Roles & Permissions
Role hierarchy (tenant_admin to account_user), what each role can do, and scope-based access
RPA Watch uses a role-based access control system with five roles organized in a hierarchy. Each role has a defined scope (what data it can see) and permissions (what actions it can perform).
Role Hierarchy
| Role | Level | Scope |
|---|---|---|
| Tenant Admin | 80 | All accounts in the tenant |
| Consultant | 60 | Assigned processes across any account in the tenant |
| Account Admin | 40 | Single account |
| Account User | 20 | Single account, assigned processes only |
Tenant Admin
The highest organizational role. Tenant admins have full control over their tenant.
Can do:
- View all accounts, processes, jobs, robots, and schedules across the entire tenant
- Create and manage accounts
- Invite and manage all members (any role)
- Configure tenant settings (authentication, email, CAPTCHA)
- Manage licenses
- View tenant-wide audit logs
- Assign consultants to processes
- Access any account's settings and API keys
Consultant
A cross-account role designed for consulting firms. Consultants can access multiple accounts but only see the processes they've been assigned to.
Can do:
- View assigned processes and their jobs across any account
- Access the dashboard for assigned processes
- View robots and schedules related to their assigned processes
Cannot do:
- Create or manage accounts
- Invite or manage members
- Change settings or manage API keys
- See processes they haven't been assigned to
Scope: Consultants are tenant-level users (no specific account). They see only the processes explicitly assigned to them by a tenant admin.
Account Admin
Full control within a single account. This is the typical role for a department lead or team manager.
Can do:
- View all processes, jobs, robots, and schedules in their account
- Update process metadata (criticality, category, owner, etc.)
- Invite and manage members within their account
- Create and manage API keys
- Configure account settings and RPA tool credentials
- Assign processes to account users
- View account-level audit logs
- Sync with the RPA provider
Cannot do:
- Access other accounts in the tenant
- Invite tenant-level roles (consultant, tenant_admin)
- Manage tenant settings or licenses
Scope: Limited to a single account.
Account User
The most restricted role. Account users see only the processes assigned to them.
Can do:
- View assigned processes and their jobs
- View the dashboard (filtered to assigned processes)
- Download file attachments from jobs
Cannot do:
- See processes they haven't been assigned to
- Invite members or manage settings
- Create or manage API keys
- Update process metadata
Scope: Limited to assigned processes within a single account.
Permission Summary
| Action | Tenant Admin | Consultant | Account Admin | Account User |
|---|---|---|---|---|
| View all processes in account | Yes | Assigned only | Yes | Assigned only |
| View jobs | Yes | Assigned processes | Yes | Assigned processes |
| Update process metadata | Yes | No | Yes | No |
| Create API keys | Yes | No | Yes | No |
| Invite members | Yes (any role) | No | Yes (account roles) | No |
| Manage account settings | Yes | No | Yes | No |
| Create accounts | Yes | No | No | No |
| Manage tenant settings | Yes | No | No | No |
| Manage licenses | Yes | No | No | No |
| View audit logs | Yes (tenant-wide) | No | Yes (account) | No |
| Sync RPA provider | Yes | No | Yes | No |
| Assign consultants | Yes | No | No | No |
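The matrix and scopes above can be expressed as a default-deny check, shown here as an added example (not RPA Watch's own code). The action names, the `Membership` fields and the `can` function are assumptions made for illustration; the point it demonstrates is that the numeric level alone cannot decide access, since a consultant (60) outranks an account admin (40) yet cannot create API keys.

```python
from dataclasses import dataclass
from typing import Optional

# Levels from the Role Hierarchy table; kept only to show they do not decide access.
LEVEL = {"tenant_admin": 80, "consultant": 60, "account_admin": 40, "account_user": 20}
ACCOUNT_ROLES = {"account_admin", "account_user"}
ASSIGNED_ONLY = {"consultant", "account_user"}
ADMINS = {"tenant_admin", "account_admin"}

# Permission Summary as allow-lists. Action names are constructed for this example.
ALLOW = {
    "view_process": set(LEVEL), "view_jobs": set(LEVEL),
    "update_process_metadata": ADMINS, "create_api_key": ADMINS,
    "invite_member": ADMINS, "manage_account_settings": ADMINS,
    "view_audit_logs": ADMINS, "sync_rpa_provider": ADMINS,
    "create_account": {"tenant_admin"}, "manage_tenant_settings": {"tenant_admin"},
    "manage_licenses": {"tenant_admin"}, "assign_consultant": {"tenant_admin"},
}

@dataclass(frozen=True)
class Membership:
    """One membership; a user with several is checked against the active one only."""
    role: str
    tenant: str
    account: Optional[str] = None        # None for tenant-level roles
    assigned: frozenset = frozenset()    # process ids assigned to this member

def can(m, action, tenant, account=None, process=None, invited_role=None):
    """Default deny: role must be allow-listed, then every scope rule must pass."""
    if m.role not in ALLOW.get(action, ()):
        return False                     # unknown action or role not listed
    if tenant != m.tenant:
        return False                     # no membership crosses a tenant boundary
    if m.role in ACCOUNT_ROLES and account != m.account:
        return False                     # account roles: single account only
    if m.role in ASSIGNED_ONLY and process not in m.assigned:
        return False                     # assigned processes only
    if action == "invite_member" and m.role == "account_admin":
        return invited_role in ACCOUNT_ROLES   # no tenant-level invites
    return True
```

Passing `account=None` stands for a tenant-wide request, so an account admin asking for tenant-wide audit logs is denied by the single-account rule.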
Multiple Memberships
A single user can have multiple memberships across different tenants and accounts. For example:
- Alice is a tenant_admin at Company A
- Alice is also a consultant at Company B
- Alice is also an account_user in the "Finance" account at Company C
Each membership has its own role and scope. Alice switches between them using [context switching](/docs/switching-accounts).
How Roles Affect the UI
The RPA Watch interface adapts based on your role:
- Sidebar items change — tenant admins see "Accounts", "Tenant Settings", "License"; account users see only "Dashboard", "Processes", "Jobs"
- Actions are hidden or disabled for unauthorized roles
- Data is filtered to your scope automatically