# Roles & Permissions (RBAC)

> Genesys Cloud uses a Role-Based Access Control (RBAC) model. Permissions are the individual "keys" that unlock specific actions. Roles are the "keyrings" — pre-packaged bundles of permissions assigned to users. Roles also control licensing: the license assigned to a user corresponds to the most expensive permission in any role they hold.

---

## Navigation Path

| Task | Path |
|---|---|
| Manage roles and permissions | Admin → People & Permissions → Roles/Permissions |
| Assign roles to a user | Admin → People & Permissions → People → select user → More → Edit Person → Roles tab |
| View permissions assigned to a user | Admin → People & Permissions → People → select user → More → Edit Person → View Permissions tab |

---

## 1. How RBAC Works in Genesys Cloud

```
Organization
└── User
    ├── Role A  (e.g., Employee)     → permissions bundle
    ├── Role B  (e.g., User/Agent)   → permissions bundle
    └── Role C  (e.g., Supervisor)   → permissions bundle
        └── Each role scoped to a Division (optional)
```

| Concept | Description |
|---|---|
| **Permission** | A single granular toggle — e.g., `Routing > Queue > Edit`. Genesys Cloud has over 2,000 individual permissions. |
| **Role** | A named bundle of permissions. Assigned to users. |
| **Division** | An optional scope applied to a role assignment. Limits the role's power to objects in that division only. See the **Divisions & Access Control** page. |
| **License** | Automatically determined by the most expensive permission in any role assigned to the user. You don't choose a license directly — it follows the role. |
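
The model above, worked through as an added Python example (not Genesys code): it resolves which assigned roles unlock a permission in a given division and lists role assignments that carry no division scope. The role contents, division names, and all function names are constructed for illustration, and treating an unscoped assignment as applying in every division is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed role contents in the page's "Domain > Entity > Action" notation.
# These are sample bundles for the example, not the real default-role contents.
ROLES = {
    "Employee": {"Directory > User > View"},
    "User": {"Routing > Queue > Join"},
    "Supervisor": {"Routing > Queue > View", "Routing > Queue > Edit"},
}

@dataclass(frozen=True)
class Grant:
    """One role assignment on a user, optionally scoped to divisions."""
    role: str
    divisions: frozenset = frozenset()  # empty set = no division scope

def applies(grant, division):
    # Model assumption: an unscoped assignment applies in every division.
    return not grant.divisions or division in grant.divisions

def effective_permissions(grants, division):
    """Union of permissions from every role that applies in `division`."""
    perms = set()
    for g in grants:
        if applies(g, division):
            perms |= ROLES.get(g.role, set())
    return perms

def granting_roles(grants, permission, division):
    """Which assigned roles unlock `permission` on an object in `division`."""
    return sorted({g.role for g in grants
                   if applies(g, division) and permission in ROLES.get(g.role, set())})

def unscoped_grants(grants, baseline=("Employee",)):
    """Assignments with no division scope, ignoring the baseline role."""
    return sorted(g.role for g in grants
                  if not g.divisions and g.role not in baseline)

# Constructed user: a Sales supervisor who also works the Sales queues.
SAMPLE = [
    Grant("Employee"),
    Grant("User", frozenset({"Sales"})),
    Grant("Supervisor", frozenset({"Sales"})),
]

if __name__ == "__main__":
    for div in ("Sales", "Support"):
        print(div, granting_roles(SAMPLE, "Routing > Queue > Edit", div))
    print("unscoped:", unscoped_grants(SAMPLE))
```

Running `unscoped_grants` over an export of role assignments gives a short list of grants to review when the intent is to keep each role limited to its own division.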

> 📌 **Permission changes can take up to 5 minutes to take effect** after being saved.

---

## 2. The Golden Rule of Default Roles

> ⚠️ **Never modify the permissions of a default role directly.**

Instead:

1. Find the default role closest to what you need
2. Click **More → Copy Role**
3. Rename the copy
4. Add or remove permissions from the copy

**Why:** Default roles receive automatic permission updates from Genesys as new features are released. If you modify a default role, you may lose those updates — or receive them unexpectedly. Keeping your custom logic in copied roles protects you from both problems.

**To restore a default role to its original state:**
`Admin → Roles/Permissions → find role → Edit Role → Restore Default Role`

> ⚠️ Restoring a default role removes any permissions you added and restores any you deleted. There is no partial restore.

---

## 3. Default Roles Reference

### Foundation Roles (All Orgs)

| Role | Auto-Assigned? | Can Be Removed? | Purpose |
|---|---|---|---|
| **Employee** | ✅ Yes — all users | ❌ No | Baseline role. Allows basic system access: read org data, edit own profile, use Collaborate (chat). Does NOT allow receiving ACD queue calls. |
| **Admin** | ✅ Yes — org creator only | ✅ Yes (from others) | Full org control. Manages global settings, invites users, assigns roles. Automatically assigned to whoever creates the organization. |
| **Master Admin** | ❌ No | ✅ Yes | All permissions needed to administer the entire organization including contact center. Commonly assigned to partner/vendor support users who need full access. Has all `Admin` permissions plus contact center administrative rights. |
| **People Admin** | ❌ No | ✅ Yes | HR-style user management. Create, edit, and delete users; manage role and permission assignments. **Only exists in organizations created after June 1, 2022.** |

### Contact Center Roles

| Role | Purpose | Key Requirement |
|---|---|---|
| **User** | The agent role. Required for anyone who needs to be a member of an ACD queue and receive routed interactions. Without this role, a user cannot be added to a queue. | Must be assigned alongside Employee |
| **Supervisor** | Floor manager. Monitor live calls, manage agent queues, view real-time dashboards, handle wrap-up codes, view Queue and Agent dashboards and reports. | Requires CX license |
| **Outbound Admin** | Manages outbound dialing campaigns, contact lists, DNC (Do Not Call) lists, and call analysis rules. | Requires Outbound license |
| **Outbound Agent** | Frontline role for outbound campaign agents. Gives the agent the specific interface to receive outbound dialing interactions. | Requires Outbound license |
| **Quality Administrator** | Manages encryption keys, recording policies, evaluation forms, and calibrations. Can be scoped by queue using permission conditions. | Requires CX 3 |
| **Quality Evaluator** | Listens to recordings, fills out evaluation forms, annotates recordings, provides coaching feedback. | Requires CX 3 |
| **Script Designer** | Builds the agent scripting pop-up screens that display customer data and talking points during interactions. | — |
| **Planner Admin** | Workforce Management role. Handles forecasting, agent scheduling, and adherence monitoring. | Requires WFM license |
| **Wallboard User** | Minimal permissions. Designed for a dedicated display computer showing real-time queue statistics on a wall screen. | — |

### Telephony & Technical Roles

| Role | Purpose |
|---|---|
| **Telephony Admin** | Manages telephony infrastructure: Sites, Edge devices, phone stations, extension pools, and call routing. Focuses on the "pipes." |
| **Genesys Cloud Voice Admin** | For customers using Genesys as their carrier. Allows purchasing phone numbers, managing number inventory, and viewing voice billing. |
| **Integration Server** | Technical role used by Bridge Connectors (local software) to communicate securely with the Genesys Cloud API. |
| **SCIM Integration** | Provides the API permissions needed for System for Cross-domain Identity Management — used to auto-sync users from Azure AD, Okta, or similar IdPs. |
| **Developer** | For technical staff building custom integrations and external applications against the Genesys Cloud API. |

### Communication Roles

| Role | Purpose |
|---|---|
| **Communicate User** | Allows a user to have a phone extension and make/receive standard business calls. Non-ACD only — not for queue agents. |
| **Communicate Admin** | Manages the non-contact-center telephony side: user-to-user calling, company-wide alerting. |
| **Trusted External User** | Minimum-permission guest role for users from a different Genesys Cloud organization granted temporary access for support or collaboration. Only available in orgs created on or after May 17, 2017. |

> 📌 **Legacy role names:** If your organization was created before 2020, you may see old role names. The current names are: `User` (formerly PureCloud User / Engage User) and `Supervisor` (formerly PureCloud Supervisor / Engage Supervisor).

---

## 4. Roles and Licensing

> ⚠️ The license assigned to a user is determined by the **most expensive permission** in any role they hold. You do not manually assign licenses — they follow the roles.

| Example | Result |
|---|---|
| User has only Employee role | Collaborate license (lowest cost) |
| User has Employee + Communicate User | Communicate license |
| User has Employee + User (Agent) | CX 1 or higher (depends on queue config) |
| User has Quality Evaluator | CX 3 license triggered |
| Master Admin assigned to a digital-only org | May trigger full CX 2/CX 3 voice license — requires manual permission removal |

> 📌 If you run a **digital-only organization** (no voice), be careful with the Master Admin role. Its default permissions include voice-related rights that will trigger a full CX 2 or CX 3 license. Remove the voice permissions from Master Admin or use a custom role instead.

---

## 5. Custom Roles

When no default role fits your need exactly, create a custom role:

**Navigation:** `Admin → Roles/Permissions → Add Role`

| Step | Action |
|---|---|
| 1 | Click **Add Role** (build from scratch) or find a similar default role and click **More → Copy Role** |
| 2 | Enter a name and optional description |
| 3 | Click the **Permissions** tab and select the checkboxes for each permission needed |
| 4 | Click **Save** |

**Best practices:**

| Practice | Reason |
|---|---|
| Copy an existing role rather than building from scratch | Faster, less risk of missing required permissions |
| Keep the number of roles minimal | Simpler to audit and maintain |
| Modify an existing custom role rather than creating a new one when possible | Reduces role sprawl |
| Only create a new role when a subset of users genuinely needs different permissions | Avoids unnecessary complexity |

---

## 6. Assigning Roles to a User

**Navigation:** `Admin → People & Permissions → People → select user → More → Edit Person → Roles tab`

| Step | Action |
|---|---|
| 1 | Under **View**, select **All** to see all available roles |
| 2 | Search for the role name |
| 3 | Click the toggle in the **Assigned** column to enable it |
| 4 | Optionally, click the **Divisions** box to scope the role to specific divisions |
| 5 | Click **Save** |

> 📌 You can also assign roles in bulk from the role side: `Admin → Roles/Permissions → find role → More → Change Membership`.

---

## 7. Minimum Role Set for a Standard Agent

Every agent in an ACD contact center needs at minimum:

| Role | Why |
|---|---|
| **Employee** | Auto-assigned. Cannot be removed. Baseline access. |
| **User** | Required to be a member of an ACD queue and receive routed interactions. |

Without the **User** role, you cannot add the person to a queue.

---

*Last verified against [Genesys Cloud Resource Center](https://help.genesys.cloud) – March 2026*