Version: 0.9.12

Roles and access

platform v0.9.11verified 2026-05-14

Delphi uses a two-level role model: a system-level role on the user and a team-level role per team membership. Together they determine what each page renders and which actions succeed.

System-level roles

Every user has exactly one system role:

Role	Description
SUPERUSER	Full platform access. Bypasses team restrictions. Sees and manages all teams, users, and resources. Has admin-settings access.
USER	Default role. Access is scoped to the teams the user is assigned to.

Team-level roles

Within each team a user has one of three roles. A user can have different roles in different teams.

Role	Description
ADMIN	Full control within the team — settings, members, variables, header manipulation, API keys, base numbers, flow activation.
MEMBER	Creates and modifies apps, providers, agents, scenarios, endpoints; views conversation logs. Cannot manage team settings or members.
VIEWER	Read-only. Cannot create / edit / delete and cannot see conversation logs.

Permission matrix

"Team ADMIN" = SUPERUSER or ADMIN in the current team. "Tech User" = SUPERUSER, MEMBER, or ADMIN.

Permission	SUPERUSER	Team ADMIN	MEMBER	VIEWER
View team resources	Yes	Yes	Yes	Yes
Create / edit apps, providers, agents, scenarios	Yes	Yes	Yes	No
Delete apps, providers, agents, scenarios	Yes	Yes	No	No
Create / edit endpoints	Yes	Yes	Yes	No
Activate / deactivate flows	Yes	Yes	No	No
View conversation logs	Yes	Yes	Yes	No
Manage team members	Yes	Yes	No	No
Manage team settings	Yes	Yes	No	No
Create / edit base numbers	Yes	Yes	No	No
Add extensions to endpoints	Yes	Yes	Yes	No
Create teams	Yes	No	No	No
Delete teams	Yes	No	No	No
Access admin-settings	Yes	Partial (Users tab only)	No	No

Resource-level access control

The backend enforces fine-grained access control per resource. MEMBER+ means MEMBER or ADMIN in the team, or SUPERUSER.

Resource	Create	Read	Update	Delete	List
User	SUPERUSER	Own / SUPERUSER	Own / SUPERUSER	SUPERUSER	SUPERUSER
Team	SUPERUSER	Team member	Team ADMIN	SUPERUSER	Authenticated
Team variables	Team ADMIN	Team member	Team ADMIN	Team ADMIN	Team member
App	Team member	Team member	MEMBER+	Team ADMIN	Filtered by team
Provider	Team member	Team member	MEMBER+	Team ADMIN	Filtered by team
Agent	Team member	Team member	MEMBER+	Team ADMIN	Filtered by team
Scenario	Team member	Team member	MEMBER+	Team ADMIN	Filtered by team
Endpoint	MEMBER+	Team member	MEMBER+	Team ADMIN	Filtered by team
Base number	SUPERUSER	Team member	SUPERUSER	SUPERUSER	Filtered by team
Server group	SUPERUSER	Team member	SUPERUSER	SUPERUSER	Team member
VoIP server	SUPERUSER	Team member	SUPERUSER	SUPERUSER	Team member
Conversation	System	Team member	System	Team ADMIN	Filtered by team

Team membership

A user can belong to multiple teams, each with a different role.
Every user has a default team that is auto-selected on login.
SUPERUSERs see all teams and all resources regardless of membership.
Users cannot change their own team role — another ADMIN or SUPERUSER must do it.

Visibility summary by page

Page	VIEWER	MEMBER	ADMIN	SUPERUSER
Dashboard	Yes	Yes	Yes	Yes
Apps (list, detail)	Read-only	Full	Full	Full
Providers	Read-only	Full	Full	Full
Conversations	Hidden	Yes	Yes	Yes
Settings → Team	Yes	Yes	Yes	Yes
Settings → Users	Hidden	Hidden	Yes	Yes
Settings → Variables	Hidden	Hidden	Yes	Yes
Settings → Header manipulation	Hidden	Hidden	Yes	Yes
Settings → API keys	Hidden	Hidden	Yes (if enabled)	Yes
Admin settings	Hidden	Hidden	Users tab only	Full

System-level roles​

Team-level roles​

Permission matrix​

Resource-level access control​

Team membership​

Visibility summary by page​

See also​