Manage user access

In their simplest form, permission sets define what users or teams can see and do within the platform. With permission sets, you can grant users access to data and actions within Kustomer on an object level. Kustomer supports two object types: standard and custom (KObjects). Standard objects come pre-installed and are considered to be common objects that exist across every organization, and are defined as Company, Customer, and Conversation. KObjects, on the other hand, are objects that are specific to your organization. Applying a permission set to a user or team can prevent them from editing or deleting anything in an object, such as a customer’s name, or from even seeing the customer at all. Since platform data and actions can only be accessed via a permission set, implementing them helps your organization protect its data and offer better security by allowing you to give users and teams specific system access to only what you want them to see, ensuring that they don’t mistakenly get access to sensitive data.Kustomer permission sets are fully customizable and provide a variety of settings you can choose from to give users the exact access you want them to have. Permission sets make it simple to manage access settings for a group of users at once, removing the need to define permission settings individually. Who can access this feature?User typesAdmins can access the Permission sets page.In this article:Multiple permission setsDefault permission setsMultiple permission setsPermission sets are additive, meaning users and teams can be assigned multiple permission sets within Kustomer, granting them access to different objects and areas of the platform. Due to this, it is important to understand that when a user or team is assigned multiple permission sets, Kustomer will grant all allowed access, even if the permission sets conflict. For example, let’s say you assign two permission sets to a user in your organization named Bob. If permission set 1 grants access to conversations, and permission set 2 prohibits access to them, Bob is still granted access to conversations.Let’s expand on this concept further. Bob is assigned Permission Set A and B and each permission set allows the following access to customers based on their tier.Basic customersStandard customersVIP customersPermission Set AView & CreateView & CreateView & CreatePermission Set BView & Create & UpdateView & Create & UpdateIn this scenario, Bob cannot update Basic customers. His access allows him to: View customers in all three tiers.Create customers in any tier.Update both Standard and VIP customers, such as their name or email address.Default permission setsWe recommend you get started by duplicating one of the permissions defined below, and then customizing it to best fit your needs. For more information, see this article.Duplicate permission setsYou can duplicate a permission set by selecting the icon next to it. The corresponding access settings for that permission set will be automatically enabled. You can then customize the level of access you want to grant your user.Related articles:User access within KustomerUse permission setsPermission sets best practices

We recommend you get started by duplicating one of the permissions defined below, and then customizing it to best fit your needs.The following default permission sets are included in Kustomer:Owner has full access to everything in Kustomer. This permission set can’t be deleted or changed by another permission.Administrator has access to everything in Kustomer.Content Administrator has access to update customers, send messages, view reports, create teams/users/searches, and manage the knowledge base.Manager has access to update customers, send messages, and has access to Reporting, Searches, and creating teams, users, and searches.User can update customers and send messages, but doesn’t have access to settings or configurations.Note: You can only duplicate the default Content Administrator, Manager, and User permission sets.The following table shows a breakdown of the exact access granted by each default permission set. Object/Product AreaAccess LevelContent AdministratorManagerUserCompanyRead/ViewXXXCreateXXXUpdateXXXDeleteCustomerRead/ViewXXXCreateXXXUpdateXXXDeleteXXMerge CustomersXXXConversationRead/ViewXXXCreateXXXUpdateXXXDeleteMerge/Split ConversationsXXXForward ConversationsXXXKObjectsRead/ViewXXXCreateXXXUpdate XXXDeleteXXXApps (Shopify Actions)*Run All Actions (Return & Cancel)XXXChannel ManagementRead/ViewXXXKnowledge BaseRead/ViewXXXCreateXUpdateXDeleteXBrandsRead/ViewXXXShortcutsRead/ViewXXXCreateXUpdateXDeleteXTemplatesRead/ViewXXXCreateXUpdateXDeleteXProactive MessagingRead/ViewXXXCreateXUpdateXDeleteXSnippetsRead/ViewXXXCreateXUpdateXDeleteXTagsRead/ViewXXXCreateXXXUpdateXXXDeleteXKlass ManagementRead/ViewXXXReportingRead/ViewXXCreateXXUpdateXXDeleteXXExport ReportsXXView User PerformanceXXSearchesRead/ViewXXXExport SearchesXXGlobal SearchXXXBulk ActionsXXXOrganization and LocalizationRead/ViewXXXConversation StatusRead/ViewXXXQueues & RoutingRead/ViewXXXUpdateXXXBusiness RulesRead/ViewXXXSLAsRead/ViewXXXBusiness SchedulesRead/ViewXXXBillingRead/ViewXXXAudit LogsRead/ViewXXXSatisfactionRead/ViewXXXUsersRead/ViewXXXCreateXXUpdateXXDeleteXXTeamsRead/ViewXXXCreateXXUpdateXXDeleteXX*Note: Currently, Shopify is the only app that appears in this section once installed.

