Roles & Permissions
Score CRM uses role-based access control (RBAC) to manage what each team member can do within the organization.
Available Roles
Owner
The organization creator. There is one owner per organization.
- Full access to all features
- Can manage all users (including admins)
- Can modify organization settings
- Can delete the organization
- Cannot be removed (ownership must be transferred)
Admin
Full platform access, similar to the owner.
- Can create, edit, and manage campaigns, journeys, segments, and lists
- Can manage SMTP connections
- Can invite and manage users (except the owner)
- Can modify organization settings
- Can view all reports and analytics
Member
Standard user with limited management capabilities.
- Can view campaigns, journeys, segments, and lists
- Can create new campaigns and journeys
- Can upload customers and manage lists
- Can view reports and analytics
- Cannot manage SMTP connections
- Cannot invite or manage other users
- Cannot modify organization settings
Permission Matrix
| Feature | Owner | Admin | Member |
|---|---|---|---|
| Dashboard | ✅ | ✅ | ✅ |
| View campaigns | ✅ | ✅ | ✅ |
| Create campaigns | ✅ | ✅ | ✅ |
| Launch/pause campaigns | ✅ | ✅ | ✅ |
| Delete campaigns | ✅ | ✅ | ❌ |
| View journeys | ✅ | ✅ | ✅ |
| Create journeys | ✅ | ✅ | ✅ |
| Publish journeys | ✅ | ✅ | ✅ |
| Delete journeys | ✅ | ✅ | ❌ |
| Manage segments | ✅ | ✅ | ✅ |
| Manage lists | ✅ | ✅ | ✅ |
| Upload customers | ✅ | ✅ | ✅ |
| Manage suppression | ✅ | ✅ | ✅ |
| View reports | ✅ | ✅ | ✅ |
| Manage SMTP | ✅ | ✅ | ❌ |
| Invite users | ✅ | ✅ | ❌ |
| Manage users | ✅ | ✅ | ❌ |
| Organization settings | ✅ | ✅ | ❌ |
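The matrix above, as an added example that is not part of Score CRM's own code: a deny-by-default permission check with the page's two exceptions (the owner cannot be removed, only transferred; admins manage everyone except the owner). The feature key names are assumptions chosen for this example.

```python
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    ADMIN = "admin"
    MEMBER = "member"


ALL = frozenset({Role.OWNER, Role.ADMIN, Role.MEMBER})
PRIVILEGED = frozenset({Role.OWNER, Role.ADMIN})

# Transcribed from the permission matrix; keys are hypothetical names.
# Any feature absent from this table is denied to every role.
PERMISSIONS = {
    "dashboard": ALL,
    "campaigns.view": ALL,
    "campaigns.create": ALL,
    "campaigns.launch": ALL,
    "campaigns.delete": PRIVILEGED,
    "journeys.view": ALL,
    "journeys.create": ALL,
    "journeys.publish": ALL,
    "journeys.delete": PRIVILEGED,
    "segments.manage": ALL,
    "lists.manage": ALL,
    "customers.upload": ALL,
    "suppression.manage": ALL,
    "reports.view": ALL,
    "smtp.manage": PRIVILEGED,
    "users.invite": PRIVILEGED,
    "users.manage": PRIVILEGED,
    "org.settings": PRIVILEGED,
    # Owner-only per the Owner section; it does not appear in the matrix.
    "org.delete": frozenset({Role.OWNER}),
}


def can(role: Role, feature: str) -> bool:
    """Deny by default: an unknown feature or role never passes."""
    return role in PERMISSIONS.get(feature, frozenset())


def can_remove_user(actor: Role, target: Role) -> bool:
    """users.manage plus the page's rule that the owner is never removable."""
    if not can(actor, "users.manage"):
        return False
    return target is not Role.OWNER  # ownership must be transferred instead
```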
Authentication
Score CRM uses JWT (JSON Web Token) authentication:
- Users log in with email and password
- A JWT is issued at login and must be sent with every subsequent API request
- Tokens expire after a configured period
- Passwords are hashed using bcrypt before storage
Security Best Practices
- Use strong passwords: Enforce complex passwords for all team members
- Limit admin access: Only grant admin roles to users who need to manage settings and users
- Review user list regularly: Remove users who no longer need access
- Monitor login activity: Watch for unusual login patterns
- Use unique accounts: Every team member should have their own account — never share credentials