: Few people as possible
- Named: No shared Admin accounts
- Monitor: Review Admin actions regularly
- MFA: Enable at identity provider
Agent Accounts
- Appropriate scope: Only needed groups
- Review regularly: Update with role changes
- Train: Ensure understanding of capabilities
Viewer Accounts
- Purposeful: Clear reason for access
- Time-limited: Review continued need
- Upgrade path: Promote when appropriate
Troubleshooting
User Can't Perform Action
- Check user's role
- Verify action is allowed for role
- Check group membership if relevant
- Consider if role change needed
Unexpected Access
- Review user's role
- Check group memberships
- Review any recent changes
- Audit log for role changes
Related Topics
- User & Group Management - Managing users
- User Roles & Permissions - User guide
- Audit Logs - Tracking changes