Roles and access
Delphi uses a two-level role model: a system-level role on the user and a team-level role per team membership. Together they determine what each page renders and which actions succeed.
System-level roles
Every user has exactly one system role:
| Role | Description |
|---|---|
| SUPERUSER | Full platform access. Bypasses team restrictions. Sees and manages all teams, users, and resources. Has admin-settings access. |
| USER | Default role. Access is scoped to the teams the user is assigned to. |
Team-level roles
Within each team a user has one of three roles. A user can have different roles in different teams.
| Role | Description |
|---|---|
| ADMIN | Full control within the team — settings, members, variables, header manipulation, API keys, base numbers, flow activation. |
| MEMBER | Creates and modifies apps, providers, agents, scenarios, endpoints; views conversation logs. Cannot manage team settings or members. |
| VIEWER | Read-only. Cannot create / edit / delete and cannot see conversation logs. |
Permission matrix
"Team ADMIN" = SUPERUSER or ADMIN in the current team. "Tech User" = SUPERUSER, MEMBER, or ADMIN.
| Permission | SUPERUSER | Team ADMIN | MEMBER | VIEWER |
|---|---|---|---|---|
| View team resources | Yes | Yes | Yes | Yes |
| Create / edit apps, providers, agents, scenarios | Yes | Yes | Yes | No |
| Delete apps, providers, agents, scenarios | Yes | Yes | No | No |
| Create / edit endpoints | Yes | Yes | Yes | No |
| Activate / deactivate flows | Yes | Yes | No | No |
| View conversation logs | Yes | Yes | Yes | No |
| Manage team members | Yes | Yes | No | No |
| Manage team settings | Yes | Yes | No | No |
| Create / edit base numbers | Yes | Yes | No | No |
| Add extensions to endpoints | Yes | Yes | Yes | No |
| Create teams | Yes | No | No | No |
| Delete teams | Yes | No | No | No |
| Access admin-settings | Yes | Partial (Users tab only) | No | No |
Resource-level access control
The backend enforces fine-grained access control per resource. MEMBER+ means MEMBER or ADMIN in the team, or SUPERUSER.
| Resource | Create | Read | Update | Delete | List |
|---|---|---|---|---|---|
| User | SUPERUSER | Own / SUPERUSER | Own / SUPERUSER | SUPERUSER | SUPERUSER |
| Team | SUPERUSER | Team member | Team ADMIN | SUPERUSER | Authenticated |
| Team variables | Team ADMIN | Team member | Team ADMIN | Team ADMIN | Team member |
| App | Team member | Team member | MEMBER+ | Team ADMIN | Filtered by team |
| Provider | Team member | Team member | MEMBER+ | Team ADMIN | Filtered by team |
| Agent | Team member | Team member | MEMBER+ | Team ADMIN | Filtered by team |
| Scenario | Team member | Team member | MEMBER+ | Team ADMIN | Filtered by team |
| Endpoint | MEMBER+ | Team member | MEMBER+ | Team ADMIN | Filtered by team |
| Base number | SUPERUSER | Team member | SUPERUSER | SUPERUSER | Filtered by team |
| Server group | SUPERUSER | Team member | SUPERUSER | SUPERUSER | Team member |
| VoIP server | SUPERUSER | Team member | SUPERUSER | SUPERUSER | Team member |
| Conversation | System | Team member | System | Team ADMIN | Filtered by team |
Team membership
- A user can belong to multiple teams, each with a different role.
- Every user has a default team that is auto-selected on login.
- SUPERUSERs see all teams and all resources regardless of membership.
- Users cannot change their own team role — another ADMIN or SUPERUSER must do it.
Security controls
Deployments can enforce password expiry, concurrent-session limits, and login lockout rules for all roles. SUPERUSER accounts are held to the strongest password policy, including the longer minimum password length introduced in v0.9.13.
SUPERUSERs can also review platform-wide authentication and role-management events from Access logs.
Visibility summary by page
| Page | VIEWER | MEMBER | ADMIN | SUPERUSER |
|---|---|---|---|---|
| Dashboard | Yes | Yes | Yes | Yes |
| Apps (list, detail) | Read-only | Full | Full | Full |
| Providers | Read-only | Full | Full | Full |
| Conversations | Hidden | Yes | Yes | Yes |
| Settings → Team | Yes | Yes | Yes | Yes |
| Settings → Users | Hidden | Hidden | Yes | Yes |
| Settings → Variables | Hidden | Hidden | Yes | Yes |
| Settings → Header manipulation | Hidden | Hidden | Yes | Yes |
| Settings → API keys | Hidden | Hidden | Yes (if enabled) | Yes |
| Admin settings | Hidden | Hidden | Users tab only | Full |
See also
- For team admins — manage team members and roles.
- For platform admins — platform-wide administration.