Team Roles (RBAC)
Team Roles
Cliqer controls what each member of your team can manage through team roles.
Roles are part of the Enterprise plan and are managed at
Dashboard → Team → Security (/dash/team/security).
Roles govern team management actions - inviting members, editing branding, managing security, API keys and custom domains. They are enforced server-side: every management endpoint checks the acting member's permissions before doing anything, so a permission that isn't granted cannot be used, even via the API.
Permissions
Each role grants any combination of these permissions:
| Permission | Allows |
|---|---|
| Manage members | Invite, remove and re-role team members |
| Manage branding | Edit the team's whitelabel branding |
| Manage security | SSO providers, SCIM tokens, SSO enforcement, custom roles |
| Manage API keys | Mint and revoke self-service API keys |
| Manage custom domains | Add, verify and remove custom domains |
Built-in roles
Every team has three built-in roles:
| Role | Permissions |
|---|---|
| Owner | All permissions, always. The owner is also the SSO break-glass account. |
| Admin | Manage members, branding and security |
| Member | No management permissions (can use the product, not administer the team) |
API keys and custom domains are owner-or-custom-role by default - admins do not manage them unless you grant it through a custom role.
Custom roles
When the built-in roles aren't enough, create a custom role with exactly the permissions you want, then assign it to a member. A custom role can never grant more than the owner already has.
- Create, edit and delete custom roles under Team → Security → Team roles.
- Assign a custom role to a member; it overrides their built-in role.
- Delete a custom role and any member using it falls back to their built-in role automatically.
How enforcement works
Team management endpoints resolve the acting member's effective permissions -
owner (all), a custom role's explicit list, or the built-in role's defaults - and
reject the request if the required permission is missing. This is the same check
(security.manage, members.manage, …) used across the dashboard, so what you
see in the UI matches what the server allows.
Note: This is about team administration. Cliqer's internal platform-admin controls are separate and not customer-configurable.