
Role-Based Access Control

OPBX uses Role-Based Access Control (RBAC) to manage what users can see and do in the system. This document explains the available roles, their permissions, and best practices for role assignment.

Available Roles

OPBX provides four built-in roles, each with different levels of access:

Owner

Description: Full organization access with complete control over all settings and users.

Permissions:

  • ✅ Create, edit, and delete all users (including other owners)
  • ✅ Configure all system settings
  • ✅ Access all features and reports
  • ✅ Manage Cloudonix integration
  • ✅ Delete the organization

Typical Users:

  • Organization administrators
  • Business owners
  • IT directors

PBX Admin

Description: Administrative access to manage users and system configuration, but cannot manage owners.

Permissions:

  • ✅ Create, edit, and delete PBX Users and Reporters
  • ❌ Cannot manage Owners or other PBX Admins
  • ✅ Configure system settings (extensions, ring groups, IVR, etc.)
  • ✅ View all reports
  • ✅ Manage phone system features

Typical Users:

  • IT administrators
  • Phone system managers
  • Technical support staff

PBX User

Description: Standard user access for employees who need phone extensions.

Permissions:

  • ✅ Use assigned phone extension
  • ✅ View personal call history
  • ✅ Access voicemail
  • ✅ Update personal profile
  • ❌ Cannot access admin features
  • ❌ Cannot view other users' data

Typical Users:

  • Employees with phone extensions
  • Sales staff
  • Support agents

Reporter

Description: Read-only access to reports and analytics.

Permissions:

  • ✅ View all reports and analytics
  • ✅ Export report data
  • ❌ Cannot make or receive calls
  • ❌ Cannot access configuration
  • ❌ Cannot manage users

Typical Users:

  • Managers who need call statistics
  • Business analysts
  • Quality assurance teams

Permission Matrix

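| Feature | Owner | PBX Admin | PBX User | Reporter |
|---|---|---|---|---|
| User Management | | | | |
| Create users | All roles | PBX User, Reporter | | |
| Edit users | All roles | PBX User, Reporter | Own profile only | |
| Delete users | All roles | PBX User, Reporter | | |
| Configuration | | | | |
| System settings | | | | |
| Extensions | | | | |
| Ring groups | | | | |
| IVR menus | | | | |
| Cloudonix settings | | | | |
| Phone Features | | | | |
| Make/receive calls | | | | |
| Voicemail | | | | |
| Call transfer | | | | |
| Reports | | | | |
| View reports | All data | All data | Own data only | All data |
| Export data | | | Own data only | |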

Role Hierarchy

Roles follow a hierarchy where higher roles can manage lower roles:

Owner (highest)
└── Can manage: Owner, PBX Admin, PBX User, Reporter

PBX Admin
└── Can manage: PBX User, Reporter
└── Cannot manage: Owner, PBX Admin

PBX User
└── Can manage: Self only

Reporter (lowest)
└── Can manage: Self only

Changing User Roles

Who Can Change Roles?

  • Owner: Can change any user's role to any other role
  • PBX Admin: Can change PBX User and Reporter roles
  • PBX Admin: Cannot change Owner or PBX Admin roles

How to Change a Role

  1. Navigate to Users in the main menu
  2. Find the user you want to edit
  3. Click the Edit button (pencil icon)
  4. Select the new role from the Role dropdown
  5. Click Save Changes

Role Change Audit

Role changes are logged in the audit log with:

  • Who made the change
  • The previous role
  • The new role
  • Timestamp

Role Change Restrictions

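The following table shows which role changes are allowed and which are blocked:

| From | To | Allowed? | Reason |
|---|---|---|---|
| Owner | Any | ✅ Yes | - |
| PBX Admin | Owner | ❌ No | Only owners can promote to owner |
| PBX User | PBX Admin | ✅ Yes | If changed by Owner or PBX Admin |
| Reporter | PBX Admin | ❌ No | Only PBX User role |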

Best Practices

Principle of Least Privilege

Always assign the minimum role necessary for a user to perform their job:

  • Need to make calls? → PBX User
  • Need to view reports only? → Reporter
  • Need to manage the phone system? → PBX Admin
  • Need full control? → Owner

Role Assignment Guidelines

| User Type | Recommended Role | Notes |
|---|---|---|
| CEO/CTO | Owner | Needs full access |
| IT Manager | Owner or PBX Admin | Depends on delegation needs |
| IT Staff | PBX Admin | Day-to-day management |
| Sales Team | PBX User | Need phone access |
| Support Team | PBX User | Need phone access |
| QA Manager | Reporter | Monitor call quality |
| Analyst | Reporter | Review metrics only |

Security Recommendations

  1. Limit Owner accounts - Have at least 2 owners for redundancy, but no more than necessary
  2. Review roles regularly - Audit user roles quarterly
  3. Remove unnecessary access - Demote users when they change roles
  4. Monitor role changes - Watch the audit log for unexpected role changes
  5. Document role assignments - Maintain a record of who has what access and why
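
An added example, not part of OPBX, of reviewing role-change audit records for the events recommendation 4 asks you to watch. The JSON-lines format and its field names are assumptions (the page lists only which fields are recorded), and the sample records are constructed.

```python
import json

# Rank order follows the page's role hierarchy (Reporter lowest, Owner highest).
RANK = {"Reporter": 0, "PBX User": 1, "PBX Admin": 2, "Owner": 3}

# Constructed audit records; the field names are assumptions, not OPBX's format.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:00Z", "actor": "alice", "target": "bob", "old": "PBX User", "new": "Reporter"}
{"ts": "2024-03-02T23:41:00Z", "actor": "carol", "target": "dave", "old": "PBX User", "new": "Owner"}
{"ts": "2024-03-03T10:05:00Z", "actor": "erin", "target": "erin", "old": "Reporter", "new": "PBX Admin"}
not-json garbage line
{"ts": "2024-03-04T08:00:00Z", "actor": "alice", "target": "frank", "old": "Owner", "new": "PBX User"}
"""


def review_role_changes(log_text):
    """Return (ts, target, finding) tuples for role changes worth a human look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            e = json.loads(line)
            old, new = RANK[e["old"]], RANK[e["new"]]
            actor, target, ts = e["actor"], e["target"], e["ts"]
        except (ValueError, KeyError, TypeError):
            # A record that cannot be parsed is itself worth investigating.
            findings.append((None, None, f"line {n}: unparseable record"))
            continue
        if actor == target:
            # The page says users cannot change their own role.
            findings.append((ts, target, "self-change (should be blocked)"))
        if new > old and e["new"] in ("Owner", "PBX Admin"):
            findings.append((ts, target, f"promoted to {e['new']}"))
        if e["old"] == "Owner" and new < old:
            findings.append((ts, target, "owner demoted"))
    return findings


if __name__ == "__main__":
    for finding in review_role_changes(SAMPLE_LOG):
        print(finding)
```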

Role Limitations

Maximum Users Per Role

There are no hard limits on the number of users per role, but consider:

  • Owners: Keep to 2-3 people maximum
  • PBX Admins: Limit to your IT team size
  • PBX Users: Limited by your license/subscription
  • Reporters: Limited by your license/subscription

Role Conflicts

Role conflicts occur when:

  1. Last Owner Protection: Cannot demote the last owner
  2. Self-management: Users cannot change their own role
  3. Cross-organization: Users can only manage users in their own organization
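
One way to enforce the role hierarchy, the role-change rules and the three conflict checks above on the server side, as an added example that is not OPBX's own code. The `User` record and `check_role_change` are hypothetical, and the example takes the stricter reading in which a PBX Admin can neither manage nor assign the Owner and PBX Admin roles.

```python
from dataclasses import dataclass

ROLES = {"Owner", "PBX Admin", "PBX User", "Reporter"}  # role names from the page
# Assumption: a PBX Admin may only touch, and only assign, these two roles.
ADMIN_MANAGEABLE = {"PBX User", "Reporter"}


@dataclass(frozen=True)
class User:  # hypothetical record, not an OPBX type
    id: int
    org_id: int
    role: str


def check_role_change(actor, target, new_role, org_users):
    """Return (allowed, reason) for actor changing target's role to new_role."""
    if new_role not in ROLES:
        return False, "unknown role"
    if actor.org_id != target.org_id:
        return False, "cross-organization"
    owners = [u for u in org_users
              if u.org_id == target.org_id and u.role == "Owner"]
    if target.role == "Owner" and new_role != "Owner" and len(owners) <= 1:
        return False, "last owner protection"
    if actor.id == target.id:
        return False, "self-management"
    if actor.role == "Owner":
        return True, "owner may assign any role"
    if actor.role == "PBX Admin":
        if target.role not in ADMIN_MANAGEABLE:
            return False, "PBX Admin cannot manage Owner or PBX Admin"
        if new_role not in ADMIN_MANAGEABLE:
            return False, "PBX Admin cannot assign Owner or PBX Admin"
        return True, "PBX Admin may manage PBX User and Reporter"
    return False, "role cannot manage other users"


# Constructed sample organization (ids and org numbers are made up).
OWNER = User(1, 10, "Owner")
ADMIN = User(2, 10, "PBX Admin")
AGENT = User(3, 10, "PBX User")
OUTSIDER = User(4, 99, "PBX User")
ORG = [OWNER, ADMIN, AGENT]

if __name__ == "__main__":
    for actor, target, role in [(ADMIN, AGENT, "Reporter"), (ADMIN, AGENT, "Owner"),
                                (OWNER, OWNER, "PBX Admin"), (OWNER, OUTSIDER, "Reporter")]:
        print(actor.role, "->", target.role, "to", role, check_role_change(actor, target, role, ORG))
```

The check runs on every role-change request regardless of what the Role dropdown offered, so a request crafted outside the UI is held to the same rules.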

Troubleshooting

Cannot Assign Role

Problem: The role you want to assign is not available.

Solutions:

  • Check your own role - you may not have permission
  • PBX Admins cannot create other PBX Admins or Owners
  • Contact an Owner to assign higher-level roles

User Cannot Access Feature

Problem: A user reports they cannot access a feature they need.

Solutions:

  1. Check the user's current role
  2. Review the permission matrix above
  3. Upgrade their role if appropriate
  4. Verify they are logging in with the correct account

Accidental Role Change

Problem: A user's role was changed incorrectly.

Solutions:

  • Change the role back immediately
  • Check the audit log to see who made the change
  • Document the incident for security review
