Information

Answer

A role is a set of permissions assigned to a user. Roles control access to features, define responsibilities, help ensure security and proper delegation. Each Tango user is assigned a role that defines what they can see and do.

The roles are created and managed only by users who have:

Entire organization access
Manage roles permissions

These users can assign roles at the organization level or lower. See Add, edit, delete users.

Role types

Tango uses three main role types to control what people can do in the platform:

Role Type

Definition

Platform admin

You can have multiple platform admins. Platform admins:

have Entire organization access.
have full permissions within the platform.
can create more platform admins.
can create local admins for specific purposes.

Default roles

Default roles are predefined roles provided by Tango. Default roles:

include a standard set of permissions (for example, Admin, Sender, etc.).
cannot be modified.
are useful to quickly assign common responsibilities without configuring permissions manually.

See Manage default user roles in Tango.

Custom roles

Custom roles are created to match your organization’s specific needs. Custom roles:

are created by users with Entire organization access and Manage roles permissions.
Are fully configurable (you choose permissions and access levels).
Are helpful when default roles don’t align with your internal structure, workflows, or responsibilities.

See Manage custom user roles in Tango.

Access level

Access level defines the scope of a user’s visibility and controls the groups or accounts the user can apply their permissions:

Access Level	Definition
Entire organization	User can apply their permissions across all current and future groups and accounts.
Select accounts (and groups)	User can apply their permissions only in specific groups/accounts you select.

Examples

A platform admin with Entire organization access and Manage users permissions can add, edit, and remove users and their access across the entire organization.
Any admin with Selected groups/accounts and Manage users permissions can only manage users in their own groups/accounts.
A user with only Place order permission can send rewards, but cannot access accounting groups or manage funds.

Note:

A user's access level dictates their ability to use certain features, regardless of their assigned permissions.
The Order history permission overrides Orders placed by themselves and Orders placed by others. If the Orders placed by themselves is set to View only, but the Order History is turned on, the user is still able to see and resend reward emails for the rewards that have been sent by this user and others.

Default roles and definitions

Default roles in Tango are preconfigured permission sets you can assign quickly without creating custom roles. Each default role controls what users can do with orders, templates, platform settings, etc.

Note:

A platform requires at least one organization admin.
Default roles themselves cannot be edited, renamed, or deleted. To change permissions, duplicate a default role to create a custom role and then modify it. See Manage custom user roles in Tango.

Role Type	Definition
Admin	There are two types of admins: Organization-wide admins: have access to all features on the platform. They can manage all users, roles, settings, groups and accounts, send rewards, view and manage orders, etc. Limited-access admins: can access and manage within their assigned groups or accounts. They won't be able to manage users, groups, or accounts outside their designated group, account, or access level. They cannot access platform settings such as API keys. Note: Admins do not have access to Tango API Keys by default. The API keys must be enabled for your platform before Admins can use Tango API. Contact your Customer Success Manager (CSM) or email success@tangocard.com to have API keys enabled.
Sender	Senders can place orders (send rewards) and view only their own order history. They cannot see account balances unless granted additional permissions. When viewing Orders, senders can resend reward emails to the original recipient email only. To resend rewards others have sent, consider the Standard role or a custom one.
Standard	Standard users can place orders and view account balances within their access level. When viewing Orders, Standard users can resend reward emails either to the original recipient email or to a different email for the same recipient. Standard users can also manage Groups & accounts within their access level, and see delivery templates.
Support	Support users can only view Orders and Reward templates within their access level. They cannot place orders or manage accounts. When viewing Orders, Support users can resend reward emails to the original recipient email only.
Support Lead	Support leads can only view Orders and Reward templates within their access level. They cannot place orders or manage accounts. When viewing Orders, Support leads can resend reward emails to the original recipient email or to a different email for the same recipient.
Technical	Technical users focus on configuring and maintaining integrations and API credentials rather than placing orders or managing the platform. Typically, Technical users have Entire organization access so they can configure organization‑wide integrations.

