Roles, teams & permissions
The RBAC model — seven system roles, module permissions, data scope and teams.
d0pe ships a full role-based access model so you can bring on staff, buyers and external partners without any of them seeing more than they should. A fresh install seeds seven system roles; you can retune every one of them live, or clone them into your own.
The seven system roles
- Owner — full, unconditional access. The account created at install.
- Affiliate manager — flows, routes, caps, partners and campaigns; sees traffic analytics.
- Integrations manager — builds integrations and directories, with PII (phone/email/name) masked and no analytics.
- Team lead — manages their own team's buyers and flows; sees team analytics only.
- Buyer — isolated access to their own traffic, flows and analytics.
- Traffic provider — self-service view of its own leads and performance; the end brand is hidden (Blind Routing).
- Partner — external advertiser; sees only leads sent to its integration and its own campaigns; sources hidden (Blind Routing).
What a role controls
- Module permissions — per module (leads, flows, campaigns, partners, providers, integrations, ledger, analytics, mask, domains, users, settings, audit) which actions are allowed: view, create, edit, delete, export.
- Data scope — how much a role sees: all, own team, or only its own records.
- Field privacy — sensitive fields (phone, email, name) can be raw, masked, or hidden per role.
- Action restrictions — gate risky operations like manual lead injection, changing a lead id, force-approve, or export.
Teams
Teams form a tree. A team's lead is simply the user with the team_lead role on that team, so a team lead's team-scope automatically covers their buyers. Combined with data scope, this keeps each buying team's traffic and numbers walled off from the others.
Least privilege by default: staff, buyers and partners each get exactly one honest view.