Permissions & Roles
Overview
Keyban provides a role-based permission system that lets organization owners control what each team member can access and do within the Admin Panel. Every member is assigned a role that determines their level of access across the platform's features.
This system ensures that sensitive operations — like managing billing, deleting an organization, or inviting new members — are restricted to the right people, while day-to-day contributors can focus on their work without unnecessary barriers.
Roles at a Glance
Each organization member is assigned one of four roles:
| Role | Best for | Summary |
|---|---|---|
| Owner | Organization creator, CTO | Full control over the organization, including deletion |
| Admin | Team leads, project managers | Manages members, settings, and all modules — except org deletion |
| Editor | Developers, content managers | Creates and edits products and campaigns, reads settings |
| Viewer | Stakeholders, external reviewers | Read-only access to products and campaigns |
What Each Role Can Do
Products & Campaigns
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View DPP products | ✅ | ✅ | ✅ | ✅ |
| Create DPP products | ✅ | ✅ | ✅ | ❌ |
| Edit DPP products | ✅ | ✅ | ✅ | ❌ |
| Delete DPP products | ✅ | ✅ | ❌ | ❌ |
| View Loyalty campaigns | ✅ | ✅ | ✅ | ✅ |
| Create Loyalty campaigns | ✅ | ✅ | ✅ | ❌ |
| Edit Loyalty campaigns | ✅ | ✅ | ✅ | ❌ |
| Delete Loyalty campaigns | ✅ | ✅ | ❌ | ❌ |
Applications
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View applications | ✅ | ✅ | ✅ | ✅ |
| Create applications | ✅ | ✅ | ❌ | ❌ |
| Edit applications | ✅ | ✅ | ✅ | ❌ |
| Delete applications | ✅ | ✅ | ❌ | ❌ |
Team Management
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View members | ✅ | ✅ | ✅ | ❌ |
| Invite or remove members | ✅ | ✅ | ❌ | ❌ |
| Change member roles | ✅ | ✅ | ❌ | ❌ |
| Create or manage teams | ✅ | ✅ | ❌ | ❌ |
Organization & Billing
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View settings | ✅ | ✅ | ✅ | ❌ |
| Edit organization settings | ✅ | ✅ | ❌ | ❌ |
| Delete organization | ✅ | ❌ | ❌ | ❌ |
| View and manage billing | ✅ | ✅ | ❌ | ❌ |
How Permissions Are Enforced
Permissions are enforced at two levels to ensure consistency:
- In the Admin Panel: features and actions the user cannot access are automatically hidden from the interface. There are no grayed-out buttons or confusing error messages — each member sees a clean interface tailored to their role.
- In the API: every request is checked against the user's role. If a restricted endpoint is called directly (e.g., via API key), the platform returns a 403 Forbidden response.
Getting Started
Prerequisites
To manage roles, you need:
- Access to the Admin Panel
- Owner or Admin role in the organization
Inviting a Member with a Role
- Go to Organization > Members in the Admin Panel
- Click Invite Member
- Enter the member's email address
- Select the role to assign (Admin, Editor, or Viewer)
- The invited user receives an email and joins the organization with the selected role
Changing a Member's Role
- Go to Organization > Members
- Find the member in the list
- Click the role dropdown next to their name
- Select the new role
- The change takes effect immediately — the member's interface updates on their next page load
Typical Role Assignments
Here are common setups depending on your team structure:
| Team member | Recommended role | Why |
|---|---|---|
| Company founder / CTO | Owner | Needs full control including billing and org deletion |
| Project manager | Admin | Manages the team and settings, but shouldn't delete the org |
| Developer / Designer | Editor | Creates and updates products and campaigns daily |
| Client / External auditor | Viewer | Needs to see data without modifying anything |
Understanding Role Differences
Owner vs Admin
The Owner and Admin roles are nearly identical, with one key difference: only the Owner can delete the organization. This safeguard prevents accidental or unauthorized deletion.
Both roles can:
- Invite and remove members
- Manage all applications, products, and campaigns
- Access billing and organization settings
Editor vs Viewer
The Editor can create and edit DPP products and Loyalty campaigns and can edit existing applications (creating or deleting applications requires the Admin or Owner role), making it ideal for team members who contribute daily.
The Viewer has strictly read-only access — perfect for stakeholders who need visibility without the risk of accidental changes.
What Happens When a Role Changes
When you change a member's role:
- The change takes effect immediately
- The member's interface adapts automatically on their next navigation
- No data is lost — the member simply gains or loses access to certain actions
- Any in-progress form submissions that exceed the new role's permissions will be rejected by the API
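The sketch below is an added example, not Keyban's code. It illustrates the API-level check described under "How Permissions Are Enforced" and the stale-form case above: the role is resolved server-side on every request, so a form opened before a downgrade is rejected with 403. The action names, the member store, and the function names are hypothetical; the matrix is transcribed from the tables on this page.

```python
from http import HTTPStatus

# Roles ordered from most to least privileged, as in the page's tables.
ROLES = ["owner", "admin", "editor", "viewer"]

# Least-privileged role allowed per action, transcribed from the page's tables.
# Action names are hypothetical labels, not Keyban API identifiers.
LOWEST_ROLE = {
    "product.view": "viewer", "product.create": "editor",
    "product.edit": "editor", "product.delete": "admin",
    "campaign.view": "viewer", "campaign.create": "editor",
    "campaign.edit": "editor", "campaign.delete": "admin",
    "application.view": "viewer", "application.create": "admin",
    "application.edit": "editor", "application.delete": "admin",
    "member.view": "editor", "member.manage": "admin",
    "settings.view": "editor", "settings.edit": "admin",
    "organization.delete": "owner", "billing.manage": "admin",
}

# Constructed membership store: the server's record of each member's role.
MEMBERS = {"alice@example.com": "owner", "bob@example.com": "editor"}


def authorize(member: str, action: str) -> HTTPStatus:
    """Deny by default: unknown members, roles, or actions get 403."""
    role = MEMBERS.get(member)  # looked up per request, never taken from the client
    lowest = LOWEST_ROLE.get(action)
    if role not in ROLES or lowest not in ROLES:
        return HTTPStatus.FORBIDDEN
    allowed = ROLES.index(role) <= ROLES.index(lowest)
    return HTTPStatus.OK if allowed else HTTPStatus.FORBIDDEN


def submit_after_role_change() -> list[HTTPStatus]:
    """An editor opens a form, is downgraded, then submits the stale form."""
    before = authorize("bob@example.com", "product.edit")
    MEMBERS["bob@example.com"] = "viewer"  # an admin changes the role
    after = authorize("bob@example.com", "product.edit")
    MEMBERS["bob@example.com"] = "editor"  # restore the sample data
    return [before, after]


if __name__ == "__main__":
    print(submit_after_role_change())
    print(authorize("alice@example.com", "organization.delete"))
```

Because hidden interface elements do not stop a direct API call, a check of this kind on the server is what actually bounds each role.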