Roles & Permissions

Access in the Backoffice is controlled at two levels: organization-scoped roles (assigned per user per organization) and a system-level role for Percus platform administrators.

Organization roles

Every user has exactly one role within each organization they belong to.

Role              | Level
OrganizationAdmin | Full control over the organization
ProjectManager    | Create and manage projects; publish templates
Developer         | Upload and manage templates; view projects
Viewer            | Read-only access

Permission matrix

Action | Viewer | Developer | ProjectManager | OrgAdmin
View projects
Create project
Edit project (name/description)
Archive project
View templates
Upload template
Archive template
Deploy template to PROD
Publish/unpublish channel
Manage public video shares
Create API credentials
Revoke API credentials
Invite users
Change user roles
Deactivate/reactivate users
Manage organization settings

System role: Owner

The Owner role is a platform-wide designation assigned by the Percus team. Owners:

  • Can access and manage all organizations.
  • Can assign and remove the Owner system role from other users.
  • Have full permissions across every organization (equivalent to OrganizationAdmin everywhere).

An Owner is identified by the system_role: "Owner" claim in their JWT.

Role assignment

Roles are assigned at invitation time and can be changed afterward by an OrganizationAdmin:

PUT /v1/users/{userId}/role
{ "role": "ProjectManager" }

A role change takes effect once the user's session has been refreshed; requests made on the existing session continue to carry the previous role until then.

Enforcement

Authorization is enforced at the API layer:

  • Campaign Service endpoints that mutate state require the OrgAdminOrOwner policy, or perform the equivalent role check inside the handler.
  • Role information is forwarded from the frontend session via the X-Percus-Forwarded-Org-Role and X-Percus-Forwarded-System-Role headers. These headers describe the caller's session and are meaningful only when set by the frontend session layer; a service should not honour them from arbitrary clients, and the Owner designation is always taken from the system_role JWT claim.
  • The Identity Service validates role assignments and enforces that only OrganizationAdmin users (and Owners, who are OrganizationAdmin everywhere) can invite or modify other users.
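The following is an added example, not Percus's own Campaign or Identity Service code, showing how the role model on this page could be evaluated in a service: the OrgAdminOrOwner policy derived from the forwarded role headers and the system_role JWT claim, and the check behind PUT /v1/users/{userId}/role. The header names, claim name and role names are the ones the page uses; the function names, the `from_frontend` flag (standing in for however the gateway marks a request that came through the frontend session layer) and the sample requests are assumptions.

```python
# Added example (not Percus code): evaluating the OrgAdminOrOwner policy from the
# forwarded role headers and the JWT system_role claim described on this page.
# Header/claim/role names come from the page; `from_frontend` is an assumed flag.
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

ORG_ROLES = ("OrganizationAdmin", "ProjectManager", "Developer", "Viewer")
SYSTEM_ROLE_OWNER = "Owner"
ORG_ROLE_HEADER = "X-Percus-Forwarded-Org-Role"
SYSTEM_ROLE_HEADER = "X-Percus-Forwarded-System-Role"


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    org_role: Optional[str]     # role in the organization the request targets
    system_role: Optional[str]  # "Owner" or None


def principal_from_request(headers: Mapping[str, str], jwt_claims: Mapping[str, object],
                           from_frontend: bool) -> Principal:
    """Derive the caller's roles from a request.

    Forwarded headers are only trusted when the request came through the frontend
    session layer (`from_frontend`, an assumption); a direct API caller cannot grant
    itself an organization role by sending the header. The JWT system_role claim is
    authoritative for Owner, so a forwarded system-role header that disagrees with
    the token is rejected as tampering.
    """
    norm = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    org_role = norm.get(ORG_ROLE_HEADER.lower()) if from_frontend else None
    forwarded_system = norm.get(SYSTEM_ROLE_HEADER.lower()) if from_frontend else None
    claim_system = jwt_claims.get("system_role")

    if org_role is not None and org_role not in ORG_ROLES:
        raise AuthorizationError(f"unknown organization role: {org_role!r}")
    if claim_system not in (None, SYSTEM_ROLE_OWNER):
        raise AuthorizationError(f"unknown system role claim: {claim_system!r}")
    if forwarded_system is not None and forwarded_system != claim_system:
        raise AuthorizationError("forwarded system role does not match JWT claim")
    return Principal(org_role=org_role, system_role=claim_system)


def is_owner(p: Principal) -> bool:
    return p.system_role == SYSTEM_ROLE_OWNER


def org_admin_or_owner(p: Principal) -> bool:
    """The OrgAdminOrOwner policy: an Owner counts as OrganizationAdmin everywhere."""
    return is_owner(p) or p.org_role == "OrganizationAdmin"


def require(policy: Callable[[Principal], bool], p: Principal) -> None:
    if not policy(p):
        raise AuthorizationError(f"policy {policy.__name__} denied")


def validate_role_change(actor: Principal, body: Mapping[str, object]) -> str:
    """Check for PUT /v1/users/{userId}/role: only OrganizationAdmin or Owner may
    change roles, and the new role must be one of the four organization roles
    (the Owner system role is not assignable through this endpoint)."""
    require(org_admin_or_owner, actor)
    role = body.get("role")
    if role not in ORG_ROLES:
        raise AuthorizationError(f"invalid role: {role!r}")
    return role


def _denied(fn: Callable[[], object]) -> bool:
    try:
        fn()
    except AuthorizationError:
        return True
    return False


def demo() -> dict:
    # Constructed sample requests, not captured traffic.
    admin = principal_from_request({ORG_ROLE_HEADER: "OrganizationAdmin"}, {"sub": "u1"}, True)
    dev = principal_from_request({ORG_ROLE_HEADER: "Developer"}, {"sub": "u2"}, True)
    owner = principal_from_request({}, {"sub": "u3", "system_role": "Owner"}, False)
    spoof = principal_from_request({ORG_ROLE_HEADER: "OrganizationAdmin"}, {"sub": "u4"}, False)
    return {
        "admin_can_change_role": validate_role_change(admin, {"role": "ProjectManager"}),
        "owner_can_change_role": validate_role_change(owner, {"role": "Viewer"}),
        "dev_denied": _denied(lambda: validate_role_change(dev, {"role": "OrganizationAdmin"})),
        "spoof_denied": _denied(lambda: validate_role_change(spoof, {"role": "Viewer"})),
        "owner_not_assignable": _denied(lambda: validate_role_change(admin, {"role": "Owner"})),
        "tamper_rejected": _denied(lambda: principal_from_request(
            {SYSTEM_ROLE_HEADER: "Owner"}, {"sub": "u5"}, True)),
    }


if __name__ == "__main__":
    print(demo())
```

The two points worth carrying into a real implementation are the gating of the forwarded headers on the request's origin and the rule that the system role is read from the signed token, never from a header alone; without those, any caller who can reach the service directly could set X-Percus-Forwarded-Org-Role to OrganizationAdmin.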