Setting Up and Applying Roles
Step-by-step guide to enabling RBAC, creating custom roles, assigning permissions, and applying roles to users.
What Are Roles?
A role is a named set of permissions. Assigning a role to a user grants them exactly the access defined by that role - no more. Users can hold multiple roles; their effective access is the combination of all assigned roles.
Unidy provides ready-made predefined roles for common use cases. You can also create fully custom roles tailored to your organisation's needs.
Predefined Roles
These roles are created automatically for each brand and cannot be edited or deleted:
Role | What it can do |
Tenant Admin | Full access to all brands and all tenant settings |
Brand Admin | Full access to data and customization within one brand |
Newsletter Subscriptions Admin | Manage newsletter subscriptions |
User Admin | Manage user profiles and accounts within a brand |
Viewer | View-only access to data within a brand |
Enabling Role-Based Access Control
RBAC can be enabled at two levels:
Tenant-wide — applies to all brands across the entire tenant:
- Go to Settings → Security
- Enable RBAC Enforcement
- Save
Per brand — applies only to a specific brand:
- Switch into the brand you want to configure
- Go to Settings → Security
- Enable RBAC Enforcement for that brand
- Save
A brand with RBAC enabled enforces permissions for its users even if the tenant-wide switch is off.
Once enabled at either level, users without an assigned role will have no dashboard access for the affected brand(s). Make sure every active admin user has a role assigned before enabling enforcement.
Developer toggle — for testing without committing to a permanent change, RBAC can be toggled per browser session via the user menu: click your name in the top-right corner and select Enable RBAC / Disable RBAC. This only affects your own session and does not change the tenant or brand settings.
Creating a Custom Role
Brand-scoped role (applies within your current brand):
- Navigate to Customization → Roles
- Click + New Role
- Enter a name for the role
- Assign permissions using the hierarchical tree. Permissions are grouped into top-level categories (Data, Customization, Settings), each containing sub-groups and individual resources. For each level choose:
- None — no access
- Read — view records only
- Write — create and update
- Delete — remove records
- Manage — full access (read + write + delete)
- Custom — expand the group to configure each sub-group or resource individually
- Click Save
For example, setting Data to Manage grants full access to all data resources. Setting Data → Newsletters to Custom lets you grant read access to newsletter subscriptions only, while keeping other newsletter resources at none.
Tenant-wide (global) role (applies across all brands):
- Navigate to Auth → Roles
- Follow the same steps as above
Global roles are useful for team members who manage multiple brands.
Assigning a Role to a User
- Navigate to Data → Users
- Open the user you want to update
- Scroll to the Roles section
- Select the roles to assign
- Save the changes
The user's new permissions take effect immediately. Users can hold multiple roles — their access is the union of all their roles.
Tips
- Use Viewer for users who only need to monitor data without making changes.
- Use Brand Admin for brand managers who need full control over one specific brand.
- Use Tenant Admin only for trusted technical staff who need to manage all brands and tenant-level settings.
- Custom roles are ideal for teams with specialised responsibilities, such as a support team that only needs access to tickets and user profiles.