Kustomer permission sets provide you with a way to customize what users and teams in your organization have access to and can see within the platform. Permission sets are fully customizable, allowing you to control what your users see based on your organization’s needs. For example, let’s say you are training agents and want to make sure that they can not mistakenly delete a customer, or respond to a customer support request while they familiarize themselves with the system. With permission sets, you can easily manage the access level for this group of users and either allow them to only have read/view access, or no access to certain actions at all.With permission sets, you can also:Have the Ordering Department only see the custom objects that are relevant to them, such as the customer’s latest order.Allow an agent to create an order for a customer in their timeline.Prevent an agent from editing a specific attribute, such as a customer's email address.Who can access this feature?User typesAdmins can access the Permissions sets page.Permission sets allow you to control the data, down to the object level, that your users see and determine what actions are available to them. For example, if you are a travel agency, you could define a KObject that stores booking information for each customer. With permission sets, you can prevent a user from performing actions on any of these objects, such as deleting a customer’s email address, or from even seeing the object at all. You can also apply permission sets to other areas of the platform, such as searches, reporting, and system settings. For more information, see Understand permission sets.Permissions sets consist of individual permissions, or rules, that determine the level of access a user will receive. A user must be assigned a permission set or they will not have access to anything on the platform at all. Kustomer comes with five default permission sets: Owner, Administrator, Content Administrator, Manager, and User. These permission sets cannot be modified or deleted, but you can duplicate them and use them as a basis for a custom permission set by limiting specific actions or settings in them. Note: While these permission sets are included, they are meant for you to use as more of a guideline, or backup, rather than your main permission sets. Default roles are broad and do not provide the ability for you to control what your users see or the actions they may take.When defining permission sets for objects, it is important to note that Company and Customer are considered top-level objects that control the default permission sets of lower-level objects. For example, if you assign a permission set to an agent that allows them to see the Customer object, you would want them to also see conversations with that customer, as well as pertinent information on the customer’s timeline, such as the order they are inquiring about. The default hierarchy on this top-level object will automatically allow this agent access to the Conversation object, as well as any defined custom objects. Note: While top-level objects are designed to control the permissions set on lower-level objects by default, you can override these settings by editing the permissions on lower-level objects.Related articles:Understand permission setsUse custom permission setsBest practices for permission sets

The first step in customizing a permission set is determining the access level you want to grant your users. The following three access levels are available:Access LevelExplanationAll AccessUser will have full access or visibility into this object or product area.Example: User has access to all conversations.No AccessUser will not have any access or visibility into this object or product area.Example: User cannot access conversations.Define what users can doYou can define exactly what your users can and cannot do within Kustomer. When duplicating a default permission set, these settings are inherited and will be pre-selected based on what is already selected in the existing default permission set. You can customize these settings to fit your organizational needs better. Note: These options are not selected when creating a new custom permission set since access to the platform is denied by default.PermissionDescriptionRead/ViewUser can only view the specified object or product area.Example: User can view customer data within the platform.CreateUser can create that type of object.Example: User can create a customer in the platform.UpdateUser can make updates on that object or within that product area.Example: User can edit any existing customer data.DeleteUser can perform deletions in the specified object or product area.Example: User can delete a customer profile.Attribute permissionsOnce you define the level of access a user has to a standard or custom object, you can also define