User Roles & Permissions

AutomateNexus CRM uses a comprehensive Role-Based Access Control (RBAC) system to govern what each user can see and do within the platform. This system ensures that sensitive data and administrative functions are only accessible to authorized personnel while giving everyday users the tools they need to be productive. This guide covers the complete permission matrix, role definitions, organization hierarchy, user management workflows, and troubleshooting access issues.

Understanding RBAC in AutomateNexus

Role-Based Access Control is a security model where permissions are assigned to roles rather than individual users. Each user is assigned one role, and that role determines their level of access across all platform features. This approach simplifies permission management because administrators only need to manage a small number of roles rather than configuring permissions for each individual user.

AutomateNexus CRM implements three primary roles:

  • Super Admin - The highest level of access, spanning all organizations on the platform. Super Admins can manage billing, platform-wide settings, organization hierarchy, and all administrative functions. This role is typically reserved for platform owners or top-level IT administrators.
  • Org Admin (Organization Administrator) - Full access within a specific organization. Org Admins can manage users, configure settings, create workspaces, and access all operational features within their organization. They cannot access other organizations or platform-level settings unless granted cross-org access.
  • Standard User - Access to day-to-day operational features, including customers, deals, projects, tasks, communications, and documents. Standard Users cannot modify organization settings, manage other users, or access administrative functions.

Complete Permission Matrix

The following table provides a detailed breakdown of permissions across all major platform features for each role. "Yes" indicates the role has access to that capability.

| Feature / Capability | Super Admin | Org Admin | Standard User |
|---|---|---|---|
| View Dashboard | Yes | Yes | Yes |
| View Customers | Yes | Yes | Yes |
| Create/Edit Customers | Yes | Yes | Yes |
| Delete Customers | Yes | Yes | No |
| View Contacts | Yes | Yes | Yes |
| Create/Edit Contacts | Yes | Yes | Yes |
| View Deals | Yes | Yes | Yes |
| Create/Edit Deals | Yes | Yes | Yes |
| Delete Deals | Yes | Yes | No |
| View Projects | Yes | Yes | Yes |
| Create/Edit Projects | Yes | Yes | Yes |
| View Tasks | Yes | Yes | Yes |
| Create/Edit Tasks | Yes | Yes | Yes |
| View Activities | Yes | Yes | Yes |
| Log Activities | Yes | Yes | Yes |
| View Reports and Analytics | Yes | Yes | Yes |
| Create Custom Reports | Yes | Yes | No |
| Access AI Reports | Yes | Yes | Yes |
| View Invoices | Yes | Yes | Yes |
| Create/Edit Invoices | Yes | Yes | No |
| Access Accounting | Yes | Yes | No |
| View Revenue | Yes | Yes | No |
| Manage Payroll | Yes | Yes | No |
| Access Email | Yes | Yes | Yes |
| Access Chat | Yes | Yes | Yes |
| Access Schedule/Calendar | Yes | Yes | Yes |
| Manage Booking System | Yes | Yes | Yes |
| View Documents | Yes | Yes | Yes |
| Upload Documents | Yes | Yes | Yes |
| Create/Edit Forms | Yes | Yes | No |
| Access Products | Yes | Yes | Yes |
| Manage Integrations | Yes | Yes | No |
| Access Data Warehouse | Yes | Yes | No |
| Access ML Models | Yes | Yes | No |
| Create Automation Workflows | Yes | Yes | No |
| Access Advanced Dashboards | Yes | Yes | Yes (view only) |
| Manage Website Builder | Yes | Yes | No |
| View Client Portal | Yes | Yes | Yes |
| Configure Portal Management | Yes | Yes | No |
| Access Support Center | Yes | Yes | Yes |
| Manage Support Tickets | Yes | Yes | Yes (own only) |
| Invite Users | Yes | Yes | No |
| Manage User Roles | Yes | Yes | No |
| Deactivate/Remove Users | Yes | Yes | No |
| Manage Employees | Yes | Yes | No |
| View Organizations | Yes | Yes | No |
| Edit Organization Settings | Yes | Yes | No |
| Manage Organization Hierarchy | Yes | No | No |
| Cross-Organization Access | Yes | Master/Parent only | No |
| Hierarchical Analytics | Yes | Master/Parent only | No |
| Create Workspaces | Yes | Yes | No |
| Manage Custom Fields | Yes | Yes | No |
| Configure Approvals | Yes | Yes | No |
| Access Billing/Plans | Yes | Yes | No |
| Modify Settings (Profile) | Yes | Yes | Yes (own only) |
| Modify Settings (Organization) | Yes | Yes | No |
| Modify Settings (Appearance) | Yes | Yes | Yes (own only) |
| Modify Settings (Language) | Yes | Yes | Yes (own only) |
| Modify Settings (Notifications) | Yes | Yes | Yes (own only) |

RBAC Business Scenarios

To illustrate how RBAC works in practice, here are three common business scenarios:

Scenario 1: Sales Team Setup

A company has a sales director and five sales representatives. The sales director needs to manage the team, view all deals, configure pipeline stages, and generate reports. The sales reps need to create and manage their own deals, log activities, and communicate with customers, but should not be able to delete records or change pipeline settings.

Configuration: Assign the sales director as an Org Admin. This gives them full access to manage the sales pipeline, configure stages, invite new team members, and generate reports. Assign each sales representative as a Standard User. They can create customers, create deals, log activities, use email and chat, and access the schedule, but cannot delete records, change settings, or manage other users.

Scenario 2: Multi-Department Enterprise

A mid-size company has separate sales, marketing, and support departments. Each department needs its own data space, but the VP of Operations needs to see everything. Marketing should not be able to modify sales deals, and support should only see their assigned tickets.

Configuration: Create three workspaces (Sales, Marketing, Support). Assign the VP as an Org Admin with access to all workspaces. Assign department heads as Org Admins within their respective workspaces. Assign team members as Standard Users within their department workspace. Workspace isolation ensures each department only sees its own data, while Org Admins can switch between workspaces to view cross-department information.

Scenario 3: Agency Managing Client Organizations

A digital agency manages CRM operations for multiple client companies. The agency needs centralized oversight, while each client organization should be independent and unable to see other clients' data.

Configuration: Set up the agency as a master organization type. Create child organizations for each client. The agency owner is a Super Admin with cross-organization access. Client contacts are Org Admins within their own organization. Agency account managers are added as Cross-Org Users with access to specific client organizations. The hierarchical analytics feature, accessible from Organization and Users, lets the agency view consolidated reporting across all client organizations.

Step-by-Step User Invitation Flow

Inviting new users to your organization follows a specific workflow. Only Super Admins and Org Admins can invite users.

  1. Navigate to Organization and Users > Users in the sidebar.
  2. Click the Members tab to view the current team member list.
  3. Click the Invite User button in the top-right area.
  4. Enter the new user's email address in the invitation form.
  5. Select the role to assign: Super Admin, Org Admin, or Standard User.
  6. Optionally select which workspaces the user should have access to.
  7. Click Send Invitation to dispatch the invitation email.
  8. The system generates a unique invitation token and sends an email to the recipient.
  9. The invited user clicks the link in the email, which takes them to the invitation acceptance page.
  10. If the user already has an AutomateNexus account, they can link it. If not, they create a new account during acceptance.
  11. Once accepted, the user appears in your Members list with their assigned role and workspace access.

Invitation tracking is built into the platform. Administrators can see when an invitation was sent, whether it has been viewed (tracked via IP and user agent), and whether it has been accepted.

Organization Hierarchy

AutomateNexus CRM supports a hierarchical organization structure that enables enterprise-scale deployments with centralized management. The hierarchy consists of the following organization types:

Master Organization

The master organization sits at the top of the hierarchy. It has full visibility into all child and grandchild organizations. Super Admins in a master organization can access cross-organization user management, hierarchical analytics, consolidated reporting, and organization relationship configuration. Only one master organization exists per platform deployment.

Parent Organization

A parent organization manages one or more child organizations. Parent Org Admins can see the Cross-Organization tab on the Users page and can manage users across their child organizations. Parent organizations are useful for regional headquarters that oversee local offices.

Child Organization (Sub-Org)

Child organizations operate independently with their own users, workspaces, customers, deals, and data. They are linked to a parent or master organization through the Organization Relationships manager, accessible from the Organizations page. Users within a child organization cannot see data from the parent or sibling organizations unless explicitly granted cross-org access.

Managing Organization Relationships

To configure the hierarchy, navigate to Organization and Users > Organizations and click the Organization Relationships tab (visible only for master/parent org types). From here you can:

  • Link a child organization to a parent
  • View the full organization tree
  • Manage cross-org user assignments
  • Access hierarchical analytics across the organization tree

Approval Workflow Configuration

AutomateNexus CRM includes an approval workflow system that requires designated approvers to sign off on certain actions before they take effect. Approvals are configured from Settings > Approvals and managed through the Approval Dashboard component.

Common approval scenarios include:

  • Deal discounts - Require manager approval when a discount exceeds a configured threshold percentage.
  • Large invoices - Route invoices above a certain value to a finance manager for approval before sending.
  • User role changes - Require Super Admin approval when promoting a user to Org Admin.
  • Custom object modifications - Protect critical data by requiring approval for changes to specific custom object records.

The approval dashboard shows all pending requests with the requester, action type, timestamp, and current status. Approvers can approve or reject requests with optional comments.

Managing Cross-Organization Users

Cross-organization user management is available for master and parent organization types. Navigate to Organization and Users > Users and click the Cross-Organization tab. This feature allows you to:

  • Assign users to multiple organizations - A single user account can have access to several organizations within the hierarchy. This is useful for agency account managers or regional supervisors who need to work across multiple client or branch organizations.
  • View cross-org user roster - See all users who have access to organizations within your hierarchy along with their roles in each organization.
  • Manage cross-org permissions - Control what level of access a cross-org user has in each organization they belong to.
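
An added example (not AutomateNexus code) for reviewing the reach that the organization hierarchy and the cross-org assignments described above produce: it models the rules as this article states them and lists every user who can reach more than one organization. The organization tree, user names, and role keys are constructed, and treating an Org Admin of a master or parent organization as reaching every organization below it is an assumption.

```python
# Constructed hierarchy (org -> parent); None marks the master organization.
PARENT = {"agency": None, "emea": "agency", "client-a": "emea",
          "client-b": "emea", "client-c": "agency"}

# Constructed role assignments, one row per (user, organization); a
# cross-org user simply has more than one row. Role keys are assumptions.
MEMBERSHIPS = [
    ("owner@agency.example", "agency", "super_admin"),
    ("regional@agency.example", "emea", "org_admin"),
    ("am@agency.example", "client-a", "standard_user"),
    ("am@agency.example", "client-c", "standard_user"),
    ("admin@client-a.example", "client-a", "org_admin"),
    ("rep@client-b.example", "client-b", "standard_user"),
]

def descendants(org):
    """All organizations below `org` in the tree."""
    found, stack = set(), [org]
    while stack:
        node = stack.pop()
        kids = {o for o, p in PARENT.items() if p == node}
        stack.extend(kids - found)
        found |= kids
    return found

def reachable(user):
    """Organizations whose data `user` can reach under the modelled rules."""
    orgs = set()
    for member, org, role in MEMBERSHIPS:
        if member != user:
            continue
        orgs.add(org)
        if role == "super_admin":
            orgs |= set(PARENT)        # spans every organization
        elif role == "org_admin":
            orgs |= descendants(org)   # empty for a child (leaf) organization
    return orgs

def multi_org_users():
    """Users reaching more than one organization: the rows to review first."""
    users = sorted({m[0] for m in MEMBERSHIPS})
    return {u: sorted(reachable(u)) for u in users if len(reachable(u)) > 1}

if __name__ == "__main__":
    for user, orgs in multi_org_users().items():
        print(f"{user}: {', '.join(orgs)}")
```
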

Deactivating and Removing Users

When a team member leaves the organization or needs to have their access revoked, Org Admins and Super Admins can manage their account status:

Deactivating a User

  1. Navigate to Organization and Users > Users.
  2. Find the user in the Members list.
  3. Click the user row to open their profile.
  4. Toggle the active status to deactivate the account.
  5. A deactivated user cannot log in, but their data, including activity history, deal ownership, and created records, is preserved.

Removing a User

  1. From the Members list, locate the user you want to remove.
  2. Click the remove or delete action (available only to Org Admins and Super Admins).
  3. Confirm the removal. The user is unlinked from the organization.
  4. Records previously owned by the removed user can be reassigned to another team member.

Important: Removing a user from an organization does not delete their platform account. They can still be re-invited or may belong to other organizations.

Audit Trail for Permission Changes

All permission-related actions are logged in the platform activity system, providing a complete audit trail. The following events are tracked:

  • User invited - Logs who sent the invitation, the target email, and the assigned role.
  • Invitation accepted - Records when a user accepted an invitation, including their IP address and user agent.
  • Role changed - Logs the previous role, new role, the user affected, and the administrator who made the change.
  • User deactivated - Records when a user was deactivated and by whom.
  • User removed - Logs when a user was removed from an organization.
  • Workspace access changed - Records when a user was added to or removed from a workspace.
  • Cross-org access granted - Logs when a user was given access to an additional organization.

These audit entries are visible in the Activity Timeline on the Dashboard and can be filtered in the Reports section for compliance and security reviews.
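
One way to review these events offline, as an added example that is not part of the platform: the script scans an exported audit log for invitations with an elevated role, promotions (self-promotion called out separately), cross-org grants, and actions by an account after it was deactivated. The export format, event keys, and field names are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Role ranking used to tell a promotion from a demotion.
RANK = {"standard_user": 0, "org_admin": 1, "super_admin": 2}

# Constructed sample export. Event keys and field names are assumptions,
# not the platform's documented schema; list order is deliberately shuffled.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "event": "user_invited", "actor": "dana@example.com",
     "target": "lee@example.com", "new_role": "standard_user"},
    {"ts": "2024-03-05T08:15:00", "event": "cross_org_access_granted", "actor": "lee@example.com",
     "target": "sam@example.com", "org": "client-b"},
    {"ts": "2024-03-02T10:00:00", "event": "role_changed", "actor": "lee@example.com",
     "target": "lee@example.com", "old_role": "standard_user", "new_role": "org_admin"},
    {"ts": "2024-03-03T11:00:00", "event": "user_invited", "actor": "lee@example.com",
     "target": "sam@example.com", "new_role": "org_admin"},
    {"ts": "2024-03-04T17:00:00", "event": "user_deactivated", "actor": "dana@example.com",
     "target": "lee@example.com"},
    {"ts": "2024-03-06T09:00:00", "event": "role_changed", "actor": "dana@example.com",
     "target": "sam@example.com", "old_role": "org_admin", "new_role": "standard_user"},
]

def review(events):
    """Return (timestamp, rule, detail) findings in chronological order."""
    findings = []
    deactivated = {}  # user -> timestamp of deactivation
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        ts, kind, actor, target = e["ts"], e["event"], e["actor"], e.get("target")
        # A deactivated user cannot log in, so later actions by them are suspect.
        if actor in deactivated:
            findings.append((ts, "actor_deactivated",
                             f"{actor} acted after deactivation at {deactivated[actor]}"))
        if kind == "user_invited" and RANK[e["new_role"]] > 0:
            findings.append((ts, "elevated_invite", f"{actor} invited {target} as {e['new_role']}"))
        elif kind == "role_changed" and RANK[e["new_role"]] > RANK[e["old_role"]]:
            rule = "self_promotion" if actor == target else "promotion"
            findings.append((ts, rule, f"{target}: {e['old_role']} -> {e['new_role']} by {actor}"))
        elif kind == "cross_org_access_granted":
            findings.append((ts, "cross_org_grant", f"{actor} gave {target} access to {e['org']}"))
        elif kind == "user_deactivated":
            deactivated[target] = ts
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```
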

Troubleshooting Access Issues

If users report problems accessing features or data, here are the most common causes and solutions:

| Issue | Likely Cause | Solution |
|---|---|---|
| User cannot see certain sidebar items | Insufficient role permissions | Check the user role in Settings > Profile. Upgrade to Org Admin if they need administrative access. |
| User sees no data on Dashboard | Not assigned to any workspace | Assign the user to at least one workspace from Organization and Users > Users. |
| User cannot invite team members | Standard User role | Only Org Admins and Super Admins can invite users. Promote the user if appropriate. |
| User cannot access billing | Standard User role | Billing access requires Org Admin or Super Admin role. |
| Cross-org tab not visible | Organization is not master/parent type | Cross-org management is only available for master and parent organization types. |
| User cannot delete records | Standard User role | Delete permissions for customers and deals require Org Admin or higher. |
| User cannot configure integrations | Standard User role | Integration management requires Org Admin access. |
| User cannot create automation workflows | Standard User role | Workflow creation requires Org Admin or Super Admin. Standard Users can trigger existing workflows. |
| Approval requests stuck in pending | Approver has not reviewed | Check the Approvals dashboard in Settings. Notify the designated approver. |
| User cannot access organization settings | Standard User role | Organization settings are restricted to Org Admin and Super Admin roles. |

Best Practices for Permission Management

  • Follow the principle of least privilege - Assign the minimum role needed for each user to perform their job. Start with Standard User and promote only when necessary.
  • Use workspaces for data isolation - Instead of creating complex permission rules, use workspaces to naturally segment data access by team or department.
  • Review user roles quarterly - Periodically audit user roles to ensure they still match job responsibilities. Remove or demote access for users who have changed roles.
  • Use approval workflows for sensitive actions - Configure approval requirements for high-impact actions like large discounts or role changes to add a layer of oversight.
  • Document your RBAC policy - Maintain an internal document that defines which roles are appropriate for which job titles in your organization.
  • Monitor the audit trail - Regularly review permission change logs to detect unauthorized or accidental changes.

Related Articles

  • Welcome to AutomateNexus CRM - Platform overview including the complete sidebar navigation reference for all features.
  • Setting Up Your Account - Step-by-step onboarding including team invitation and profile configuration.
  • Dashboard Overview - Understand how role-based access affects which dashboard widgets and data you can see.
