Skip to main content
Version: 0.9.14

Roles and access

Delphi uses a two-level role model: a system-level role on the user and a team-level role per team membership. Together they determine what each page renders and which actions succeed.

System-level roles

Every user has exactly one system role:

RoleDescription
SUPERUSERFull platform access. Bypasses team restrictions. Sees and manages all teams, users, and resources. Has admin-settings access.
USERDefault role. Access is scoped to the teams the user is assigned to.

Team-level roles

Within each team a user has one of three roles. A user can have different roles in different teams.

RoleDescription
ADMINFull control within the team — settings, members, variables, header manipulation, API keys, base numbers, flow activation.
MEMBERCreates and modifies apps, providers, agents, scenarios, endpoints; views conversation logs. Cannot manage team settings or members.
VIEWERRead-only. Cannot create / edit / delete and cannot see conversation logs.

Permission matrix

"Team ADMIN" = SUPERUSER or ADMIN in the current team. "Tech User" = SUPERUSER, MEMBER, or ADMIN.

PermissionSUPERUSERTeam ADMINMEMBERVIEWER
View team resourcesYesYesYesYes
Create / edit apps, providers, agents, scenariosYesYesYesNo
Delete apps, providers, agents, scenariosYesYesNoNo
Create / edit endpointsYesYesYesNo
Activate / deactivate flowsYesYesNoNo
View conversation logsYesYesYesNo
Manage team membersYesYesNoNo
Manage team settingsYesYesNoNo
Create / edit base numbersYesYesNoNo
Add extensions to endpointsYesYesYesNo
Create teamsYesNoNoNo
Delete teamsYesNoNoNo
Access admin-settingsYesPartial (Users tab only)NoNo

Resource-level access control

The backend enforces fine-grained access control per resource. MEMBER+ means MEMBER or ADMIN in the team, or SUPERUSER.

ResourceCreateReadUpdateDeleteList
UserSUPERUSEROwn / SUPERUSEROwn / SUPERUSERSUPERUSERSUPERUSER
TeamSUPERUSERTeam memberTeam ADMINSUPERUSERAuthenticated
Team variablesTeam ADMINTeam memberTeam ADMINTeam ADMINTeam member
AppTeam memberTeam memberMEMBER+Team ADMINFiltered by team
ProviderTeam memberTeam memberMEMBER+Team ADMINFiltered by team
AgentTeam memberTeam memberMEMBER+Team ADMINFiltered by team
ScenarioTeam memberTeam memberMEMBER+Team ADMINFiltered by team
EndpointMEMBER+Team memberMEMBER+Team ADMINFiltered by team
Base numberSUPERUSERTeam memberSUPERUSERSUPERUSERFiltered by team
Server groupSUPERUSERTeam memberSUPERUSERSUPERUSERTeam member
VoIP serverSUPERUSERTeam memberSUPERUSERSUPERUSERTeam member
ConversationSystemTeam memberSystemTeam ADMINFiltered by team

Team membership

  • A user can belong to multiple teams, each with a different role.
  • Every user has a default team that is auto-selected on login.
  • SUPERUSERs see all teams and all resources regardless of membership.
  • Users cannot change their own team role — another ADMIN or SUPERUSER must do it.

Security controls

Deployments can enforce password expiry, concurrent-session limits, and login lockout rules for all roles. SUPERUSER accounts are held to the strongest password policy, including the longer minimum password length introduced in v0.9.13.

SUPERUSERs can also review platform-wide authentication and role-management events from Access logs.

Visibility summary by page

PageVIEWERMEMBERADMINSUPERUSER
DashboardYesYesYesYes
Apps (list, detail)Read-onlyFullFullFull
ProvidersRead-onlyFullFullFull
ConversationsHiddenYesYesYes
Settings → TeamYesYesYesYes
Settings → UsersHiddenHiddenYesYes
Settings → VariablesHiddenHiddenYesYes
Settings → Header manipulationHiddenHiddenYesYes
Settings → API keysHiddenHiddenYes (if enabled)Yes
Admin settingsHiddenHiddenUsers tab onlyFull

See also