Role-based access control
Manage what each team member can see and do with built-in and custom roles.
Built-in roles
LiyaSupport ships with three built-in roles that cover most team structures. All plans include these roles.
| Role | Assignable by | Typical users |
|---|---|---|
| Owner | Only transferable, cannot be granted | Workspace creator; billing contact |
| Admin | Owner | Team leads, support managers |
| Agent | Owner or Admin | Frontline support staff |
Permission matrix
| Permission | Owner | Admin | Agent |
|---|---|---|---|
| View and reply to assigned conversations | ✓ | ✓ | ✓ |
| View all conversations | ✓ | ✓ | – |
| Reply to any conversation | ✓ | ✓ | – |
| Manage knowledge base | ✓ | ✓ | Read only |
| Create and edit automations | ✓ | ✓ | – |
| View team analytics | ✓ | ✓ | Own only |
| Invite and remove team members | ✓ | ✓ | – |
| Manage integrations | ✓ | ✓ | – |
| Manage billing and plan | ✓ | – | – |
| View audit log | ✓ | ✓ | – |
| Manage SSO / SAML settings | ✓ | – | – |
| Configure AI settings | ✓ | ✓ | – |
| Manage API keys | ✓ | ✓ | – |
| Delete workspace | ✓ | – | – |
Custom roles (Enterprise)
Enterprise workspaces can create custom roles with granular permission controls. Custom roles are useful for specialised team structures such as:
- QA Reviewer — can read all conversations but not reply; can view and edit QA scores
- Knowledge Manager — full knowledge base access but no inbox access
- Read-only Admin — can view analytics and settings but cannot make changes
- Supervisor — can view all conversations, assign/reassign, but cannot change settings
Creating a custom role
- Go to Settings → Team → Roles → Create role.
- Name the role and give it a description.
- Select permissions from the granular permission list (organised by section).
- Save and assign the role to team members.
Conversation-level permissions
Beyond roles, you can restrict visibility of specific conversations using Private conversations. Private conversations are only visible to assigned agents and admins.
Set a conversation to private from the conversation header → Options → Make private.
Group-based routing and visibility
When a conversation is assigned to a group, only members of that group (and admins) can see it in the inbox by default. This provides natural scoping without requiring complex role configuration.
Example: a "VIP Accounts" group that only your senior agents belong to ensures enterprise customer tickets aren't visible to tier-1 agents.
SCIM provisioning (Enterprise)
Automate user lifecycle management with SCIM 2.0. When you add or remove a user from your identity provider's Liya group, Liya is updated automatically.
SCIM base URL
https://api.liyasupport.com/scim/v2
Required credentials
Generate a SCIM bearer token in Settings → Security → SCIM → Generate token. Enter this in your identity provider's SCIM configuration.
Supported SCIM operations
| Operation | Resource | Description |
|---|---|---|
| GET /Users | Users | List all workspace users |
| GET /Users/:id | Users | Get a specific user |
| POST /Users | Users | Create a new user (JIT provision) |
| PATCH /Users/:id | Users | Update user attributes or active status |
| DELETE /Users/:id | Users | Deactivate (not delete) a user |
| GET /Groups | Groups | List all workspace groups |
| POST /Groups | Groups | Create a group |
| PATCH /Groups/:id | Groups | Add/remove members |
active flag to false rather than permanently deleting the account. Their conversation history and actions are retained. You can permanently delete a deactivated user from Settings → Team → Deactivated.