RBAC Model
Vaani uses a Role-Based Access Control system where permissions are scoped to workspaces:
Role Permissions Matrix
| Action | Member | Developer | Admin |
|---|---|---|---|
| View agents, calls, reports | ✅ | ✅ | ✅ |
| Create/edit agents | ❌ | ✅ | ✅ |
| Upload knowledge base files | ❌ | ✅ | ✅ |
| Create batch jobs / campaigns | ❌ | ✅ | ✅ |
| Purchase phone numbers | ❌ | ❌ | ✅ |
| Configure SIP trunks | ❌ | ✅ | ✅ |
| Generate API keys | ❌ | ✅ | ✅ |
| Invite/remove members | ❌ | ❌ | ✅ |
| Delete workspace | ❌ | ❌ | ✅ |
| Access admin panel | ❌ | ❌ | ❌ (Superuser only) |
How Authorization Works
Every API request goes through the require_workspace_access() dependency.
Each endpoint declares its minimum required role:
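```python
# Example: Only developers and admins can create agents
@router.post("/agents")
async def create_agent(
    # The dependency rejects the request unless the caller holds at least
    # the developer role in the target workspace.
    workspace_id=Depends(require_workspace_access(WorkspaceRole.developer)),
    # ... remaining parameters elided in the original
):
    ...  # handler body elided in the original
```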
Workspace Scoping
All data queries filter by workspace_id, ensuring strict tenant isolation:
- An agent in Workspace A cannot be accessed from Workspace B
- Call logs, phone numbers, batch jobs, and campaigns are all workspace-scoped
- API keys inherit the workspace they were created in
Superuser
The Superuser flag is a platform-level capability (not a workspace role):
- Set directly on the User model (is_superuser = True)
- Grants access to the admin panel (/admin/* endpoints)
- Can view and manage all workspaces across the platform
- Used for platform operations, not day-to-day usage
Superuser access bypasses workspace role checks. Only assign this to platform administrators.
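The minimum-role check, workspace scoping and superuser bypass described above can be modelled in a few lines. This is an added example, not Vaani's own code: `has_workspace_access`, `can_access_admin_panel`, `get_agent`, the `memberships` mapping and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class WorkspaceRole(IntEnum):
    # Ordered so "minimum required role" becomes a single comparison.
    member = 1
    developer = 2
    admin = 3


@dataclass
class User:
    id: str
    is_superuser: bool = False
    # Assumed storage shape: workspace_id -> role held in that workspace.
    memberships: dict = field(default_factory=dict)


def has_workspace_access(user, workspace_id, minimum_role):
    """True if the user may act in workspace_id at minimum_role or above."""
    if user.is_superuser:  # platform-level flag bypasses workspace role checks
        return True
    role = user.memberships.get(workspace_id)
    # No membership means a different tenant: deny, whatever role the user
    # holds in other workspaces.
    return role is not None and role >= minimum_role


def can_access_admin_panel(user):
    """Admin panel is gated on the superuser flag, never on a workspace role."""
    return user.is_superuser


# Constructed sample data: one agent in each of two workspaces.
AGENTS = [
    {"id": "agent-1", "workspace_id": "ws-a"},
    {"id": "agent-2", "workspace_id": "ws-b"},
]


def get_agent(user, workspace_id, agent_id):
    """Authorize first, then filter the lookup by the same workspace_id."""
    if not has_workspace_access(user, workspace_id, WorkspaceRole.member):
        raise PermissionError("no access to workspace")
    for agent in AGENTS:
        if agent["id"] == agent_id and agent["workspace_id"] == workspace_id:
            return agent
    return None  # an agent that lives in another workspace is simply not found
```

Because the lookup filters on the same workspace_id that was authorized, a valid agent ID from another workspace returns nothing rather than leaking the record.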