Understanding Roles and Permissions (RBAC)

Role-Based Access Control

BFF uses a 6-tier RBAC system that determines what each user can see and do within the platform. Roles are hierarchical — higher roles have all the permissions of lower roles.

The Role Hierarchy

Role	Scope	What They Can Do
Super Admin	Platform-wide	Manage the entire SaaS platform: partners, billing, feature flags
Partner Admin	Cross-company	Full access across all companies under their partner organization
Company Admin	Single company	Full access within their assigned company
Manager	Company	Manage team members, schedules, approve time-off
Team Lead	Company	Lead a team, manage workflows, view team schedule
Team Member	Company	View own schedule, SOPs, training; request time-off

What Each Role Can Access

Team Member

View their own tasks and schedule
Access SOPs and Work Instructions linked to their tasks
Complete training modules
Submit time-off requests
View notifications

Team Lead

Everything Team Members can do, plus:

View team schedules for their direct reports
Create and manage workflows
View team task assignments

Manager

Everything Team Leads can do, plus:

Invite new team members
Approve/deny time-off requests
Assign tasks and modify schedules
Create SOPs, Work Instructions, and Training
View coverage suggestions

Company Admin

Everything Managers can do, plus:

Full company configuration — settings, branding
Manage all users in the company
View all cascade alerts
Manage AI agents

Partner Admin

Access all companies under their partner
Manage company-level admins
View cross-company analytics

Super Admin

Platform management — partners, billing, feature flags
Impersonation for support

Data Isolation

BFF enforces strict data isolation between companies. A user in Company A can never see data from Company B, regardless of their role — this is enforced at both the application and database levels.

Important: Roles are assigned per-company. A user could be a Manager in one company and a Team Member in another.