User management
Roles & Permissions
Role hierarchy and what each role can do
GNETiX uses a hierarchical role system. Each user is assigned exactly one role, and roles determine what actions the user can perform in the portal and API.
Role Hierarchy
| Role | Level | Description |
|---|---|---|
| user | 1 | Chat-only access. Can send messages through connected platforms and view their own profile. Cannot access the admin portal. |
| org_admin | 2 | Full admin for their own organization. Can manage users, agents, MCP servers, integrations, and org settings. |
| msp_admin | 3 | Everything an org_admin can do, plus cross-org access to all organizations managed by their parent org. |
| superuser | 4 | Platform administrator. Full access to every organization and all system settings. Can create/delete orgs and manage global configuration. |
Permission Matrix
| Action | user | org_admin | msp_admin | superuser |
|---|---|---|---|---|
| Send/receive chat messages | Yes | Yes | Yes | Yes |
| View own profile | Yes | Yes | Yes | Yes |
| Change own password | Yes | Yes | Yes | Yes |
| Access admin portal | No | Yes | Yes | Yes |
| Manage users in own org | No | Yes | Yes | Yes |
| Manage agents | No | Yes | Yes | Yes |
| Manage MCP servers | No | Yes | Yes | Yes |
| Configure integrations | No | Yes | Yes | Yes |
| View pipeline traces | No | Yes | Yes | Yes |
| Manage webhooks | No | Yes | Yes | Yes |
| Access managed orgs | No | No | Yes | Yes |
| Create/delete organizations | No | No | No | Yes |
| Configure global settings | No | No | No | Yes |
| Manage LLM providers | No | No | No | Yes |
Role Escalation Guards
GNETiX enforces strict role escalation rules:
- A user can only assign roles at or below their own level
- An `org_admin` can create `user` and `org_admin` accounts
- An `msp_admin` can additionally create `msp_admin` accounts (within managed orgs)
- Only a `superuser` can grant the `superuser` role
Role escalation is enforced at the API level, not just the UI. Attempts to assign a role above your own will return a 403 error.
Default Role
New users are created with the `user` role by default. The creating admin can select a different role during user creation, subject to the escalation rules above.
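The escalation guard and default role described above, sketched as a server-side check. This is an added example, not GNETiX code: the levels and the 403 response come from this page, while the actor dictionary shape, the `managed_orgs` field, the function names and the refusal of unknown role names are assumptions.

```python
from typing import Optional, Tuple

# Levels copied from the Role Hierarchy table on this page.
ROLE_LEVELS = {"user": 1, "org_admin": 2, "msp_admin": 3, "superuser": 4}
DEFAULT_ROLE = "user"
MIN_ADMIN_LEVEL = 2  # "Manage users in own org" starts at org_admin


def can_reach_org(actor: dict, target_org: str) -> bool:
    """Org scope from the Permission Matrix (actor shape is an assumption)."""
    level = ROLE_LEVELS[actor["role"]]
    if level >= ROLE_LEVELS["superuser"]:
        return True  # superuser: every organization
    if target_org == actor["org"]:
        return True  # any admin: their own organization
    # msp_admin: cross-org access, but only to managed orgs
    return (level >= ROLE_LEVELS["msp_admin"]
            and target_org in actor.get("managed_orgs", ()))


def authorize_role_assignment(actor: dict, target_org: str,
                              requested_role: Optional[str] = None
                              ) -> Tuple[int, Optional[str]]:
    """Return (http_status, role_to_assign); (403, None) when refused."""
    role = requested_role or DEFAULT_ROLE
    actor_level = ROLE_LEVELS.get(actor.get("role"))
    target_level = ROLE_LEVELS.get(role)
    # Fail closed: a role name missing from the table is never granted
    # (assumed behaviour; the page only specifies 403 for escalation).
    if actor_level is None or target_level is None:
        return 403, None
    # The level rule alone would let a `user` assign `user`; the matrix
    # says a `user` cannot manage users at all, so check that first.
    if actor_level < MIN_ADMIN_LEVEL:
        return 403, None
    # Escalation guard: only roles at or below the caller's own level.
    if target_level > actor_level:
        return 403, None
    if not can_reach_org(actor, target_org):
        return 403, None
    return 200, role
```

The check takes the caller's role from the authenticated session, never from the request body, so a hidden or disabled UI option has no bearing on the outcome.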