Skip to main content

Roles and Permissions

What are roles?

Roles are the backbone of the Breeze platform. They control what each person can see and do in the system—from ordering an ID card to managing entire organizations. Think of roles as your access control system, but much more flexible and powerful than traditional permission models.

The role system in Breeze is designed to be dynamic and adaptable. Whether you're a small organization with a few administrators or a large enterprise managing multiple tenants across different sites, roles can be combined and configured to match your exact needs. This means you can create the perfect permission setup for your workflow, not the other way around.

Each role has a clear purpose and comes with specific capabilities. When you understand what each role does, you can confidently assign the right permissions to the right people—ensuring everyone has access to what they need, nothing more, nothing less.

General roles

These are the main permission levels in Breeze. Think of them as your foundation—they determine the overall scope of what someone can do.

System Admin (systemAdmin)

What it means: System Admins are the architects of your Breeze setup. They control production sites and system-wide settings, manage card template layouts, domains, user groups, and production workflows. If it affects how the system works across all sub-tenants, a System Admin manages it.

What they can do:

  • Access Templates, Production, and Domain Administration modules
  • Create and update card templates, configure card layouts
  • Set template field rules and translations
  • Manage user groups
  • Configure domain-level features (AMR transfer, mobile credentials, local production)
  • Control order states
  • Download Credential data exports
  • Mark orders as shipped/invoiced
  • Remove photo backgrounds in bulk
  • Manage quality check workflows
  • Configure production site settings
  • Manage number ranges across tenants
  • Access production job lists
  • Configure external data sources

Who should get this: Production site managers, template designers, and system operators who handle production workflows, template design, and system configuration.

Super Administrator (superAdmin)

What it means: Super Administrators manage orders, tenant configuration, user groups, and production operations. They control order workflows, tenant features, and can operate production when they have the appropriate task role. They're the power users who keep everything running smoothly at the tenant level.

What they can do:

  • Access Tenant Settings, Order History, and Production modules
  • Prepare orders for production from the pending production list
  • Cancel orders
  • Change order states (shipped, invoiced, partly shipped)
  • Enable tenant features (local production, mobile credentials, Duo ID)
  • Configure tenant delivery settings
  • Manage user groups
  • View users in user groups
  • Access tenant statistics dashboard
  • Operate production (mark Credentials as produced, update production data) when they have the productionOperator task role
  • Manage tenant product availability
  • Configure tenant checkout flows
  • Manage tenant approvals settings

Who should get this: Order managers, tenant administrators, production operators, and those who configure order workflows and tenant settings.

Administrator (admin)

What it means: Administrators handle the day-to-day administration for an organization (tenant). They manage users, Credentials, and approvals within their organization. This is the go-to role for people who keep things organized and running on a day-to-day basis.

What they can do:

  • Access Users, Credentials, and Approvals pages
  • Activate/deactivate Credentials that are connected to access systems
  • View and edit Credential details
  • Modify Credential data (with dataChangeOperator role)
  • Manage users (invite, assign roles, modify user groups, activate/deactivate, move between tenants with userAdministration role)
  • Approve/reject Credential requests and Duo ID submissions (with approver role)
  • View order history (with viewOrderHistory role)
  • Create identities (with identityCreator role)
  • Manage number ranges for their tenant (with numberRangeAdmin role)
  • Access the My Requests page to handle pending approvals

Who should get this: Local administrators in each organization or department.

User (user)

What it means: Users are the people who actually use the system to order and manage their own Credentials. They can create Credentials and manage their own information. This is the standard role for anyone who needs an ID card.

What they can do:

  • Access Cart, My Orders, and My Profile pages
  • Create and submit Credential requests through the checkout process
  • Upload photos and signatures
  • Track Credential status in My Orders
  • View Credential previews
  • Complete Duo ID registration forms
  • Upload photos via webcam or file upload
  • Manage delivery addresses
  • View order tracking information
  • Access personal sign-in history

Who should get this: Staff members who need ID cards or mobile IDs.

Task roles

Task roles are specialized permissions that give people specific capabilities beyond their general role. Think of them as add-ons that let you fine-tune what someone can do. Task roles are organized by the minimum role level required to have them.

Quality Inspector (qualityInspector)

Required role level: systemAdmin

What it means: Quality Inspectors are the final checkpoint before cards ship. They inspect physical cards after production, approving cards that pass quality checks or rejecting them back to production. This role keeps quality standards high.