whether a user can view or edit a particular attribute in the object. By default, users will have access to all of the attributes in an object that they can access.Define additional user actionsAlong with general permissions, you can assign access to additional actions a user can take on that object or specific product area. These actions are specific to the area you are creating the permission set for and are completely optional when creating a permission set. Object/AreaAdditional access toDescriptionCompanyShow Edit Company Attributes windowUser can access the Edit Company Attributes window. This setting requires Read access.CustomerMerge CustomersUser can merge customer profilesShow Edit Customer Attributes windowUser can access the Edit Customer Attributes window. This setting requires Read access.ConversationMerge/Split ConversationsUser can merge or split conversations.Redact MessagesUser can redact a message within a conversation. This is a permanent action.Forward ConversationsUser can forward a conversation to another user.Resend SurveyUser can resend a Satisfaction survey.Show Edit Conversation Attributes windowUser can access the Edit Conversation Attributes window. This setting requires Read access.Delete Comments in Social Media AppsUser can delete an Instagram comment from both Instagram and the customer's timeline.ReportingExport ReportsUser can export reporting data.View User PerformanceUser can view their personal performance metrics.View Team PulseUser can view the Team Pulse report (only available on Ultimate plans).SearchesExport SearchesUser can export search results.Global SearchUser has access to global search.Bulk ActionsUser has access to bulk actions, such as sending messages or bulk updating conversation attributes.Search Criteria PreviewUser can create and edit a search filter, but not save the search.You can also allow a user access to specific settings and management pages within the product. For example, you can provide the specific users in your organization who write help articles access to all of the Knowledge Base pages. Below is a list of the available settings and management pages to which you can allow additional access.Object/AreaSub-CategoryAdditional Access toAppsShopify ActionsReturn and Cancel actions from the Shopify Insight CardChannel ManagementSettings Pages for ChannelsContent ManagementKnowledge BaseAll Knowledge Base Settings PagesBrandsBrands Settings PageShortcutsShortcuts Settings PageTemplatesEmail Templates Settings PageProactive MessagingProactive Messaging Settings PageSnippetsSnippets Settings PageTagsTag Settings PageKlass ManagementKlassesKlass Settings PageKustomer IQConversation ClassificationConversation Classification Settings PageConversational AssistantsConversational Assistants Settings pageConversational Assistants IntentConversational Intents in the Conversational Assistants Settings pagePersonalAccountAccount Settings PageReportingReport Permissions Settings PageSearchesSearch Settings PageSecurityManage API Keys, Org Logging, and the Authentication Settings PageSystem SettingsOrganization and LocalizationGeneral Settings PageLocalization Settings PageConversation StatusConversation Status Settings PageQueues & RoutingQueues & Routing Settings PageWorkflowsWorkflows Settings PageBusiness RulesBusiness Rules Settings PageSLAsService Level Agreements Settings PageBusiness SchedulesBusiness Schedules Settings PageBillingBilling Settings PageAudit LogsAudit Logs Settings PageSatisfactionSatisfaction Settings PageUser ManagementUsersUsers Settings PageTeamsUsers Settings PageWebhooksInbound WebhooksInbound Webhooks Settings PageOutbound WebhooksOutbound Webhooks Settings Page

You can create custom permission sets within Kustomer that will allow you to assign access to key areas of the product to users and teams in your organization. For this article, we will create and assign a permission set that allows access to see and edit custom order information for a customer, but not delete it.Who can access this feature?User typesAdmins can access the Permission sets page.In this articleCreate a custom permission setChange the default object hierarchyPermission set processing timeCreate a custom permission setWhen creating a new permission set, you can start from either a blank or best practice template. We recommend using a best practice template, which comes preconfigured to allow access to areas in the platform that will users the most from Kustomer.Note: Using the Best Practice Template will not grant access to objects.To create a new permission set:Go to Settings and select Users > Permission Sets.Select Add Permission Set.Select Blank Template or Best Practice Template.Select Create Permission Set.Enter a name for the permission set. Optionally, enter a description.Determine the area of the product for which you are creating a