Configure granular access control with Keva's RBAC system
Keva implements role-based access control (RBAC) with 38 granular permissions across 12 groups. Define exactly what each team member can access and modify.
Overview
The RBAC system consists of:
Roles - Named sets of permissions
Permissions - Granular access rights
Assignments - Users assigned to roles
Default Roles
Keva provides four system roles that cannot be deleted:
Role
Color
Description
Owner
Purple
Full access to all features including billing
Admin
Blue
Full access except billing management
Agent
Green
Handle tickets, approvals, and knowledge base
Viewer
Gray
Read-only access to tickets and analytics
Permission Groups
Tickets
Permission
Description
tickets.view
View ticket list and details
tickets.create
Create new tickets
tickets.edit
Edit ticket properties
tickets.delete
Delete tickets
tickets.assign
Assign tickets to agents
tickets.export
Export ticket data
Approvals
Permission
Description
approvals.view
View pending approvals
approvals.approve
Approve AI actions
approvals.reject
Reject AI actions
Knowledge Base
Permission
Description
kb.view
View knowledge base entries
kb.create
Create new entries
kb.edit
Edit existing entries
kb.delete
Delete entries
Settings
Permission
Description
settings.view
View workspace settings
settings.edit
Modify workspace settings
Team
Permission
Description
team.view
View team members
team.invite
Invite new members
team.remove
Remove members
team.edit_roles
Modify role assignments
Analytics
Permission
Description
analytics.view
View analytics dashboard
analytics.export
Export analytics data
Billing
Permission
Description
billing.view
View billing information
billing.manage
Manage subscription and payment
API Keys
Permission
Description
api_keys.view
View API keys
api_keys.create
Create new API keys
api_keys.delete
Delete API keys
Connectors
Permission
Description
connectors.view
View platform connectors
connectors.create
Add new connectors
connectors.edit
Edit connector settings
connectors.delete
Remove connectors
Automation
Permission
Description
automation.view
View automation rules
automation.create
Create automation rules
automation.edit
Edit automation rules
automation.delete
Delete automation rules
Audit
Permission
Description
audit.view
View audit logs
audit.export
Export audit data
Custom Fields
Permission
Description
custom_fields.view
View custom field definitions
custom_fields.edit
Create and modify custom fields
Creating Custom Roles
Navigate to Settings > Roles
Click Create Role
Enter a name and description
Select a color for visual identification
Check the permissions to grant
Click Save
Editing Roles
Find the role in the list
Click Edit
Modify permissions as needed
Click Save
System roles (Owner, Admin, Agent, Viewer) cannot be edited.
Assigning Roles
Assign During Invite
When inviting a new member, select their role in the invitation form.
Change Existing Assignment
Go to Settings > Team
Find the team member
Click the role dropdown
Select the new role
Role Hierarchy
Roles do not inherit from each other. Each role has an explicit set of permissions:
Owner: All 40+ permissionsAdmin: All except billing.manageAgent: Tickets, approvals, KB, analyticsViewer: View-only permissions
Best Practices
Start with Least Privilege
Begin with Viewer role and add permissions as needed rather than starting with Admin and removing.
Create Function-Specific Roles
Consider custom roles for specific functions:
Support Lead: Agent + team.view + analytics.export
KB Manager: kb.* + settings.view
Billing Admin: billing.* + analytics.view
Regular Permission Audits
Review role assignments quarterly:
List all custom roles
Verify permissions are still appropriate
Check user assignments
Remove unused roles
Document Custom Roles
Keep documentation of custom roles and their intended purpose for SOC 2 compliance.