CallMineAI Docs
Home
  • Introduction
  • Architecture
  • Installation
  • Web installer
  • Configuration
  • Deployment
  • Customer panel
  • Admin panel
  • Agents & Voices
  • Campaigns & Calls
  • Billing & Credits
  • Telephony (Twilio)
  • Voice & AI
  • SIP trunks
  • Messaging
  • REST API
Home
  • Introduction
  • Architecture
  • Installation
  • Web installer
  • Configuration
  • Deployment
  • Customer panel
  • Admin panel
  • Agents & Voices
  • Campaigns & Calls
  • Billing & Credits
  • Telephony (Twilio)
  • Voice & AI
  • SIP trunks
  • Messaging
  • REST API
  • Getting started

    • Introduction
    • Architecture
    • Installation
    • Web installer
    • Configuration
    • Deployment
  • Using CallMineAI

    • Customer Guide
    • Agents & Voices
    • Campaigns & Calls
    • Billing & Credits
  • Administration

    • Admin Guide
    • Roles & permissions
    • Localization
  • Integrations

    • Telephony (Twilio)
    • Voice & AI
    • SIP trunks
    • Messaging
    • REST API
  • Help

    • FAQ & troubleshooting

Roles & permissions

CallMineAI has two independent RBAC systems, one per panel. They do not share roles, permissions, or user tables — an admin permission has no meaning inside a customer workspace and vice versa. See Architecture for how the two panels and guards are separated.

SystemWho it governsModelMiddlewareManaged at
Admin RBACPlatform operatorsAdminUser + admin roles/permissionspermission:/admin/roles-permissions
Team RBAC (add-on)A customer's own team membersUser + client_roles/client_permissionsclient.permission:/app/team

Admin RBAC (Super Admin panel)

Admin — roles & permissions

Admin roles, each mapped to a set of granular permissions.

Admin users authenticate on the admin guard and are authorized by the RequirePermission middleware, applied to routes as permission:<key>. The middleware:

  • rejects unauthenticated requests (redirect to /admin/login, or 401 for JSON),
  • logs out and blocks inactive admin accounts,
  • grants access if the admin holds any of the listed permission keys, else redirects with Access denied.

Permission keys are coarse verb_resource strings, for example:

view_clients      create_clients     update_clients     delete_clients
view_plans        create_plans       update_plans       delete_plans
view_settings     manage_settings
view_languages    manage_languages   view_currencies    manage_currencies
view_admin_roles  manage_admin_roles view_admins        create_admins ...

A single route can require one of several keys, e.g. the roles page uses permission:view_admin_roles,manage_admin_roles. The Super Admin role is granted every permission and is used to manage all other roles and admins.

Where admin permissions are enforced

Every entry in routes/admin.php carries an explicit ->middleware('permission:...'). To lock down a new admin screen, add the route under the appropriate key and grant that key to the roles that should see it at /admin/roles-permissions.

Team RBAC (per-customer, add-on)

Team RBAC lets a customer sub-divide access among their own team members. It is a plan-gated add-on: a plan exposes team_seats_limit (how many members) and custom_roles_enabled (whether the customer may create roles beyond the four built-in system roles).

Authorization is enforced by the RequireClientPermission middleware, applied as client.permission:<module>.<action>. It calls $user->canDo($permission) and returns 403 (or a JSON 403) when the member lacks the permission.

Permission catalog

Permissions are module.action keys generated by App\Services\Team\ClientRbac. The modules and their actions:

ModuleActions
dashboardread
campaignsread, create, update, delete
agentsread, create, update, delete
voicesread
contactsread, create, update, delete
callsread
numbersread, create, delete
knowledgeread, create, delete
integrationsread, manage
messagingread, manage
analyticsread
billingread, manage
teamread, manage
settingsread, manage
apiread, manage

Examples of route gating in routes/client.php:

GET  /app/billing        client.permission:billing.read
POST /app/billing/credits client.permission:billing.manage
GET  /app/team           client.permission:team.read
POST /app/team           client.permission:team.manage

System roles

Four system roles are created for every customer (idempotently, via ClientRbac::ensureSystemRoles). Their names are locked; with custom_roles_enabled, a customer can add extra custom roles on top.

RoleKeyGrants
OwnerownerAll permissions in the catalog.
AdminadminAll permissions in the catalog (same as Owner).
ManagermanagerEverything except all billing.*, team.manage, settings.manage, and all api.*.
ViewerviewerRead-only — every *.read permission and nothing else.

Manager vs Owner/Admin

A Manager runs the day-to-day calling operation (campaigns, agents, contacts, calls, messaging) but cannot touch billing, manage teammates, change workspace settings, or manage API keys.

Legacy administrator role

For backward compatibility, a member whose client_role is the legacy value administrator — or who has no assigned Team role at all — resolves to full access (['*']) via User::clientPermissionKeys(). This keeps pre-RBAC customers working: existing owners retain full control until roles are explicitly assigned. Once you assign a real system/custom role to a member, their permissions narrow to that role's grant.

Don't rely on the legacy fallback

The empty-role → full-access fallback exists only for migration safety. For proper least-privilege, assign each member one of the four system roles (or a custom role) at /app/team.

Last Updated: 7/9/26, 8:56 AM
Prev
Admin Guide
Next
Localization