Team roles and permissions
Wassla uses five fixed roles to keep workspace permissions simple and auditable: owner, admin, finance, support, and auditor. Owners can do everything including billing; admins can do everything except billing; finance handles invoices and refunds; support works the inbox; and auditor has read-only access plus the audit log. You cannot create custom roles — this constraint is deliberate so that every permission decision is easy to reason about and review.
Why only five roles?
Most customer-support platforms ship with a permission editor that lets workspace owners invent arbitrary roles. That flexibility sounds appealing but in practice it creates audit gaps: nobody remembers which custom role can refund a charge, and reviewers cannot reconstruct who could have approved an action six months ago.
Wassla locks the role set to five well-defined personas. Every staff action is recorded against one of these roles in the audit log, so a compliance reviewer can answer "who could have done this?" in seconds. The trade-off is that you adapt your team to Wassla's role model rather than the other way around — and most teams find five roles cover every real need.
The permissions table
The table below maps each role to the major capability surfaces. "Read" means the role can view but not change; "Write" means the role can both view and change; an em dash means the role has no access.
| Capability | Owner | Admin | Finance | Support | Auditor |
|---|---|---|---|---|---|
| Billing plans, invoices, payment methods | Write | — | Write | — | Read |
| Refunds and credit adjustments | Write | — | Write | — | Read |
| Invite, remove, and re-role teammates | Write | Write | — | — | Read |
| Promote another teammate to owner | Write | — | — | — | — |
| Channel setup (WhatsApp, Instagram, Facebook, Twilio, web widget) | Write | Write | — | — | Read |
| AI agent training, personality, knowledge base | Write | Write | — | — | Read |
| Routing rules and automations | Write | Write | — | — | Read |
| Inbox: read, reply, assign, tag, internal notes | Write | Write | — | Write | Read |
| Conversation handoffs to a human | Write | Write | — | Write | Read |
| Audit log | Read | Read | Read | — | Read |
| Delete the workspace | Write | — | — | — | — |
| Approve dual-control actions | Write (owner-only) | — | — | — | — |
Two cells deserve a quick note. Promoting another teammate to owner is owner-only by design — it is the one privilege escalation Wassla refuses to delegate. Approving dual-control actions is also owner-only and requires that the approver be a different person than the requester; the database enforces this with a CHECK constraint, so it cannot be bypassed in the UI.
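The requester-versus-approver rule described above, as an added example rather than Wassla's own schema: a CHECK constraint that rejects any approval whose approver equals the requester, even when the write goes straight to the database. The table and column names are hypothetical, and SQLite stands in for Wassla's database, which this page does not name.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions, and SQLite
# stands in for whatever database Wassla actually runs on.
SCHEMA = """
CREATE TABLE dual_control_requests (
    id            INTEGER PRIMARY KEY,
    action        TEXT NOT NULL,
    requester_id  TEXT NOT NULL,
    approver_id   TEXT,  -- NULL until someone approves
    CHECK (approver_id IS NULL OR approver_id <> requester_id)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def request_action(db, action, requester_id):
    """Record a pending high-impact action and return its request id."""
    cur = db.execute(
        "INSERT INTO dual_control_requests (action, requester_id) VALUES (?, ?)",
        (action, requester_id),
    )
    db.commit()
    return cur.lastrowid

def approve(db, request_id, approver_id):
    """Return True if the approval was stored, False if the database refused it."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "UPDATE dual_control_requests SET approver_id = ? WHERE id = ?",
                (approver_id, request_id),
            )
        return True
    except sqlite3.IntegrityError:
        # Raised by the CHECK constraint, independent of any UI or API check.
        return False

def approver_of(db, request_id):
    row = db.execute(
        "SELECT approver_id FROM dual_control_requests WHERE id = ?",
        (request_id,),
    ).fetchone()
    return row[0]
```

Because the rule lives in the table definition, any code path that writes an approval is subject to it, including scripts and migrations that never touch the application layer.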
Owner
Owners are the highest-privilege role in a workspace. An owner can change the billing plan, add or remove payment methods, issue refunds, invite or remove teammates, configure every channel, train every AI agent, read every conversation, view the audit log, and delete the workspace.
There must always be at least one owner in a workspace. If you try to demote the last owner, Wassla rejects the change and asks you to promote a replacement first. Owners also receive dual-control approval requests for high-impact actions (above $500 / 50,000 credits per call, or $5,000 / 500,000 credits per day); these requests appear in Settings → Approvals and expire after 24 hours.
Admin
Admins do everything except touch money. Admins can wire up channels, train agents, manage routing rules, invite teammates, and read every conversation — but they cannot view invoices, change the billing plan, or issue refunds.
This split exists because day-to-day operational changes (rotating a WhatsApp number, adding a new knowledge-base article, hiring a support agent) should not require pulling in whoever holds the company credit card. Most operations leads should be admins; reserve owner for the one or two people who genuinely need billing access.
Finance
Finance teammates own everything money-related and nothing else. A finance role can view invoices, change the billing plan, manage payment methods, issue refunds, and read the credit ledger. Finance cannot read conversation content, configure channels, or train agents.
This separation matters for two reasons. First, it lets you bring in a bookkeeper or accountant without exposing customer conversations to them — a real compliance concern under PDPL. Second, it keeps the billing surface auditable: every refund a finance teammate issues is recorded with their identity in the audit log, and refunds above the dual-control threshold require an owner to approve before they execute.
Support
Support is the inbox role. A support teammate can read, reply to, assign, and tag conversations across every channel; leave internal notes; and trigger a handoff from the AI agent to themselves or a colleague. Support cannot change channel configuration, retrain agents, view billing, or invite teammates.
When a support teammate logs in, Wassla takes them straight to Inbox rather than the workspace home — the assumption is that the inbox is their entire workday. Support roles do not see the audit log; if you need a teammate who can both work conversations and review audit history, give them admin instead.
Auditor
Auditors can read everything and change nothing. An auditor can open every conversation, every invoice, every channel configuration, every agent training record, and the full audit log — but every write action in the UI is hidden or disabled. The role is built for internal compliance reviewers, external auditors, and security reviews.
Auditors are also the only role besides owner that can read the full audit log without operational privileges. If you bring in an outside reviewer for an annual security audit, create an auditor account for them, give them access for the duration of the engagement, and remove them when it ends. Every page they viewed is itself recorded in the audit log.
Choosing the right role
When you invite a teammate, pick the smallest role that covers their job. A few common patterns:
- Founder or CEO — owner. They need billing and they hire the rest of the team.
- Head of customer support — admin. They configure channels and routing, but billing lives elsewhere.
- Frontline support agent — support. Inbox only, nothing else.
- Bookkeeper or finance lead — finance. Invoices and refunds, no conversation content.
- External security reviewer — auditor. Read everything for the duration of the review, then remove.
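As an added example (not Wassla code), the permissions table can be encoded and queried to answer "who could have done this?" and to pick the smallest role that covers a job. The short capability keys and the ranking of "smallest" by total access are assumptions of this sketch.

```python
ROLES = ("owner", "admin", "finance", "support", "auditor")

# Access per capability in ROLES order, transcribed from the permissions table:
# W = write, R = read, - = none. The short capability keys are labels chosen here.
MATRIX = {
    "billing":          "W-W-R",
    "refunds":          "W-W-R",
    "manage_teammates": "WW--R",
    "promote_owner":    "W----",
    "channels":         "WW--R",
    "ai_agents":        "WW--R",
    "routing":          "WW--R",
    "inbox":            "WW-WR",
    "handoffs":         "WW-WR",
    "audit_log":        "RRR-R",
    "delete_workspace": "W----",
    "approve_dual":     "W----",
}
LEVEL = {"-": 0, "R": 1, "W": 2}

def access(role, capability):
    """Numeric access level (0 none, 1 read, 2 write) for one table cell."""
    return LEVEL[MATRIX[capability][ROLES.index(role)]]

def roles_able_to(capability, need="W"):
    """Answer 'who could have done this?' for one capability."""
    return [r for r in ROLES if access(r, capability) >= LEVEL[need]]

def smallest_role(needs):
    """Least-privileged role covering needs, a dict of capability -> 'R' or 'W'.

    'Smallest' is ranked by total access across the whole table, which is an
    assumption of this sketch, not a rule Wassla states. Returns None if no
    single role covers every need.
    """
    fits = [r for r in ROLES
            if all(access(r, cap) >= LEVEL[lvl] for cap, lvl in needs.items())]
    return min(fits, key=lambda r: sum(access(r, c) for c in MATRIX), default=None)
```

For a teammate who must work conversations and review audit history, `smallest_role({"inbox": "W", "audit_log": "R"})` returns `admin`, matching the guidance in the Support section.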
You can change a teammate's role at any time from Settings → Team — the change takes effect on their next page load, and the role change itself is recorded in the audit log.