Roles & Permissions (RBAC)
Genesys Cloud uses a Role-Based Access Control (RBAC) model. Permissions are the individual "keys" that unlock specific actions. Roles are the "keyrings" — pre-packaged bundles of permissions assigned to users. Roles also control licensing: the license assigned to a user corresponds to the most expensive permission in any role they hold.
Navigation Path
| Task | Path |
|---|---|
| Manage roles and permissions | Admin → People & Permissions → Roles/Permissions |
| Assign roles to a user | Admin → People & Permissions → People → select user → More → Edit Person → Roles tab |
| View permissions assigned to a user | Admin → People & Permissions → People → select user → More → Edit Person → View Permissions tab |
1. How RBAC Works in Genesys Cloud
Organization
└── User
├── Role A (e.g., Employee) → permissions bundle
├── Role B (e.g., User/Agent) → permissions bundle
└── Role C (e.g., Supervisor) → permissions bundle
└── Each role scoped to a Division (optional)
| Concept | Description |
|---|---|
| Permission | A single granular toggle — e.g., Routing > Queue > Edit. Genesys Cloud has over 2,000 individual permissions. |
| Role | A named bundle of permissions. Assigned to users. |
| Division | An optional scope applied to a role assignment. Limits the role's power to objects in that division only. See the Divisions & Access Control page. |
| License | Automatically determined by the most expensive permission in any role assigned to the user. You don't choose a license directly — it follows the role. |
📌 Permission changes can take up to 5 minutes to take effect after being saved.
2. The Golden Rule of Default Roles
⚠️ Never modify the permissions of a default role directly.
Instead:
- Find the default role closest to what you need
- Click More → Copy Role
- Rename the copy
- Add or remove permissions from the copy
Why: Default roles receive automatic permission updates from Genesys as new features are released. If you modify a default role, you may lose those updates — or receive them unexpectedly. Keeping your custom logic in copied roles protects you from both problems.
To restore a default role to its original state:
Admin → Roles/Permissions → find role → Edit Role → Restore Default Role
⚠️ Restoring a default role removes any permissions you added and restores any you deleted. There is no partial restore.
3. Default Roles Reference
Foundation Roles (All Orgs)
| Role | Auto-Assigned? | Can Be Removed? | Purpose |
|---|---|---|---|
| Employee | ✅ Yes — all users | ❌ No | Baseline role. Allows basic system access: read org data, edit own profile, use Collaborate (chat). Does NOT allow receiving ACD queue calls. |
| Admin | ✅ Yes — org creator only | ✅ Yes (from others) | Full org control. Manages global settings, invites users, assigns roles. Automatically assigned to whoever creates the organization. |
| Master Admin | ❌ No | ✅ Yes | All permissions needed to administer the entire organization including contact center. Commonly assigned to partner/vendor support users who need full access. Has all Admin permissions plus contact center administrative rights. |
| People Admin | ❌ No | ✅ Yes | HR-style user management. Create, edit, and delete users; manage role and permission assignments. Only exists in organizations created after June 1, 2022. |
Contact Center Roles
| Role | Purpose | Key Requirement |
|---|---|---|
| User | The agent role. Required for anyone who needs to be a member of an ACD queue and receive routed interactions. Without this role, a user cannot be added to a queue. | Must be assigned alongside Employee |
| Supervisor | Floor manager. Monitor live calls, manage agent queues, view real-time dashboards, handle wrap-up codes, view Queue and Agent dashboards and reports. | Requires CX license |
| Outbound Admin | Manages outbound dialing campaigns, contact lists, DNC (Do Not Call) lists, and call analysis rules. | Requires Outbound license |
| Outbound Agent | Frontline role for outbound campaign agents. Gives the agent the specific interface to receive outbound dialing interactions. | Requires Outbound license |
| Quality Administrator | Manages encryption keys, recording policies, evaluation forms, and calibrations. Can be scoped by queue using permission conditions. | Requires CX 3 |
| Quality Evaluator | Listens to recordings, fills out evaluation forms, annotates recordings, provides coaching feedback. | Requires CX 3 |
