.svg){kind=logo}
Organizations
Role-based access control (RBAC)
Understanding user roles, permissions, and access control in the Thena platform
Role-based access control (RBAC) is a foundational security model in the Thena platform that ensures users have appropriate access based on their responsibilities and organizational hierarchy. This system protects sensitive operations while enabling efficient collaboration.
The Thena platform implements a progressive access model with five distinct user roles, each designed for specific use cases and access requirements
User roles and permissions
The Thena platform provides five user roles, each with specific access levels and capabilities. Use the tabs below to explore each role in detail:Organization administrators have comprehensive access to manage their organization’s resources, settings, and members. This is the highest level of access within an organization.
Team management
Team management
- Create and delete teams
- Add and remove team members
- Update team configurations
- Manage routing rules
- Configure team settings
- Set up team hierarchies
System configuration
System configuration
- Manage ticket priorities, statuses, and types
- Configure custom fields and objects
- Set up tags and categories
- Manage forms and templates
- Configure organization settings
- Control workflow automation
User management
User management
- Send organization invitations
- Manage user access and permissions
- Configure notification channels
- Oversee bulk operations
- Control user role assignments
- Manage user onboarding/offboarding
Billing and subscriptions
Billing and subscriptions
- View subscription details
- Create and manage subscriptions
- Access billing portal
- Monitor usage and costs
- Manage payment methods
- Control subscription features
Role comparison matrix
The following table shows which features are available to each role:| Feature | Org admin | Org user | Light user | Customer admin | Customer user |
|---|---|---|---|---|---|
| Ticket Management | |||||
| Create tickets | ✅ | ✅ | ❌ | ❌ | ✅ |
| View all tickets | ✅ | ✅ | ✅ | ❌ | ❌ |
| View assigned tickets | ✅ | ✅ | ✅ | ❌ | ✅ |
| Update ticket status | ✅ | ✅ | ❌ | ❌ | ✅ |
| Assign tickets | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete tickets | ✅ | ❌ | ❌ | ❌ | ❌ |
| Escalate tickets | ✅ | ✅ | ❌ | ❌ | ❌ |
| Account Management | |||||
| Create accounts | ✅ | ✅ | ❌ | ❌ | ❌ |
| View accounts | ✅ | ✅ | ✅ | ❌ | ❌ |
| Update accounts | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manage customer contacts | ✅ | ✅ | ❌ | ❌ | ❌ |
| Add account notes | ✅ | ✅ | ❌ | ❌ | ❌ |
| Team Management | |||||
| Create teams | ✅ | ❌ | ❌ | ❌ | ❌ |
| View teams | ✅ | ✅ | ✅ | ❌ | ❌ |
| Add team members | ✅ | ❌ | ❌ | ❌ | ❌ |
| Configure team settings | ✅ | ❌ | ❌ | ❌ | ❌ |
| Manage routing rules | ✅ | ❌ | ❌ | ❌ | ❌ |
| System Configuration | |||||
| Manage ticket types | ✅ | ❌ | ❌ | ❌ | ❌ |
| Configure custom fields | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set up tags | ✅ | ❌ | ❌ | ❌ | ❌ |
| Manage forms | ✅ | ❌ | ❌ | ❌ | ❌ |
| User Management | |||||
| Send invitations | ✅ | ❌ | ❌ | ✅ | ❌ |
| Manage user permissions | ✅ | ❌ | ❌ | ✅ | ❌ |
| Configure notifications | ✅ | ❌ | ❌ | ✅ | ❌ |
| Personal Settings | |||||
| Update profile | ✅ | ✅ | ✅ | ✅ | ✅ |
| Configure preferences | ✅ | ✅ | ✅ | ✅ | ✅ |
| Set availability | ✅ | ✅ | ❌ | ❌ | ❌ |
| Customer Portal | |||||
| Access customer portal | ❌ | ❌ | ❌ | ✅ | ✅ |
| Configure portal settings | ❌ | ❌ | ❌ | ✅ | ❌ |
| Use help center | ❌ | ❌ | ❌ | ✅ | ✅ |
| Billing & Subscriptions | |||||
| View billing | ✅ | ❌ | ❌ | ❌ | ❌ |
| Manage subscriptions | ✅ | ❌ | ❌ | ❌ | ❌ |
| Access billing portal | ✅ | ❌ | ❌ | ❌ | ❌ |
Common access scenarios
Here are typical scenarios for role assignment and user access management:Scenario: A new employee joins your organization and needs access to the platform for daily work.
1
User registration
New employee creates an account or receives an invitation to join the organization
2
Role assignment
Organization admin assigns the org user role, providing complete operational access
3
Team assignment
Admin adds the user to relevant teams, granting team-specific access and permissions
4
Ready to work
User can now manage tickets, accounts, and collaborate with team members effectively
Most new team members should start with the org user role as it provides the right balance of access for daily operations without administrative privileges.