Access and permission rules

Keep these rules in mind when assigning roles, permissions, and access levels:

Access level sets the scope:
A user’s access level (Entire organization or Select accounts and groups) defines where they can use their permissions.
Entire organization is the broadest scope.
Users with Entire organization access can apply their permissions across all current and future groups and accounts.
Select accounts and groups is limited scope.
Users with Select accounts and groups access can only see and act within the specific accounts (and their groups) that you select for them.
Permissions do not override access level.
Even if a user has powerful permissions (for example, Manage users, Accounts, Order history), they cannot view or manage anything outside the accounts and groups in their access level.
Manage roles requires Entire organization.
The Manage roles permission is only effective for users with Entire organization access. Users with Select accounts and groups cannot see or change role configurations, even if they have Manage roles turned on.
Lower-scope users cannot manage higher-scope users.
Users who only have Select accounts and groups access cannot change the roles, permissions, or access levels of users who have Entire organization access.
Separate scopes stay separate.
If two users each have Manage users for different sets of Select accounts and groups, they may not see each other in the Users list, and they cannot manage each other’s accounts or users.

Available permissions in Tango

Permissions in Tango define what users can see and do across the platform (placing orders, managing accounts, viewing reports, or configuring integrations). Each user’s permissions are determined by both their role and their access level (Entire organization vs. Select accounts and groups). That means two users with the same role may still have different visibility and control.

Use these permissions to grant only the access a user needs:

Permission	Description
Place order	Allows users to place orders from the accounts and groups they have access to. Users may see account balances unless balances are explicitly hidden with Hide account balance from user.
Order history	Allows users to view and, when enabled, manage orders sent through Tango. When Order history is on, you can further control: Orders placed by themselves: With View permission, you can see your own orders and resend rewards only to the original email address. With Manage permission, you can edit and resend rewards, including resending to a different email address. Orders placed by others: With View permission, you can see orders placed by other users (within your access level) and resend rewards only to the original email address. With Manage permission, you can edit and resend rewards for others’ orders (within your access level), including resending to a different email address. Management settings applies only to orders you can manage: Freeze reward: Freeze and unfreeze a fully unredeemed Reward Link up to a maximum of 5 calendar days after the reward is issued. See Freeze and unfreeze rewards. Cancel reward: Self-cancel a reward within 5 days after issuing. See Cancel and reissue rewards. Cancel and reissue reward: Self-cancel and reissue a reward within 5 days after issuing. See Cancel and reissue rewards. Reissue expired Promo Link reward: Lets users reissue expired promo links to the original recipient.
Funding & payments	Controls access to payment options: View: users can see and use existing payment options. Manage: users can set up new payment arrangements.
Delivery templates	Controls access to reward delivery templates. View: users can see and use existing templates (for example, when placing orders). Manage: users can create and configure templates.
Accounts	Controls whether a user can see and/or manage the groups and accounts they have access to in Tango. View: users can see account and group details (such as account names and balances, unless balance is hidden) but cannot change settings. Manage: users can create new accounts (requires Org Access) and update certain account settings, but cannot edit account names or account groups in the portal.
Manage users	Controls whether a user can view and administer users in Tango. Users with Entire organization access and Manage users permission can add, edit, and delete users. Users without Entire organization access may be able to view but cannot add or modify users even if Manage users are enabled for them.
Manage roles	Controls whether a user can view and administer roles and permissions in Tango. Users with Entire organization access and Manage roles permission can create, duplicate, edit, rename, and delete custom roles, and assign roles to users. Users without Entire organization access cannot view or modify role configurations, even if Manage roles is enabled for them.
Reports	Allows users to view, generate, and download reports based on their access level. View: users can see available reports for the groups/accounts they have access to. Manage: users can configure report settings (where available) and schedule or export reports within their access level.
Platform settings	Controls access to Tango’s organization‑level platform configuration. This includes settings for Login methods, SSO connections, MFA methods, and Delivery methods.
Tango API	Allows users with Entire organization access to view, generate, and manage API credentials (if API keys are enabled for your platform). Users can see existing keys and their details and, where allowed, create new keys, rotate or deactivate keys, and update key settings, within the limits defined for your organization.
Qualtrics API	Controls whether a user can view and manage Qualtrics API keys. View: users can see existing Qualtrics API keys and their details. Manage: users can generate new Qualtrics API keys and deactivate existing keys, in addition to viewing them.
Qualtrics incentives	Controls whether a user can view and manage Qualtrics incentives configurations and usage. View: users can see Qualtrics incentive settings, mappings, and incentive activity tied to their access level. Manage: users can create new Qualtrics incentives and update configurations, adjust mappings or settings, and manage incentive usage within the limits of their access level.
Hide account balance from user	Hides account balances from the user, even if other permissions (such as Place orders or Accounts) would normally display them. This applies to all accounts the user can access.

More resources:

Title	Roles and permissions in Tango

URL Name	About-roles-in-Tango