| Script Designer | Builds the agent scripting pop-up screens that display customer data and talking points during interactions. | — |
| Planner Admin | Workforce Management role. Handles forecasting, agent scheduling, and adherence monitoring. | Requires WFM license |
| Wallboard User | Minimal permissions. Designed for a dedicated display computer showing real-time queue statistics on a wall screen. | — |
Telephony & Technical Roles
| Role | Purpose |
|---|---|
| Telephony Admin | Manages telephony infrastructure: Sites, Edge devices, phone stations, extension pools, and call routing. Focuses on the "pipes." |
| Genesys Cloud Voice Admin | For customers using Genesys as their carrier. Allows purchasing phone numbers, managing number inventory, and viewing voice billing. |
| Integration Server | Technical role used by Bridge Connectors (local software) to communicate securely with the Genesys Cloud API. |
| SCIM Integration | Provides the API permissions needed for System for Cross-domain Identity Management — used to auto-sync users from Azure AD, Okta, or similar IdPs. |
| Developer | For technical staff building custom integrations and external applications against the Genesys Cloud API. |
Communication Roles
| Role | Purpose |
|---|---|
| Communicate User | Allows a user to have a phone extension and make/receive standard business calls. Non-ACD only — not for queue agents. |
| Communicate Admin | Manages the non-contact-center telephony side: user-to-user calling, company-wide alerting. |
| Trusted External User | Minimum-permission guest role for users from a different Genesys Cloud organization granted temporary access for support or collaboration. Only available in orgs created on or after May 17, 2017. |
📌 Legacy role names: If your organization was created before 2020, you may see old role names. The current names are:
User(formerly PureCloud User / Engage User) andSupervisor(formerly PureCloud Supervisor / Engage Supervisor).
4. Roles and Licensing
⚠️ The license assigned to a user is determined by the most expensive permission in any role they hold. You do not manually assign licenses — they follow the roles.
| Example | Result |
|---|---|
| User has only Employee role | Collaborate license (lowest cost) |
| User has Employee + Communicate User | Communicate license |
| User has Employee + User (Agent) | CX 1 or higher (depends on queue config) |
| User has Quality Evaluator | CX 3 license triggered |
| Master Admin assigned to a digital-only org | May trigger full CX 2/CX 3 voice license — requires manual permission removal |
📌 If you run a digital-only organization (no voice), be careful with the Master Admin role. Its default permissions include voice-related rights that will trigger a full CX 2 or CX 3 license. Remove the voice permissions from Master Admin or use a custom role instead.
5. Custom Roles
When no default role fits your need exactly, create a custom role:
| Step | Action |
|---|---|
| 1 | Click Add Role (build from scratch) or find a similar default role and click More → Copy Role |
| 2 | Enter a name and optional description |
| 3 | Click the Permissions tab and select the checkboxes for each permission needed |
| 4 | Click Save |
Best practices:
| Practice | Reason |
|---|---|
| Copy an existing role rather than building from scratch | Faster, less risk of missing required permissions |
| Keep the number of roles minimal | Simpler to audit and maintain |
| Modify existing roles rather than creating new ones when possible | Reduces role sprawl |
| Only create a new role when a subset of users genuinely needs different permissions | Avoids unnecessary complexity |
6. Assigning Roles to a User
| Step | Action |
|---|---|
| 1 | Under View, select All to see all available roles |
| 2 | Search for the role name |
| 3 | Click the toggle in the Assigned column to enable it |
| 4 | Optionally, click the Divisions box to scope the role to specific divisions |
| 5 | Click Save |
📌 You can also assign roles in bulk from the role side:
Admin → Roles/Permissions → find role → More → Change Membership.
7. Minimum Role Set for a Standard Agent
Every agent in an ACD contact center needs at minimum:
| Role | Why |
|---|---|
| Employee | Auto-assigned. Cannot be removed. Baseline access. |
| User | Required to be a member of an ACD queue and receive routed interactions. |
Without the User role, you cannot add the person to a queue.
Last verified against Genesys Cloud Resource Center – March 2026
No Comments