What they can do:

  • View the Quality Check page in Production module
  • Review produced cards in "quality_check" status
  • Use the "Quality check" button on individual Credentials
  • Approve cards that are correct (moves them to "produced" status)
  • Reject cards that have issues (sends them back to "in_production" with a rejection reason)
  • Access batch quality check dialogs for batch orders
  • View credential previews during quality inspection

Who should get this: Quality assurance staff at production sites who verify cards before they're shipped.

Warehouse Operator (prodSiteWarehouse)

Required role level: systemAdmin

What it means: Warehouse Operators manage order fulfillment and shipping at a production site. They control when orders are marked as shipped and can add items to orders. They're the people who make sure orders get out the door.

What they can do:

  • Access order detail pages
  • Use "Mark as Shipped" and "Mark as Partly-Shipped" buttons on orders in "packing" status
  • Add items to existing orders using the "Add product" button
  • Download delivery lists
  • View and manage order delivery details
  • Manage order states related to delivery and shipping

Who should get this: Warehouse and dispatch staff at production facilities.

Invoicing Operator (prodSiteInvoice)

Required role level: systemAdmin

What it means: Invoicing Operators mark orders for invoicing at a production site. They record billing information for completed orders and make sure the financial side of production is handled correctly.

What they can do:

  • Access order detail pages
  • Use "Set status: Invoiced" button on orders
  • Set invoice dates and references in the invoice details section
  • View invoice reference information
  • Calculate billing basis for orders
  • Mark completed orders as ready for invoicing

Who should get this: Finance staff at production sites who handle invoicing.

Production - Create Layouts (prodLayoutCreator)

Required role level: systemAdmin

What it means: Layout Creators design and maintain card template layouts. They create the visual design that appears on physical ID cards. This is where the look and feel of your cards comes from.

What they can do:

  • Access Templates → Card Layouts
  • Create new card layouts using CardSDK Designer
  • Copy layouts between tenants
  • Edit front and back page layouts
  • Configure field placements and order
  • Set image rules (photo placement, aspect ratios)
  • Configure background removal settings (transparent or color modes)
  • Manage template field rule sets
  • Set logo placements and sizes
  • Configure text styling and translations
  • Preview layouts before saving

Who should get this: Graphic designers and print specialists who design ID cards.

Manage Templates - Mobile Credential (tplMobileCredential)

Required role level: systemAdmin

What it means: This role manages mobile ID templates and mobile provider connections. They control how mobile IDs are issued and synced with mobile providers. If you're using mobile credentials, this person makes sure everything stays connected.

What they can do:

  • Access Templates → Mobile Credential Templates page
  • Create and update mobile Credential templates
  • Configure mobile provider connections (STid, etc.)
  • Test mobile provider connections using "Check Connection & Credits" button
  • Trigger manual syncs using "Sync now" button
  • Configure sync schedules (cron strings)
  • Set provision methods and sync settings
  • Manage duplicate vCard handling strategies
  • Configure sync image settings
  • View mobile credential status and sync history
  • Configure mobile ID template field settings

Who should get this: Mobile ID administrators who set up and maintain mobile Credential templates.

Manage Templates - AMR Requests (tplAmrRequest)

Required role level: systemAdmin

What it means: AMR Request template managers configure how Credential data is sent to access control systems (AMR - Access Management Requests). They control what data is sent when Credentials are activated. This is the bridge between Breeze and your access control systems.

What they can do:

  • Access Templates → AMR Request Templates page
  • Create and update AMR request templates
  • Configure which Credential fields are sent to access systems
  • Set field mappings using the field mapping editor
  • Configure email recipients and templates for AMR requests
  • Set approval requirements for access requests
  • Test AMR request configurations
  • View AMR request template details
  • Manage AMR request template availability

Who should get this: IT staff who integrate Breeze with access control systems (door readers, parking systems, etc.).

Domain Administrator (domainAdministrator)

Required role level: systemAdmin

What it means: Domain Administrators manage domain-level features and integrations. They enable advanced features and connect external data sources. They're the ones who unlock new capabilities for the entire domain.

What they can do:

  • Access Domain Administration module
  • Enable/disable AMR transfer features for the domain
  • Enable/disable mobile credentials feature
  • Enable/disable local production feature
  • Enable/disable external data sources feature
  • Enable/disable Duo ID feature
  • Configure domain-level feature settings
  • Manage AMR Transfer Templates at domain level
  • Configure external data sources that can feed into templates
  • Manage domain-level approvals settings
  • Configure domain default settings for tenants

Who should get this: IT administrators at the domain level who configure integrations and enable platform features.

Product Maintainer (productMaintainer)

Required role level: systemAdmin

What it means: Product Maintainers keep the product catalog up to date. They define what card types, encoding options, and services are available when people order Credentials. They're the ones who make sure the right products are available at the right time.

What they can do:

  • Access Product Administration page
  • Create new products with product details forms
  • Update product definitions (card types, encoding, printing options)
  • Set product pricing and availability
  • Manage product availability in domains
  • Configure transportation methods for products
  • Set product descriptions and previews
  • Deactivate products when they're no longer available (with confirmation dialog)
  • Manage domain default products
  • View product usage across tenants

Who should get this: Product managers or operations staff who maintain the catalog of available Credential products and services.

Data Exporter (dataExporter)

Required role level: systemAdmin

What it means: Data Exporters generate reports by exporting Credential and access group data. They create the data exports needed for reporting and compliance. When you need to analyze what's happening or prove compliance, this role has you covered.

What they can do:

  • Access Credentials list page
  • Use "Download to Excel" button to export Credential data
  • Export search results with filters applied
  • Export access group information from Access Control pages
  • Generate compliance reports with Credential details including production dates and status
  • Export data with custom field selections
  • Download CSV files with Credential information for analysis

Who should get this: Analysts, compliance officers, and auditors who need to export Credential data.

Tenant Statistics (tenantStatistics)

Required role level: superAdmin

What it means: This role provides read-only access to analytics and usage data for tenants. People with this role can view statistics and metrics but can't make changes. Perfect for leadership and analysts who need insights without access.

What they can do:

  • Access Tenant Statistics page
  • View usage dashboards with charts and metrics
  • See tenant activity statistics (credentials ordered, produced, users created, tenants created)
  • View performance metrics and trends
  • Filter statistics by date ranges
  • View statistics across multiple tenants
  • Export statistics data

Who should get this: Leadership, analysts, or auditors who need to review tenant usage data.

Tenant Creation (tenantCreation)

Required role level: superAdmin

What it means: Tenant Creators set up new organizations (tenants) in the system. They provision new organizations with default settings and get them ready to use. They're the first step in onboarding new organizations.

What they can do:

  • Access Tenants page
  • Use "Create a new tenant" button
  • Fill out tenant creation form with tenant name, description, and settings
  • Set up default configuration for new organizations (delivery settings, features, products)
  • Assign initial administrators and user groups
  • Configure tenant contact information
  • Save new tenant to the system

Who should get this: Platform onboarding staff who set up new organizations in Breeze.

Tenant Deletion (tenantDeletion)

Required role level: superAdmin

What it means: Tenant Deletion role holders safely retire and remove tenants from the system. They handle tenant decommissioning following proper policies. This is a sensitive role that should be carefully managed.

What they can do:

  • Access tenant detail pages
  • Use tenant deletion functionality (when available)
  • Delete tenants that are no longer needed through confirmation dialogs
  • Perform tenant cleanup following policy
  • Verify tenant dependencies before deletion

Who should get this: Platform offboarding staff who handle tenant retirement.

Production Operator (productionOperator)

Required role level: superAdmin

What it means: Production Operators handle the physical production of ID cards. They mark Credentials as produced and update production information. These are the people who actually make the cards happen.

What they can do:

  • Access Production → Produce page
  • View credentials ready for production
  • Select credentials to produce
  • Use "Produce Credential" button on individual credentials
  • Mark credentials as produced after printing/encoding through production dialogs
  • Update production dates and device information
  • Upload card preview images (front and back)
  • Edit photos during production
  • Modify credential data in production mode
  • Print carrier-only when applicable
  • View production job lists
  • Use batch production features with delay settings

Who should get this: Print room operators, card encoding technicians, and production staff who physically create ID cards.

Access Controller (accessController)

Required role level: admin

What it means: Access Controllers manage access groups that control which Credentials can access which resources. They control access permissions for Credentials in access control systems. This role connects your cards to your access control systems.

What they can do:

  • Access Access Control pages (when available)
  • Create and manage access groups through access group management interfaces
  • View access group usage and membership
  • Configure which Credentials belong to which access groups (indirectly, by managing access group definitions)
  • View access right assignments
  • Manage access group settings

Who should get this: Security administrators who manage access permissions for Credentials in access control systems.

User Administration (userAdministration)

Required role level: admin

What it means: User Administrators manage user accounts and role assignments. They control who has access to Breeze and what they can do. They're the gatekeepers of access in your organization.

