Feature Guide

Role-Based Access

Org Comms uses a three-tier permission model to ensure the right people have access to the right capabilities. From regular members who receive messages to super admins who manage the entire platform.

The Three Roles

member

Standard org members. Can read messages in their inbox, enable push notifications, manage their own settings, and install the PWA.

  • Read inbox
  • Push notifications
  • Account settings
admin

Organisation administrators who can create and send messages, manage groups and events, and view delivery analytics.

  • All member capabilities
  • Send & schedule messages
  • Manage groups & events
  • View delivery stats
super admin

Full platform control. Can manage users, assign roles, configure system settings, and impersonate other users for support.

  • All admin capabilities
  • Manage users & roles
  • System settings
  • User impersonation

Capabilities Matrix & User Management

Super admins can view and change user roles from the Users panel in the admin dashboard.

Capability Matrix

Role Capabilities Matrix
Capabilitysuper adminadminmember
Read inbox messages
Enable push notifications
Send broadcast messages
Schedule messages
Manage groups
Manage events
View delivery tracking
Manage users & roles
System settings
Impersonate users

Admin — User Management

orgcomms.app/admin/users
Users
Invite
KS
Kieran Saunders
kieran@org.com
super admin
AC
Alice Chen
alice@org.com
admin
BO
Ben Owens
ben@org.com
member

User Impersonation (super_admin only)

Super admins can impersonate any user account to diagnose issues or provide support. All impersonation sessions are recorded in an audit log (impersonationLogs table) and a visible banner is shown throughout the session to prevent accidental actions.

  • Every impersonation start and end is logged with timestamp and actor ID.
  • An orange banner is visible to the impersonating admin at all times.

How to change a user's role

1

Sign in as super_admin

Role management requires super_admin privileges. The first super admin is set via the SUPER_ADMIN_EMAIL environment variable.

2

Navigate to Admin → Users

The Users section lists all registered accounts with their current role.

3

Select a user

Click on a user to open their profile. From here you can change their role using the role selector.

4

Choose the new role and save

Select 'member', 'admin', or 'super_admin' and confirm. The change takes effect immediately on their next action.

Frequently Asked Questions

How is the first super admin set up?

Set the SUPER_ADMIN_EMAIL environment variable in the Convex dashboard before first launch. The user who registers with that email address is automatically granted super_admin status.

Can an admin promote another user to admin?

No. Only super_admin users can change roles. Regular admins can manage groups, events, and messages, but cannot alter user permissions.

What happens to a user's content if they are demoted?

Existing messages and records are not affected by role changes. The user simply loses the ability to perform privileged actions going forward.

How does Better Auth integrate with the role system?

Org Comms uses the Better Auth admin plugin which extends the session with role information. The Convex backend validates the user's role on every mutation using the session token.

Can I invite new members directly to a role?

When sending an invite, super admins can choose the target role. Invites are sent via email (Resend integration) and contain a sign-up link that pre-assigns the chosen role.