permission Set. By default, access is denied to all objects and product areas until access is granted through a Permission Set, even if you selected to use the existing template. For this example, select Object Permissions.Select for the Customer object and specify the level of access you want to grant. Since we want users to have full access to this object, we will select All Access to Customers and then Read/View, Create, Update, and Delete.Optionally, select the Attribute Permissions tab to define the attributes that the user will be able to access. For more information, see Attribute level permissions.Select Save Changes.Since we defined the access level for Customer, which is a top-level object, confirm whether or not you want to apply the same access level to all lower-level objects. Since we do not want a user to have the ability to delete an order, select No, Don't Use Hierarchy.Note: If an attribute permission is changed to a permission set that differs from the object permissions, the attribute permission will be enforced for that attribute only. All object permissions will otherwise remain in place. You can grant access to all KObjects or individually. For this example, select Configure Individual KObjects from the drop-down menu.Select for KObject Order and define the level of access for it. Since we do not want users to have the ability to delete an order, select All Access to Order and then Read/View, Create, and Update.Select Save Changes.Note: Your permission set has not been applied across the system yet. See Permission set processing time for more information.Your updates are shown on the Edit Permission Set page and clearly indicate what you did or didn’t provide access to within objects and product area.To edit a permission set:Go to Settings and select Users > Permission Sets.Select the edit icon  for the permission set you want to change.Make your desired changes and select Save Changes.Your changes will take effect once the updates are applied throughout the system. Change the default object hierarchyCompany and Customer are considered top-level objects that, by default, control the permissions of lower level objects. Whenever you change the granted permissions in either of them, you will be asked if you want to apply the same level of access to all lower-level objects.If you do not want users to automatically have the same level of access in Conversations or KObjects that was granted in Customer, select No, Don't Use Hierarchy and then change the permission for either of these areas.Note: You must define a permission for either the Company or Customer object and allow All Access to either in order to define a permission on Conversation or KObjects.Permission set processing timeOnce a permission set is created and saved, it will start to process so that all changes can take affect across the system. How long this takes is dependent on how much data is in your system. Processing occurs when creating or editing permission set. While the permission set is processing, you will see an alert that indicates that this process is currently underway. Once a permission set is done processing, you will receive a Kustomer notification and an email informing you that this is complete and that the permission set can be applied. To apply it, navigate to the permission set and select Apply Permission.Then, select Yes, Apply to confirm the change.All of your changes are now live within the system, and all users and teams that were assigned this permission set now have the access they were given. You have 24 hours to revert the permission set to its current state. You can do so by selecting Revert to previous version.Once you apply the permission, you can assign it to a user or team.Related articles:User access within KustomerUnderstand permission setsPermission sets best practices

Once you have created a permission set, you can assign it to a user or team in your organization. Multiple permission sets can be assigned to the same user or team. When assigning multiple permission sets, it is important to remember that they are additive in the permissions that they grant. For more information, see Understand permission sets.Who can access this feature?User typesAdmins can access the User or Teams pages.To assign a permission set to a user or team:Go to Settings and select Users > Users or Teams.Select Edit for the user or team you want to apply the permission set to.Note: Only Full-Time users can be assigned to a permission set.Select the Permission Sets tab in their profile.Select Modify Permission Sets.Select the Custom Permission Set tab and then select the permission set you want to assign to this user or team from the list. You can select more than one permission set at a time.Select Apply.Once you have finished applying all permission sets to the user or team, select Save Changes.

