A role is a set of permissions assigned to a user that determines their capabilities within the platform. Roles are used to control access to features, define responsibilities, and ensure security and proper delegation. Each Tango user is assigned a role that dictates their level of access and capabilities within the platform. The roles are created and managed by any user that has Organization Access and Roles management permissions. Tango platform admins can assign roles at the organization level or Lower. See Add, edit, delete users.
Tango admins and roles
-
Platform admin: is created at the time of Tango platform creation. The platform admin has “Organization Access” and full permissions within the platform. The Tango platform admin can create multiple platform admins or local admins for different roles and purposes. You can have multiple platform admins.
-
Default roles: Default roles are predefined set of roles and permissions provided by Tango. They are designed to address common use cases such as user admin and reward sender, and cannot be modified. Default roles are ideal for quickly assigning standard responsibilities without the need to manually configure permissions. See Default user roles in Tango (coming soon) (pending Authenticated BHC, support self serve).
-
Custom roles: Custom roles are created by platform admins or any custom user that has “Organization Access” and “Roles” management permissions in order to meet specific organizational needs. They are fully configurable and offer the flexibility to define specific sets of permissions and access levels tailored to your business and organizational needs. They are useful when default roles don’t align with your internal structure and can be tailored to match unique workflows or responsibilities. See Create and edit custom roles.
Permissions and access level
Permissions determine the actions a user is allowed to perform and are typically tied to roles. Access level defines the scope of a user’s visibility and controls the groups or accounts the user can apply their permissions. Access Level includes two level: “Organization Access” and “Select groups/accounts”.
For example, Tango platform administrators with organization access and “Users” management permissions, have the authority to set or modify user permissions and access levels at the organizational level, whereas local user admin can set or modify user permissions at their own level or below. In another example, a user who only has “Send rewards” permission, doesn’t have access to the accounting group or cannot manage funds. See Configure user permissions and access level.
Access rules
Consider the following rules when planning permissions and access levels:
-
Admins can define the extent of a user's access to the organization.
-
Organization Access grants entry to all groups and accounts, including those created in the future.
-
Specific Access restricts access to designated groups and accounts only.
-
Even if a user has the appropriate permissions, Specific Access will prevent them from managing users or accounts outside their assigned scope.
-
Users within selected groups and accounts cannot modify the permissions or access levels of users with higher access privileges.
-
Users with "Users manage" permissions in two different selected groups or accounts cannot view each other on the users list.
More resources:
