User Roles & Permissions
DZDESK uses Role-Based Access Control (RBAC) to manage what users can see and do within the platform.
Overview
Each user is assigned exactly one role that determines their permissions. Roles are hierarchical, with higher roles having all permissions of lower roles plus additional capabilities.
User Roles
Admin
The highest privilege level with full system access.
Capabilities:
- All Agent capabilities, plus:
- Manage users and groups
- Configure SLA policies
- Set working hours and holidays
- Access system settings
- View all audit logs
- Manage tenant configuration
- Configure integrations
Typical Users:
- IT Managers
- System Administrators
- DZDESK Administrators
Agent
Standard support staff role for daily operations.
Capabilities:
- All Viewer capabilities, plus:
- Create new requests
- Edit requests
- Assign requests to self or others
- Change request status
- Add comments and attachments
- View group queues
- Claim unassigned requests
Typical Users:
- Help Desk Technicians
- Support Engineers
- IT Support Staff
Viewer
Read-only access for monitoring and oversight.
Capabilities:
- View requests (scope may be limited)
- View dashboards
- Access reports (if permitted)
- Search requests
- Cannot create or modify data
Typical Users:
- Department Managers
- Executives needing visibility
- Auditors
- Trainees
Permission Matrix
| Permission | Admin | Agent | Viewer |
|---|---|---|---|
| View assigned requests | ✓ | ✓ | ✓ |
| View all requests | ✓ | ✓* | ✗ |
| Create requests | ✓ | ✓ | ✗ |
| Edit requests | ✓ | ✓ | ✗ |
| Delete requests | ✓ | ✗ | ✗ |
| Assign requests | ✓ | ✓ | ✗ |
| Change priority | ✓ | ✓ | ✗ |
| View all users | ✓ | ✓ | ✗ |
| Manage users | ✓ | ✗ | ✗ |
| Manage groups | ✓ | ✗ | ✗ |
| Configure SLA | ✓ | ✗ | ✗ |
| System settings | ✓ | ✗ | ✗ |
| View audit logs | ✓ | Limited | ✗ |
*Agents see requests based on group membership.
Role Assignment
During Provisioning
When users first log in:
- Account is created from identity provider
- Default role is assigned (configurable)
- Administrator can change role as needed
Changing Roles
Administrators change roles via:
- Navigate to Settings > Users
- Find the user
- Click Edit
- Select new role from dropdown
- Save changes
Role changes take effect immediately.
Group-Based Access
Beyond roles, access is refined by group membership:
Group Visibility
- Agents see requests in their groups
- Requests can be assigned to group queues
- Cross-group visibility requires Admin role
Multiple Groups
Users can belong to multiple groups:
- See combined queue from all groups
- Can be assigned requests from any group
- Useful for specialists covering multiple areas
Special User Types
VIP Users
VIP designation adds:
- Priority boost on their requests
- Faster SLA targets
- Special visibility to agents
- Enhanced notifications
See VIP Users for details.
Service Accounts
For API integrations:
- Limited to API access
- No interactive login
- Scoped permissions
- Audit logged separately
Best Practices
Role Assignment
- Principle of Least Privilege: Assign minimum necessary role
- Regular Review: Audit role assignments periodically
- Documentation: Document why users have specific roles
- Separation of Duties: Don't give everyone Admin access
Group Organization
- Create groups based on expertise areas
- Keep groups focused and manageable
- Avoid excessive group overlap
- Review group membership regularly
Security Considerations
- Limit Admin accounts
- Use named accounts (not shared)
- Review access when roles change
- Remove access promptly for departures
Troubleshooting
User Can't See Requests
- Check user's role
- Verify group membership
- Confirm request is in user's group
User Can't Perform Action
- Review role permissions
- Check if feature is admin-only
- Verify user is active
Role Change Not Working
- Ensure you have Admin role
- User may need to log out/in
- Check for sync issues with identity provider
Related Topics
- User & Group Management - Managing users
- Groups & Teams - Group configuration
- Role Hierarchy - Advanced role setup