RBAC & User Management

Role-Based Access Control (RBAC) for multi-tenant organizations. Each org has its own platform users, and each user's role controls what they can see and do within that org.

Roles

Role | Permissions | Use case
Owner | 30: full control including API keys | Org owner / IT head
Admin | 29: everything except API key management | IT admin / manager
Manager | 14: view calls, listen recordings, view users, audit log | Shift supervisor / department head
Agent | 7: own calls, tickets, click-to-call (no recordings) | Receptionist / call agent

Permission matrix

Organisation & Settings

Permission Owner Admin Manager Agent
Edit org settings
Manage API keys
Deploy Asterisk config

Calls & Recordings

Permission Owner Admin Manager Agent
View all call logs
View own calls only
Listen to recordings
Download recordings
Delete recordings

Users & Tickets

Permission Owner Admin Manager Agent
Invite / delete users
Assign roles
View / create tickets
Delete / archive tickets

Compliance

Permission Owner Admin Manager Agent
Set retention policy
View audit log
Handle erasure requests
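The matrix above maps roles to permissions, and the endpoint list below uses "admin+" / "manager+" shorthand for a role ordering. The following is an added example of how such a matrix can be encoded and checked in JavaScript; it is not the project's src/middleware/rbac.js. The permission identifiers (calls:view_all, apikeys:manage, ...), the ROLE_RANK ordering and the exact permission set per role are assumptions for illustration, built from the role summary (Owner = Admin plus API-key management; Agent sees own calls only). The last helper shows the point a role check alone cannot cover: "view own calls only" is an object-level decision that must compare the call's owner to the requesting user.

```javascript
// Added example: permission matrix and checks (not the project's rbac.js).

// Rank backs the "admin+" / "manager+" notation: a role satisfies "X+"
// when its rank is at least X's rank. Unknown roles have no rank.
const ROLE_RANK = { agent: 1, manager: 2, admin: 3, owner: 4 };

// Illustrative permission sets (assumed identifiers, not the real ones).
const AGENT = [
  'calls:view_own', 'calls:click_to_call', 'tickets:view', 'tickets:create',
];
const MANAGER = [
  'calls:view_all', 'recordings:listen', 'users:view', 'audit:view',
  'tickets:view', 'tickets:create',
];
const ADMIN = [
  ...MANAGER,
  'org:edit_settings', 'asterisk:deploy',
  'recordings:download', 'recordings:delete',
  'users:invite', 'users:delete', 'users:assign_role',
  'tickets:delete', 'tickets:archive',
  'retention:set', 'erasure:handle',
];
// Owner is Admin plus API-key management, matching the 30 vs 29 split above.
const OWNER = [...ADMIN, 'apikeys:manage'];

const PERMISSIONS = { agent: AGENT, manager: MANAGER, admin: ADMIN, owner: OWNER };

// "minRole+" check, e.g. hasRole('owner', 'admin') === true.
function hasRole(role, minRole) {
  const have = ROLE_RANK[role];
  const need = ROLE_RANK[minRole];
  return have !== undefined && need !== undefined && have >= need;
}

// Fine-grained check against the matrix. Unknown roles get nothing.
function can(role, permission) {
  const perms = PERMISSIONS[role];
  return Array.isArray(perms) && perms.includes(permission);
}

// Object-level authorization for a call record. A role check answers
// "may this role see calls at all?"; this answers "may THIS user see
// THIS call?". `call.ownerUserId` is an assumed field on the call record.
function authorizeCallAccess(user, call) {
  if (can(user.role, 'calls:view_all')) return true;
  if (can(user.role, 'calls:view_own')) return call.ownerUserId === user.id;
  return false;
}

// Every permission Admin has, Owner has too; the only difference is API keys.
function ownerOnlyPermissions() {
  return OWNER.filter((p) => !ADMIN.includes(p));
}

module.exports = { ROLE_RANK, PERMISSIONS, hasRole, can, authorizeCallAccess, ownerOnlyPermissions };
```

Keeping the per-role lists cumulative (ADMIN built from MANAGER, OWNER from ADMIN) makes a drift between roles visible in one diff, and the deny-by-default in `can` and `hasRole` means a typo in a role name or a new role added to the ENUM but not to the matrix fails closed rather than open.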

API endpoints

POST   /api/v1/auth/user-login         Firebase token → role JWT
POST   /api/v1/org-users/invite         Invite user (admin+)
GET    /api/v1/org-users                 List users (manager+)
GET    /api/v1/org-users/me/profile      Own profile (any role)
PUT    /api/v1/org-users/:id/role        Change role (admin+)
DELETE /api/v1/org-users/:id             Remove user (admin+)
GET    /api/v1/roles                     List roles + permissions

Auth flow

User visits editor → email + password → Firebase Auth
    → Firebase ID token
    → POST /api/v1/auth/user-login { firebase_token }
    → Backend verifies token, finds email in org_users
    → Returns JWT with: orgId, userId, role, permissions[]
    → Editor stores JWT, uses for all API calls
    → RBAC middleware enforces per-endpoint

Database

CREATE TABLE org_users (
  id CHAR(36) PRIMARY KEY,
  org_id CHAR(36) NOT NULL,
  email VARCHAR(255) NOT NULL,
  name VARCHAR(255) NOT NULL,
  role ENUM('owner','admin','manager','agent') DEFAULT 'agent',
  status ENUM('active','suspended','invited') DEFAULT 'invited',
  firebase_uid VARCHAR(128),
  extension VARCHAR(10),       -- links to SIP extension (optional)
  UNIQUE KEY (org_id, email)
);

Code

  • Permission matrix: src/middleware/rbac.js
  • User management endpoints: src/server.js (search org-users)
  • Editor sign-in: app/dashboard/page.tsx
  • Role permissions page: app/dashboard/[orgId]/roles/page.tsx