User Roles Reference¶
User roles define the base level of access and capabilities within TopTickets. This reference details each role's permissions and API key capabilities.
Available Roles¶
| Role | Description |
|---|---|
| admin | Full access to all features and settings |
| read_only_admin | View all data, limited management capabilities |
| agent | Standard support agent, can manage tickets |
| read_only_agent | View tickets and customers, cannot modify |
Role Details¶
Admin¶
Description: Full administrative access to the organization.
Capabilities:
- View, create, update, and delete all resources
- Manage users and teams
- Create API keys with any scopes
- View and revoke any API key in the organization
- Access all dashboard and reporting features
API Key Permissions:
| Permission | Value |
|---|---|
| Can create API keys | Yes |
| Available scopes | All scopes |
| Maximum expiration | No limit |
| Can view all org keys | Yes |
| Can edit any key | Yes |
| Can revoke any key | Yes |
Read-Only Admin¶
Description: Administrative visibility without write access.
Capabilities:
- View all resources (tickets, customers, users, teams)
- View dashboard and reports
- Create API keys (with restrictions)
- Cannot create, update, or delete resources
API Key Permissions:
| Permission | Value |
|---|---|
| Can create API keys | Yes |
| Available scopes | Read-only scopes only (*:read) |
| Maximum expiration | 72 hours (enforced) |
| Can view all org keys | Yes |
| Can edit any key | No |
| Can revoke any key | No (including own keys) |
Forced Expiration
API keys created by Read-Only Admins automatically expire after 72 hours. This cannot be overridden.
Agent¶
Description: Standard support agent with full ticket management capabilities.
Capabilities:
- View, create, and update tickets
- Add comments and attachments to tickets
- View and manage customers
- View teams (cannot modify)
- Cannot manage users or organization settings
API Key Permissions:
| Permission | Value |
|---|---|
| Can create API keys | No |
| Available scopes | N/A |
No API Key Creation
Agents cannot create API keys. API keys must be created by Admin or Read-Only Admin users.
Read-Only Agent¶
Description: View-only access for monitoring or reference purposes.
Capabilities:
- View tickets and comments
- View customers
- View teams and users
- Cannot create, update, or delete any resources
API Key Permissions:
| Permission | Value |
|---|---|
| Can create API keys | No |
| Available scopes | N/A |
Permissions Matrix¶
Resource Permissions by Role¶
| Resource | Admin | Read-Only Admin | Agent | Read-Only Agent |
|---|---|---|---|---|
| Tickets | CRUD | R | CRU | R |
| Comments | CRUD | R | CRU | R |
| Attachments | CRUD | R | CRU | R |
| Customers | CRUD | R | CRU | R |
| Teams | CRUD | R | R | R |
| Users | CRUD | R | R | R |
| Dashboard | R | R | R | R |
Legend: C = Create, R = Read, U = Update, D = Delete
API Key Management by Role¶
| Action | Admin | Read-Only Admin | Agent | Read-Only Agent |
|---|---|---|---|---|
| Create keys | Yes (all scopes) | Yes (read-only) | No | No |
| View own keys | Yes | Yes | N/A | N/A |
| View all org keys | Yes | Yes | N/A | N/A |
| Edit keys | Yes | No | N/A | N/A |
| Revoke own keys | Yes | No | N/A | N/A |
| Revoke any key | Yes | No | N/A | N/A |
API Key Prefix by Role¶
When API keys are created, they receive a prefix based on the creating user's role:
| Creator Role | Key Prefix |
|---|---|
| Admin | tt_admin_ |
| Read-Only Admin | tt_ro_ |
Role-Based API Behavior¶
Creating Resources¶
When creating resources via API, the outcome depends on the role of the user who created the key and on the scopes the key carries:
- Admins: can create resources, provided the key was issued with the matching write scope (for example tickets:write)
- Read-Only Admins: cannot create via API, because their keys are limited to read-only scopes
- Agents: N/A (cannot create API keys)
- Read-Only Agents: N/A (cannot create API keys)
Viewing Resources¶
Any API key can read resources within its own organization, provided it carries the matching read scope (tickets:read in this case); the creator's role does not matter for reads:

```python
import requests

# BASE_URL and api_key come from your own configuration.
# Any valid API key with the appropriate read scope works here.
response = requests.get(
    f"{BASE_URL}/tickets",
    headers={"Authorization": f"Bearer {api_key}"},
)
response.raise_for_status()
```
Scope Restrictions¶
Read-Only Admin keys are restricted to read-only scopes, so a Read-Only Admin cannot request a write scope for a new key:

```python
import requests

# HEADERS carries the Authorization header of the Read-Only Admin making the request.
# This request fails for a Read-Only Admin: tickets:write is not a read-only scope.
response = requests.post(
    f"{BASE_URL}/api-keys",
    headers=HEADERS,
    json={
        "name": "My Key",
        "scopes": ["tickets:write"],  # Error: not allowed for read-only admin
    },
)
```
Allowed scopes for Read-Only Admin:

```json
[
  "tickets:read",
  "comments:read",
  "attachments:read",
  "customers:read",
  "teams:read",
  "users:read",
  "dashboard:read"
]
```
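The rules above (read-only scopes for Read-Only Admins, the forced 72-hour expiration, no keys at all for agents) are enforced by the server, but a client that checks them before sending the request avoids a surprise: a Read-Only Admin who asks for a 30-day reporting key gets a 72-hour one. The following pre-flight check is an added example, not TopTickets' own code. The role names, scope strings and the 72-hour cap are taken from this page; the `KeyRequest` type, the function names and the `expires_in_hours` field are assumptions, and write scopes other than `tickets:write` are assumed to follow the same `resource:action` pattern. It runs offline and sends nothing.

```python
"""Pre-flight check of a key-creation request against the role rules on this page."""
from dataclasses import dataclass
from typing import Optional

RESOURCES = ("tickets", "comments", "attachments", "customers",
             "teams", "users", "dashboard")
# Only `resource:read` and `tickets:write` appear on this page; other write
# scopes are assumed to use the same `resource:action` form.
ACTIONS = ("read", "write")
READ_ONLY_ADMIN_MAX_HOURS = 72
ROLES_WITHOUT_KEYS = ("agent", "read_only_agent")


class KeyPolicyError(ValueError):
    """The request would be rejected by the role rules."""


@dataclass(frozen=True)
class KeyRequest:
    creator_role: str
    scopes: tuple
    expires_in_hours: Optional[int] = None   # None = no expiration requested


def parse_scope(scope: str):
    """Split 'tickets:read' into ('tickets', 'read').

    Rejects anything else, including wildcards such as '*:read': the page
    lists the permitted scopes explicitly, so a wildcard is never sent.
    """
    resource, sep, action = scope.partition(":")
    if sep != ":" or resource not in RESOURCES or action not in ACTIONS:
        raise KeyPolicyError(f"unknown scope {scope!r}")
    return resource, action


def effective_expiration(req: KeyRequest) -> Optional[int]:
    """Return the expiration (hours) the server will actually apply, or raise.

    Admin: whatever was requested (None = no limit).
    Read-Only Admin: read scopes only, capped at 72 hours, never unlimited.
    Agent / Read-Only Agent: cannot create keys at all.
    """
    if req.creator_role in ROLES_WITHOUT_KEYS:
        raise KeyPolicyError(f"{req.creator_role} cannot create API keys")
    if req.creator_role not in ("admin", "read_only_admin"):
        raise KeyPolicyError(f"unknown role {req.creator_role!r}")
    if not req.scopes:
        raise KeyPolicyError("a key needs at least one scope")
    if req.expires_in_hours is not None and req.expires_in_hours <= 0:
        raise KeyPolicyError("expiration must be positive")

    parsed = [parse_scope(s) for s in req.scopes]   # validates every scope

    if req.creator_role == "admin":
        return req.expires_in_hours

    # read_only_admin from here on
    write_scopes = [s for s, (_, action) in zip(req.scopes, parsed) if action != "read"]
    if write_scopes:
        raise KeyPolicyError(f"read_only_admin may not request {write_scopes}")
    if req.expires_in_hours is None:
        return READ_ONLY_ADMIN_MAX_HOURS           # forced expiry, cannot be overridden
    return min(req.expires_in_hours, READ_ONLY_ADMIN_MAX_HOURS)


def build_payload(name: str, req: KeyRequest) -> dict:
    """Body for POST /api-keys, already narrowed to what the server will grant."""
    hours = effective_expiration(req)
    payload = {"name": name, "scopes": list(req.scopes)}
    if hours is not None:
        payload["expires_in_hours"] = hours        # assumed field name, see lead-in
    return payload


if __name__ == "__main__":
    monthly = KeyRequest("read_only_admin", ("tickets:read", "dashboard:read"), 24 * 30)
    print(build_payload("monthly-report", monthly))   # expires_in_hours is clamped to 72
    try:
        effective_expiration(KeyRequest("read_only_admin", ("tickets:write",)))
    except KeyPolicyError as exc:
        print("rejected:", exc)
```

The check is deliberately stricter than "does the scope end in :read": an unknown resource or a wildcard is refused outright rather than passed through for the server to interpret.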
Changing Roles¶
User roles can be changed by Admin users:

```python
import requests

# HEADERS carries an Admin's Authorization header; user_id identifies the target user.
response = requests.patch(
    f"{BASE_URL}/users/{user_id}",
    headers=HEADERS,
    json={"role": "agent"},
)
response.raise_for_status()
```
Role Change Impact
When a user's role changes:
- Existing API keys remain active
- The user cannot create new keys if downgraded to Agent/Read-Only Agent
- Existing keys retain their original scopes and expiration
A downgrade therefore does not reduce the access of keys the user has already issued: an Admin key with write scopes keeps working after its owner becomes a Read-Only Admin or an Agent. Since Admins can view and revoke any key in the organization, review the user's keys as part of the role change and revoke those whose scopes or lifetime exceed what the new role permits.
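Because existing keys survive a downgrade unchanged, the Admin performing the change needs to know which of the user's keys now exceed the new role. The following is an added example, not TopTickets' own code: it walks an org-wide key listing and reports every key of the downgraded user whose scopes or lifetime the new role would not permit. The role names and the 72-hour cap come from this page; the key-record fields (`id`, `created_by`, `scopes`, `expires_at`) are assumptions about what a key listing contains, and the sample listing is constructed. It decides what to revoke and leaves the revocation call itself, which this page does not show, to the Admin.

```python
"""Find the API keys that outlive a user's role change (added example, offline)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ROLES_WITHOUT_KEYS = {"agent", "read_only_agent"}
READ_ONLY_ADMIN_MAX = timedelta(hours=72)


def allowed_actions(role: str) -> set:
    """Scope actions a key owner with `role` could request today."""
    if role == "admin":
        return {"read", "write"}
    if role == "read_only_admin":
        return {"read"}
    return set()                     # agents hold no keys


def key_violations(key: dict, new_role: str, now: datetime) -> List[str]:
    """Reasons this key should not survive its owner's move to `new_role`.

    An empty list means the key is still within the new role's limits.
    """
    expires = key.get("expires_at")                  # assumed field: ISO 8601 or None
    exp_at = datetime.fromisoformat(expires) if expires else None
    if exp_at is not None and exp_at <= now:
        return []                    # already expired: nothing to revoke
    if new_role in ROLES_WITHOUT_KEYS:
        return [f"{new_role} cannot hold API keys"]

    reasons = []
    allowed = allowed_actions(new_role)
    excess = sorted(s for s in key["scopes"] if s.partition(":")[2] not in allowed)
    if excess:
        reasons.append(f"scopes exceed {new_role}: {excess}")
    if new_role == "read_only_admin" and (exp_at is None or exp_at > now + READ_ONLY_ADMIN_MAX):
        reasons.append("expiration exceeds the 72-hour cap for read_only_admin")
    return reasons


def keys_to_revoke(org_keys: List[dict], user_id: str, new_role: str,
                   now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map key id -> reasons for every key of `user_id` the new role would not permit."""
    now = now or datetime.now(timezone.utc)
    result = {}
    for key in org_keys:
        if key["created_by"] != user_id:             # assumed field
            continue
        reasons = key_violations(key, new_role, now)
        if reasons:
            result[key["id"]] = reasons
    return result


# Constructed sample of an org-wide key listing as an Admin would see it.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ORG_KEYS = [
    {"id": "key_1", "created_by": "alice", "scopes": ["tickets:read", "tickets:write"], "expires_at": None},
    {"id": "key_2", "created_by": "alice", "scopes": ["tickets:read"], "expires_at": None},
    {"id": "key_3", "created_by": "alice", "scopes": ["dashboard:read"], "expires_at": "2024-06-02T00:00:00+00:00"},
    {"id": "key_4", "created_by": "alice", "scopes": ["tickets:write"], "expires_at": "2024-05-01T00:00:00+00:00"},
    {"id": "key_5", "created_by": "bob", "scopes": ["tickets:write"], "expires_at": None},
]

if __name__ == "__main__":
    # alice was an Admin and is being downgraded to Read-Only Admin
    for key_id, why in keys_to_revoke(ORG_KEYS, "alice", "read_only_admin", NOW).items():
        print(key_id, "->", "; ".join(why))
```

In the sample, alice's write key and her never-expiring read key are flagged, her 12-hour read key and her already-expired key are left alone, and bob's key is untouched because only the downgraded user's keys are in scope. Run the same function with `new_role="agent"` and every live key of the user is flagged, matching the rule that agents hold no keys.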
Use Cases¶
Admin Role¶
- Organization administrators
- System integrations requiring full access
- DevOps and infrastructure management
Read-Only Admin Role¶
- Managers needing visibility without risk
- Compliance and audit personnel
- Reporting and analytics users
- Temporary access for consultants
Agent Role¶
- Front-line support staff
- Customer success managers
- Technical support engineers
Read-Only Agent Role¶
- New employees in training
- Quality assurance reviewers
- Executive oversight
- External partners needing visibility
Best Practices¶
1. Start with Least Privilege¶
Assign the most restrictive role that still allows users to do their job. A Read-Only Agent who only needs to follow tickets should not be an Agent, and an Agent should not be made an Admin to work around a missing permission.
2. Use Read-Only Admin for Integrations¶
For read-only integrations (dashboards, reporting), create the key as a Read-Only Admin. The key can then carry only read scopes, and the enforced 72-hour expiration caps the window in which a leaked key is usable. The integration must rotate its key at least every 72 hours, so plan that rotation into the integration rather than working around it with an Admin key.
3. Audit Role Assignments¶
Regularly review user roles and downgrade when full access is no longer needed.
4. Document Role Requirements¶
Clearly document which roles are required for different functions to avoid over-provisioning.