Attribute level permissions lets you define the level of access a user in your organization will have to a specific attribute in both standard and custom objects. With attribute level permissions, you can prevent a user from seeing or possibly changing certain information, such as a customer's email address. Who can access this feature?User typesAdmins can access the Permissions sets page.In this articleChanging a user's access to an attributeRestricted attributes and searchRestricted attributes and shortcutsRequired Conversation attributesChanging a user's access to an attributeYou can control whether a user will be able to view or edit a particular attribute on an object. You can customize the level of access users will have to both standard and custom attributes.Note: Removing a user's Read access will automatically remove their edit access as well.Go to Settings > Users > Permission Sets.Create a new permission set or edit an existing one. Select Object Permissions and then an object. In this example, we are going to edit the permissions for the Customer object.Select the Attribute Permissions tab. Here, you will see a list of all of the attributes in the Customer object. By default, users will have access to all of the attributes in an object for which they have access.Note: Attributes that are heavily relied on in multiple areas of the platform, such as company and customer name, cannot have read access removed.Customize access to a specific attribute by selecting the Read or Edit checkboxes for it.Once you are done making your changes, select Save Changes.Restricted attributes and searchAny access changes you make to attributes will also affect if a user can see it when:Performing searches (global, merging customers, or moving conversations).Creating a bulk action.Creating an export.When a user with attribute level permissions uses global search, merge customer search, and move conversation search, they may see companies, customers, conversations, and custom objects (kobjects) returned that have an attribute value that they do not have access to read. This is because these searches take all attributes into account when searching. However, if a user doesn't have read access to that attribute, it will be hidden from the search results or when viewing the object in Kustomer. For example, let's say you have removed a user's read access to customer external IDs and they build a search query using an external ID such as, Customer Any Text is equal to ts123, the search will return the customer named Tom Smith and exclude the external ID attribute.If a user doesn't have read access to an attribute, they also won't be able to select it as a property when building a search query. Using the previous example, the user also won't be able to select External ID when using the search query builder.You can prevent users from using any of these searches using permission sets.Restricted attributes and shortcutsIf a user tries to use a shortcut in a draft and they don't have access to an attribute used in the shortcut, the shortcut won’t be available for them to select.Required Conversation attributesWhen adding attributes to the Conversation klass, you have the option of defining it as a required attribute that must be filled out before a conversation can be marked as Done. To ensure that agents don't find themselves in a situation where they can't close a conversation, attributes that are marked required can't have its permission set edited, and you cannot remove read or edit access for them. 

Your users will only have access to what they are granted access to via permission sets. For example, even if you don't want all of your team members to assist customers directly, you can still ensure that they have access to all the other areas of Kustomer they'd need to assist your customer service team.In this articleUser and Team ManagementAmazon ConnectShopify ActionsAdditional RecommendationsUser and Team ManagementWe recommend that you set both Users and Teams to Read/View access within User Management. Doing this will allow your users to:Assign a Conversation to another user or team.Have conversations routed to them if Routing is configured.Switch between their assigned teams to access their queues.View reports that are related to other users or teams.Build a workflow that assigns conversations to a specific user or team.Know which user wrote an outbound message or last updated a certain settings item, etc.Mention a user or team in a note.If Teams > Read/View access is not given to a user, they will not be granted permissions that are assigned to them via Team permissions.Important: Users and teams will also need access to the corresponding product area. For example, to build a workflow, a user will need Read/View access within User Management and Create access to Workflows.Amazon ConnectOrganizations with an Amazon Connect integration must ensure that users will have access to all incoming calls. It is recommended that all users and teams that respond to customer queries using Amazon Connect have the following access settings: Read/View & Create on all customers.Read/View & Create & Update on all conversations.Edit on the AssignedUsers Conversation field permission.Shopify ActionsOrganizations using the Shopify app integration may want to ensure that users can return and cancel orders directly within Kustomer. To do so, we recommend you give users the following Shopify access:All Access to Shopify actionsSelect the Run all actions (Return & Cancel) check boxAdditional Recommendations Below is a list of additional recommended permissions that will allow users in your organization to access product areas that will enable them to get the most from Kustomer.AreaRecommended AccessAllows users toKlass ManagementKlassesRead/ViewView custom attributes and KObject data. This is also required if users need access to view reports that show custom attribute or KObject data.Klass ViewsRead/ViewView Klass Views in the timeline.Content ManagementShortcutsRead/ViewUse shortcuts and shortcut categories in conversations.TemplatesRead/ViewUse email templates in conversations.SnippetsRead/ViewUse snippets and snippet categories in conversations.TagsRead/ViewUse tags in conversations.CreateCreate tags while in a conversation.SearchesRead/View & UpdateView and edit saved searches, as well as access reports that run searches.Global Searches turned on (Optional)Search globally within the organization.System SettingsConversation StatusRead/ViewUse custom snooze and sub-statuses in conversations.Queues & RoutingRead/View & UpdateHave queued items routed to them and set their routing status.Note: User should also have Read/View access to Teams.WorkflowsRead/View (Optional)See which workflow updated a conversation.Business RulesRead/View (Optional)See which business rule updated a conversation.SLAsRead/View (Optional)See the name of the SLA that is assigned to a conversation.SatisfactionRead/View (Optional)See how a customer responded to CSAT surveys in their timeline.Related ArticlesUser access within KustomerUnderstand permission setsUse custom permission sets