What they can do:

  • Access Users page
  • Use "Create a new User" button to invite users via email
  • Open user profile pages
  • Modify user roles through "Modify user roles" drawer (assign base roles and task roles)
  • Add/remove users from user groups
  • Activate/deactivate user accounts using action buttons
  • Re-activate deactivated users
  • Delete user accounts (with email confirmation)
  • Move users between tenants (when available)
  • Send activation emails
  • Resend activation links
  • View user sign-in history

Who should get this: Tenant administrators or helpdesk supervisors who manage user access.

Identity Creator (identityCreator)

Required role level: admin

What it means: Identity Creators create and maintain person profiles (identities) that Credentials are linked to. They set up the person records that Credentials represent. They build the foundation that Credentials are built on.

What they can do:

  • Create new identities (person profiles) through identity creation forms
  • Update identity information in credential data collections (names, photos, contact details)
  • Upload person photos and signatures
  • Edit person details in Credential edit dialogs
  • Link Credentials to identities when creating credentials
  • Manage identity data before credential issuance

Who should get this: HR staff, helpdesk teams, or administrators who create person records before Credentials are issued.

Number Range Administration (numberRangeAdmin)

Required role level: admin

What it means: Number Range Administrators manage numbering sequences used for Credentials. They control how Credentials get their unique numbers. This role ensures every Credential follows your organization's numbering scheme.

What they can do:

  • Access Number Ranges page
  • Create and configure number range templates
  • Set number prefixes, suffixes, and site codes
  • Configure incremental steps and minimum lengths
  • Set version number starting points
  • Whitelist tenants to use specific number ranges through tenant selection
  • View next unused numbers
  • Manage number range formulas
  • View tenants using each number range
  • Remove number ranges from tenant whitelists

Who should get this: Operations staff responsible for ensuring Credentials follow the correct numbering scheme.

Approver (approver)

Required role level: admin

What it means: Approvers review and approve Credential requests and Duo ID submissions. They control whether Credentials proceed to production. They're the quality gatekeepers who make sure requests meet standards before cards are made.

What they can do:

  • Access Approvals page and My Requests page
  • View pending approval requests in approval review dialogs
  • Use "Approve" and "Reject" buttons on approval items
  • Review credential previews during approval
  • Reject requests with rejection reasons through rejection dialog
  • Approve Duo ID submissions when collaborators submit their details
  • View Duo ID approval review dialogs with credential previews
  • Resend Duo ID invitation emails using "Send Duo ID request to end-user again" button
  • Navigate between pending items in approval workflows
  • View approval request history and status

Who should get this: Managers, supervisors, or designated approvers who must sign off on Credential requests before production.

View Order History (viewOrderHistory)

Required role level: admin

What it means: This role provides read-only access to historical order information. People with this role can view past Credential orders but can't create or modify them. Perfect for people who need to review history without making changes.

What they can do:

  • Access Order History page
  • View past orders in order list
  • Filter orders by date range or status using filters
  • Open order detail pages to see order details and history
  • View order items and delivery information
  • See order status timeline
  • Download order information
  • View order tracking details (read-only, cannot modify orders)

Who should get this: Finance staff, auditors, or team leads who need to review order history but don't need to create or modify orders.

Data change operator (dataChangeOperator)

Required role level: admin

What it means: Data Change Operators update Credential data after creation. They make controlled corrections to Credential information when needed. This role is for fixing mistakes and keeping data accurate.

What they can do:

  • Access Credential detail pages
  • Use "Modify Credential Data" button on credentials
  • Open credential data modification dialogs
  • Update data collections linked to credentials (person names, photos, contact details)
  • Edit person information fields
  • Upload new photos to replace existing ones
  • Correct errors in credential data through edit forms
  • Make approved data changes with confirmation
  • View credential modification history

Who should get this: Senior operators who are authorized to make data corrections when mistakes are discovered or updates are needed.

How role assignment works

Understanding how roles are assigned helps you plan your access control strategy. Here's how it works:

Who can assign roles?

To grant any role or task role, the acting user must:

  • Have role level: admin or higher
  • Have task role: userAdministration
  • Not assign a role with higher priority than their own (you can only grant roles at or below your own priority level)
  • Perform the action within the correct tenant context

Minimum role requirements for task roles

Task roles are assigned based on priority values. You must have at least the role level with a priority equal to or higher than the task role's priority to receive it:

  • Task roles with priority 201 require: systemAdmin (priority 100) or higher
  • Task roles with priority 401–410 require: superAdmin (priority 400) or higher
  • Task roles with priority 501 require: admin (priority 500) or higher

This ensures that people can only assign roles that match or are below their own level, maintaining proper security and access control throughout the system.