Role-Based Access Control (RBAC) system in TenancyDesk ensures that every team member has the appropriate level of access - no more, no less.
Why RBAC Matters
Security: Prevent unauthorized access to sensitive financial data Compliance: Audit trail for all actions (who did what and when) Efficiency: Right data to the right people Accountability: Clear roles = clear responsibilities
The Four Roles in TenancyDesk
1. Admin (Administrator)
Who: Company owner, IT director, Finance director
Full access to:
- All deals in the company
- All team members and their management
- Billing and subscriptions
- All settings (company, integrations, workflows)
- API keys and Webhook management
- Company-level reports and analytics
Special permissions:
- Add/remove any team member (including other Admins)
- Change plan (Solo/Starter/Pro/Enterprise)
- Access full audit logs
- Export all company data (JSON, Excel, CSV, PDF)
- Permanently delete deals
- Configure SSO (Enterprise only)
Use cases:
- Initial company setup
- Managing billing and subscriptions
- Configuring integrations (API keys, WhatsApp, webhooks)
- Company-level team management
- Accessing all deal data for review/audit purposes
2. Manager
Who: Branch manager, Operations manager, Sales lead
Access to:
- All deals in the company (create, view, edit)
- All company reports and analytics
- View team member names and roles (read-only โ cannot invite or remove)
- Track payments and collections across all deals
- Monitor compliance across all deals
Limited permissions:
- Cannot manage billing or change plan
- Cannot invite or remove team members (Admin only)
- Cannot access API keys or Webhook settings
- Cannot change company settings
- Cannot export full company data (can only export their reports)
Use cases:
- Overseeing all deals in branch/company
- Reviewing agent performance via reports
- Viewing team composition (read-only team page)
- Monitoring compliance and payment status
- Managing workload distribution across agents
Example: Branch manager with 10 agents. They can:
- View all deals of all 10 agents
- Run revenue and performance reports
- View team page to see who has which role (but cannot modify)
- Track payment collections across all deals
3. Team Lead
Who: Senior agent, Team supervisor
Access to:
- Create and manage own deals
- View team members' deals and tasks
- Team dashboard statistics
- Team performance reports
- Assign and reassign tasks within team
- Full access to properties and contacts
Limited permissions:
- Cannot see deals outside their team
- Cannot manage billing or company settings
- Cannot invite or remove team members
- Cannot access company-wide reports (team only)
Use cases:
- Managing own deals while mentoring junior agents
- Daily supervision via team dashboard
- Running team reports for performance reviews
- Reassigning tasks when agents are busy
Example: Senior agent leading a team of 4 agents. They can:
- Create and manage their own deals
- View all 4 team members' deals and task progress
- Check team dashboard for key metrics
- Run team performance reports for monthly reviews
- Reassign a stuck task from one agent to another
4. Agent
Who: Real estate agent, Property consultant, Leasing manager
Access to:
- Only their own deals (created by them or assigned to them)
- Creating new deals
- Upload/delete documents for their deals
- Generate contracts and prepare Ejari
- Send communications (Email, SMS, WhatsApp) to clients
- Use Deal Portal for their clients
- View their own statistics (deal count, total AED value, closing rate)
Limited permissions:
- Cannot view other Agents' deals (unless shared by Admin/Manager)
- Cannot approve deals >AED 200,000 (needs Manager approval)
- Cannot override compliance blocks
- Cannot view team reports or company analytics
- Cannot modify workflow settings
- Cannot export bulk deal data (can only export their deals)
Use cases:
- Creating and managing their own rental deals
- Uploading tenant/owner documents
- Generating contracts and sending for signature
- Preparing Ejari submission packages
- Tracking rent payments for their clients
- Using Deal Portal to collect documents from tenants
Example: Agent managing 15 active deals. They can:
- View all 15 of their deals only (not other agents' deals)
- Create a new deal for a new tenant
- Upload tenant's Emirates ID and title deed
- Generate tenancy contract and share it for signing
- Prepare Ejari submission and send to Manager for approval (if >AED 200k)
5. Property Administrator
Who: Office administrator, Ejari/Tawtheeq specialist, Document processor, Payment reconciliation staff
Access to:
- View all company deals, payments, tasks, and compliance
- Upload, verify, and organize documents
- Prepare Ejari / Tawtheeq registration
- View all payment schedules and track collections
- Verify tenant and owner KYC documents
- Browse all company properties and contacts
Limited permissions:
- Cannot create deals or modify deal terms
- Cannot create or edit properties
- Can view all company deals but can only edit assigned deals
- Cannot view reports or analytics
- Cannot manage team or settings (except own profile)
Use cases:
- Document collection and verification across all company deals
- Preparing Ejari/Tawtheeq registration packages
- KYC verification of tenant and owner documents
- Payment schedule monitoring and reconciliation
- Browsing property listings and contact records
Example: Office administrator supporting 5 agents. They can:
- View all company deals for Ejari prep and payment reconciliation
- Upload Emirates IDs and verify KYC documents
- Prepare Ejari submission package for any deal
- Check payment schedule status across all deals
- Browse all company properties and contacts
- Edit only deals assigned to them
- Cannot create new deals, properties, or contacts
Permission Matrix (Page Access)
| Page | Admin | Manager | Team Lead | Agent | Property Administrator |
|---|---|---|---|---|---|
| Dashboard | Full | Full | Team | Own | All (read) |
| Deals | Full | Full | Team | Own | All (read), edit assigned |
| Properties | Full | Full | Full | Full | View only |
| Contacts | Full | Full | Full | Full | View only |
| Tasks | Full | Full | Team | Own | All (read) |
| Compliance | Full | Full | Full | Own | View only |
| Payments | Full | Full | Full | Own | View only |
| Reports | Full | Full | Team | ||
| Team | Full | View only | |||
| Settings | Full | Profile only | Profile only | Profile only | Profile only |
Key: Full = CRUD, Team = team-scoped, Own = own data, All (read) = view all company data but edit only assigned, View only = read-only
Best Practices for Role Management
Principle of Least Privilege:
- Start with the minimum possible role
- Upgrade only when necessary
- Review and audit permissions quarterly
Separation of Duties:
- Don't give the same person deal creation + financial approval
- Use Property Administrators for administrative work, not Agents
- Keep API access for Admins only
Security:
- Make Two-Factor Authentication (2FA) mandatory for all Admins and Managers
- Review access logs monthly
- Disable inactive accounts (>30 days without login)
- Remove departed users immediately
Audit Trail:
- All actions are logged with user ID, role, timestamp
- Review audit logs weekly for sensitive changes
- Export audit logs for compliance reviews
Clear roles = smooth operations. Set up your team with the right access for maximum efficiency and security.
Was this article helpful?
Related Articles
Stay Updated
Get the latest guides, tips, and updates delivered to your inbox.