Team Roles (RBAC)

Control what your team members can manage with built-in and custom roles.

Team Roles

Cliqer controls what each member of your team can manage through team roles. Roles are part of the Enterprise plan and are managed at Dashboard → Team → Security (/dash/team/security).

Roles govern team management actions - inviting members, editing branding, managing security, API keys and custom domains. They are enforced server-side: every management endpoint checks the acting member's permissions before doing anything, so a permission that isn't granted cannot be used, even via the API.

Permissions

Each role grants any combination of these permissions:

PermissionAllows
Manage membersInvite, remove and re-role team members
Manage brandingEdit the team's whitelabel branding
Manage securitySSO providers, SCIM tokens, SSO enforcement, custom roles
Manage API keysMint and revoke self-service API keys
Manage custom domainsAdd, verify and remove custom domains

Built-in roles

Every team has three built-in roles:

RolePermissions
OwnerAll permissions, always. The owner is also the SSO break-glass account.
AdminManage members, branding and security
MemberNo management permissions (can use the product, not administer the team)

API keys and custom domains are owner-or-custom-role by default - admins do not manage them unless you grant it through a custom role.

Custom roles

When the built-in roles aren't enough, create a custom role with exactly the permissions you want, then assign it to a member. A custom role can never grant more than the owner already has.

  • Create, edit and delete custom roles under Team → Security → Team roles.
  • Assign a custom role to a member; it overrides their built-in role.
  • Delete a custom role and any member using it falls back to their built-in role automatically.

How enforcement works

Team management endpoints resolve the acting member's effective permissions - owner (all), a custom role's explicit list, or the built-in role's defaults - and reject the request if the required permission is missing. This is the same check (security.manage, members.manage, …) used across the dashboard, so what you see in the UI matches what the server allows.

Note: This is about team administration. Cliqer's internal platform-admin controls are separate and not customer-configurable.