Roles & Permissions
Rankup uses a hierarchical role system to control access. Permissions are enforced at the database level with PostgreSQL Row Level Security (RLS), not only in the UI.
Role hierarchy

```text
Admin
└── Strategist
    └── Viewer
        └── Client Viewer (scoped to one client)
```

Each role inherits the read permissions of the roles below it and adds further capabilities.
Detailed permissions
| Action | Admin | Strategist | Viewer | Client Viewer |
|---|---|---|---|---|
| View dashboards | All clients | All clients | All clients | Own client only |
| Import locations | Yes | Yes | No | No |
| Generate briefs | Yes | Yes | No | No |
| Manage calendar | Yes | Yes | No | No |
| Add/edit clients | Yes | No | No | No |
| Manage team | Yes | No | No | No |
| Configure API keys | Yes | No | No | No |
| Organization settings | Yes | No | No | No |
| Export reports | Yes | Yes | Yes | Own client only |
Data isolation
The most important security boundary is between Client Viewers and everyone else:
- Agency users (Admin, Strategist, Viewer) can see every client within their own organization
- Client Viewers can only see data for the single client they are assigned to
- Both restrictions are enforced by PostgreSQL Row Level Security policies, so they apply to every query that reaches the database under the user's identity, whether it arrives through the UI, the API, or a direct database connection; they are not an application-layer filter that a new code path could forget to apply
- RLS only constrains database roles that are subject to it: superusers and roles with the BYPASSRLS attribute always bypass policies, and a table's owner bypasses them unless the table has FORCE ROW LEVEL SECURITY set, so the application must connect as a role that is none of these
- Organizations are completely isolated from each other by the same database-level policies
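The following is an added example of how the permissions table and the data-isolation rules above can be expressed as PostgreSQL RLS policies. It is not Rankup's own schema or policy code: the table and column names, the `app_user` database role, the `current_app_user()` helper and the `app.current_user_id` session variable are all assumptions made for the illustration. It covers the organization boundary, the Client Viewer scope, and the Admin-only and Admin/Strategist write rules from the table.

```sql
-- Added example, not Rankup's schema or policies. Assumed: the application
-- connects as a non-owner role (app_user) and sets the authenticated user's
-- id in the session variable app.current_user_id before each request's
-- queries. Table and column names are illustrative.

CREATE TABLE organizations (
  id   bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  name text NOT NULL
);

CREATE TABLE clients (
  id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  organization_id bigint NOT NULL REFERENCES organizations(id),
  name            text   NOT NULL
);

CREATE TABLE users (
  id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  organization_id bigint NOT NULL REFERENCES organizations(id),
  role            text   NOT NULL
                  CHECK (role IN ('admin', 'strategist', 'viewer', 'client_viewer')),
  -- A Client Viewer is pinned to exactly one client; every other role has none.
  client_id       bigint REFERENCES clients(id),
  CHECK ((role = 'client_viewer') = (client_id IS NOT NULL))
);

CREATE TABLE locations (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  client_id bigint NOT NULL REFERENCES clients(id),
  name      text   NOT NULL
);

-- Constructed sample data, inserted before RLS is switched on (once FORCE ROW
-- LEVEL SECURITY is set, even the table owner is subject to the policies).
INSERT INTO organizations (name) VALUES ('Acme Agency'), ('Other Agency');
INSERT INTO clients (organization_id, name)
  VALUES (1, 'Acme Client A'), (1, 'Acme Client B'), (2, 'Other Client');
INSERT INTO users (organization_id, role, client_id)
  VALUES (1, 'admin', NULL),        -- user 1
         (1, 'strategist', NULL),   -- user 2
         (1, 'client_viewer', 1);   -- user 3, scoped to Acme Client A
INSERT INTO locations (client_id, name)
  VALUES (1, 'Store 1'), (2, 'Store 2'), (3, 'Store 3');

-- Resolves the caller from the session variable. SECURITY DEFINER lets the
-- policies read users without granting app_user any direct access to it.
-- An unset variable yields NULL, so every policy below fails closed.
CREATE FUNCTION current_app_user() RETURNS users
  LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
  SELECT * FROM users
  WHERE id = current_setting('app.current_user_id', true)::bigint
$$;

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON clients, locations TO app_user;

ALTER TABLE clients   ENABLE ROW LEVEL SECURITY;
ALTER TABLE locations ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients   FORCE ROW LEVEL SECURITY;
ALTER TABLE locations FORCE ROW LEVEL SECURITY;

-- View dashboards: agency roles see every client in their organization;
-- a Client Viewer sees only the one client assigned to them.
CREATE POLICY clients_select ON clients FOR SELECT USING (
  organization_id = (current_app_user()).organization_id
  AND ((current_app_user()).role <> 'client_viewer'
       OR id = (current_app_user()).client_id)
);

-- Add/edit clients: Admin only. WITH CHECK also stops an Admin from creating
-- or moving a client into another organization.
CREATE POLICY clients_insert ON clients FOR INSERT WITH CHECK (
  (current_app_user()).role = 'admin'
  AND organization_id = (current_app_user()).organization_id
);
CREATE POLICY clients_update ON clients FOR UPDATE
  USING ((current_app_user()).role = 'admin'
         AND organization_id = (current_app_user()).organization_id)
  WITH CHECK ((current_app_user()).role = 'admin'
              AND organization_id = (current_app_user()).organization_id);

-- Locations inherit visibility from their client: the subquery runs under
-- the caller's identity, so clients_select is applied to it as well.
CREATE POLICY locations_select ON locations FOR SELECT USING (
  EXISTS (SELECT 1 FROM clients c WHERE c.id = locations.client_id)
);

-- Import locations: Admin and Strategist, and only into a client they can see.
CREATE POLICY locations_insert ON locations FOR INSERT WITH CHECK (
  (current_app_user()).role IN ('admin', 'strategist')
  AND EXISTS (SELECT 1 FROM clients c WHERE c.id = locations.client_id)
);

-- Exercise the policies (run as a superuser or a member of app_user).
SET ROLE app_user;
SET app.current_user_id = '2';                 -- Strategist in Acme Agency
SELECT name FROM clients;                      -- Acme Client A, Acme Client B
INSERT INTO clients (organization_id, name) VALUES (1, 'New');  -- denied by RLS
SET app.current_user_id = '3';                 -- Client Viewer on client 1
SELECT name FROM clients;                      -- Acme Client A
SELECT name FROM locations;                    -- Store 1
INSERT INTO locations (client_id, name) VALUES (1, 'Store 4');  -- denied by RLS
RESET ROLE;
```

Two design points worth checking in any real deployment of this pattern: the policies are only as strong as the identity plumbing, so the session variable must be set by trusted application code on every connection (and a SQL injection that can issue its own `SET` would defeat it), and permissive policies for the same command are OR'd together, so a later `FOR ALL` policy added for convenience can silently widen what an earlier, narrower policy allowed.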
Assigning roles
Roles are assigned when a user is invited and can be changed at any time by an Admin. When inviting a Client Viewer, you must specify the client they will be assigned to.