Skip to main content
DialNexa uses role-based access control (RBAC) to manage what each team member can see and do within a workspace. Every member of a workspace is assigned exactly one role. Roles are assigned per workspace - the same user can be an Admin in one workspace and a Viewer in another.

Available Roles

Owner

Full access to everything in the workspace, including billing management, workspace deletion, and transferring ownership. Each workspace has exactly one Owner.

Admin

Can manage agents, phone numbers, team members, and workspace settings. Cannot access billing or delete the workspace.

Member

Can create and edit agents, make test calls, and view call history. Cannot delete agents, manage phone numbers, invite team members, or modify workspace settings.

Viewer

Read-only access. Can view agent configurations and call history but cannot make any changes. Suitable for stakeholders who need visibility without edit access.

Permission Matrix

ActionOwnerAdminMemberViewer
View agents
Create agents-
Edit agents-
Delete agents--
View call history
Download recordings-
Delete call records--
Make test calls-
Launch batch campaigns-
View phone numbers
Purchase phone numbers--
Configure phone numbers--
Release phone numbers--
View API keys--
Create API keys--
Revoke API keys--
Invite team members--
Change member roles--
Remove team members--
View workspace settings--
Edit workspace settings--
View billing---
Manage billing / recharge---
Delete workspace---
Transfer ownership---

Assigning Roles

When Inviting a New Member

When inviting someone to a workspace, you select their role as part of the invitation flow. See Workspace - Inviting Team Members for the full invitation process.

Changing an Existing Member’s Role

1

Go to Team Members

Navigate to Settings → Team → Members in the workspace.
2

Find the member

Locate the team member whose role you want to change.
3

Click their current role

The role is displayed next to their name. Click it to open a role selection dropdown.
4

Select the new role

Choose the new role from the dropdown. The change takes effect immediately.
The workspace Owner role can only be transferred, not assigned. To transfer ownership, go to Settings → Team → Transfer Ownership and select the new Owner. The current Owner becomes an Admin.

Enterprise-Specific Access Controls

Enterprise plans have additional access control capabilities beyond the standard RBAC roles:

Custom Roles (Enterprise)

Enterprise accounts can define custom roles with granular permission sets. For example, you might create a “Campaign Manager” role that can launch batch campaigns but cannot edit agent prompts. Custom roles are configured via the organization settings or via the API. Contact your account manager to enable and configure custom roles.

IP Allowlisting (Enterprise)

Restrict dashboard and API access to specific IP addresses or CIDR ranges. When enabled, any access attempt from an IP outside the allowlist is rejected, regardless of valid credentials. To configure:
  1. Go to Organization Settings → Security → IP Allowlist
  2. Add your allowed IP addresses or CIDR ranges
  3. Enable the allowlist
Before enabling IP allowlisting, make sure your own IP address is on the allowlist. Enabling an empty or incorrect allowlist will lock everyone out of the dashboard, including you.

SSO Integration (Enterprise)

Enterprise accounts can configure Single Sign-On (SSO) using SAML 2.0 or OIDC. With SSO enabled:
  • Team members log in via your identity provider (Okta, Azure AD, Google Workspace, etc.)
  • DialNexa passwords are disabled for SSO users
  • User provisioning and deprovisioning can be managed centrally through your IdP
  • SCIM provisioning is supported for automated user lifecycle management
Contact support to set up SSO. You’ll need to provide your IdP metadata or OIDC configuration.

Audit Logs (Enterprise)

Enterprise workspaces maintain a full audit log of actions taken by team members:
  • Agent creation, modification, and deletion
  • Phone number purchases and releases
  • API key creation and revocation
  • Team member role changes
  • Billing events
  • Login events (including failed logins)
Audit logs are available in Settings → Audit Log and can be exported as CSV or streamed to a SIEM via webhook. Logs are retained for 365 days.

Restricting Sensitive Features

Some features warrant additional access restriction beyond the standard role matrix: Prompt visibility: If your system prompts contain sensitive business logic, consider restricting agent edit access to Owners and Admins only. Members with access can see and modify prompts. Viewers cannot - making Viewer the appropriate role for stakeholders who only need to monitor call quality. Billing isolation: Only Owners can view billing details and manage wallet funds. If you have team members who should never see billing information (e.g., contractors), assign them Member or Viewer roles. API key access: API keys are visible only to Admins and Owners. If a team member should not have API access, assign them the Member role.