Access Control

Role matrix

Tenant roles

Action	Sales Rep	Manager	Admin
View own leads	✅	✅	✅
View all leads	❌	✅	✅
Create leads	✅	✅	✅
Edit leads	✅ (own)	✅	✅
Delete leads	❌	✅	✅
Move pipeline stage	✅	✅	✅
Create tasks	✅	✅	✅
Assign tasks to others	❌	✅	✅
View all team activity	❌	✅	✅
Manage automations	❌	✅	✅
Configure pipeline stages	❌	❌	✅
Invite team members	❌	❌	✅
Manage billing	❌	❌	✅
Configure integrations	❌	❌	✅
Configure SMTP	❌	❌	✅
Access analytics	❌	✅	✅

Platform roles (developer portal)

Action	Developer	Developer Staff	Developer Admin
View platform client list	✅	✅	✅
Manage tenant clients	❌	✅	✅
View affiliate directory	✅	✅	✅
Approve/reject affiliates	❌	✅	✅
Create affiliates directly	❌	✅	✅
View commission ledger	✅	✅	✅
Approve/pay commissions	❌	✅	✅
Manage platform settings	❌	❌	✅

---

Tenant isolation

Each tenant organization’s data is completely isolated:

• All PocketBase queries are filtered by the authenticated user’s client_id
• No API route returns cross-tenant data
• Developer portal users can view the client list but cannot access tenant CRM records

---

Admin controls

Inviting and removing team members

Admins can:

• Invite users by email from Settings → Team
• Set or change role assignments
• Remove users from the organization (revokes access immediately)

Password policy

• All users must set a password of at least 8 characters
• Password reset is available via email for any user

Session visibility

Currently, admins cannot view active sessions of other users. Users can manage their own sessions by logging out.

---

Principle of least privilege

Follow least-privilege when assigning roles:

• Give Sales Rep role to field sales team members
• Give Manager role to team leads who need reporting access and automation management
• Give Admin only to people responsible for billing, settings, and user management

Avoid giving everyone Admin access — restrict billing access to prevent accidental plan changes.