LiyaSupport
Security & Compliance

Role-based access control

Manage what each team member can see and do with built-in and custom roles.

6 min read Updated July 2026

Built-in roles

LiyaSupport ships with three built-in roles that cover most team structures. All plans include these roles.

RoleAssignable byTypical users
OwnerOnly transferable, cannot be grantedWorkspace creator; billing contact
AdminOwnerTeam leads, support managers
AgentOwner or AdminFrontline support staff

Permission matrix

PermissionOwnerAdminAgent
View and reply to assigned conversations
View all conversations
Reply to any conversation
Manage knowledge baseRead only
Create and edit automations
View team analyticsOwn only
Invite and remove team members
Manage integrations
Manage billing and plan
View audit log
Manage SSO / SAML settings
Configure AI settings
Manage API keys
Delete workspace
The Owner role can only be transferred — not granted to a new user. To transfer ownership, go to Settings → Team → [member] → Transfer ownership.

Custom roles (Enterprise)

Enterprise workspaces can create custom roles with granular permission controls. Custom roles are useful for specialised team structures such as:

  • QA Reviewer — can read all conversations but not reply; can view and edit QA scores
  • Knowledge Manager — full knowledge base access but no inbox access
  • Read-only Admin — can view analytics and settings but cannot make changes
  • Supervisor — can view all conversations, assign/reassign, but cannot change settings

Creating a custom role

  1. Go to Settings → Team → Roles → Create role.
  2. Name the role and give it a description.
  3. Select permissions from the granular permission list (organised by section).
  4. Save and assign the role to team members.

Conversation-level permissions

Beyond roles, you can restrict visibility of specific conversations using Private conversations. Private conversations are only visible to assigned agents and admins.

Set a conversation to private from the conversation header → Options → Make private.

Group-based routing and visibility

When a conversation is assigned to a group, only members of that group (and admins) can see it in the inbox by default. This provides natural scoping without requiring complex role configuration.

Example: a "VIP Accounts" group that only your senior agents belong to ensures enterprise customer tickets aren't visible to tier-1 agents.


SCIM provisioning (Enterprise)

Automate user lifecycle management with SCIM 2.0. When you add or remove a user from your identity provider's Liya group, Liya is updated automatically.

SCIM base URL

https://api.liyasupport.com/scim/v2

Required credentials

Generate a SCIM bearer token in Settings → Security → SCIM → Generate token. Enter this in your identity provider's SCIM configuration.

Supported SCIM operations

OperationResourceDescription
GET /UsersUsersList all workspace users
GET /Users/:idUsersGet a specific user
POST /UsersUsersCreate a new user (JIT provision)
PATCH /Users/:idUsersUpdate user attributes or active status
DELETE /Users/:idUsersDeactivate (not delete) a user
GET /GroupsGroupsList all workspace groups
POST /GroupsGroupsCreate a group
PATCH /Groups/:idGroupsAdd/remove members
SCIM de-provisioning sets the user's active flag to false rather than permanently deleting the account. Their conversation history and actions are retained. You can permanently delete a deactivated user from Settings → Team → Deactivated.