The Deskpro agent permissions system is designed to give admins granular control over what agents can see and do in the helpdesk. In this article, we'll explain how you can set up permissions for various different situations.

Basic concepts

Each agent account has a set of permissions which grant access to different functions.

Under Admin > Agents > Agent Profiles you can grant permissions to each agent individually:

Agents also have department permissions. There are two levels of department permission:

• Full access - means that agents has full visibility over tickets in a department

• Can assign to - means agents can assign tickets to the department, but not have visibility over the ticket once assigned to it.

Permission Groups

To save time applying permissions to agents, you can create permission groups which will grant permissions to multiple agents at once. A permission group stores a set of permissions, and when you add an agent to the group, the agent is granted all those permissions. You can add an agent to more than one permission group.

There are two built-in permission groups: 

•  All Permissions - Agents in this group will have full access to the agent interface, including access to all ticket departments.
• All Non-Destructive Permissions -  Agents that are in this group will have nearly full access to the agent interface, including access to all ticket departments. The only permissions that this group does not grant are those which allow certain destructive actions, such as irreversible delete operations.

Permissions are additive

The key concept to remember is that permissions are always additive, whether you grant them through the agent's individual account or by adding the agent to a permission group.

If you add an agent to 3 different permission groups, they will have every permission that is granted by any one of their groups.

You can't take away a permission on an agent's individual account that's been granted from a permission group. For example, here's the profile of an agent who's a member of the All Non-Destructive Permissions group. 

The permissions granted through the group are shown as locked; you can't remove them individually (because permissions are additive) - so if you wanted this agent not to be able to create new tickets, you'd have to remove them from the permission group altogether.

However, you can add extra permissions to an individual agent's account. Because it's not granted through a permission group, it's considered a permission override.

Managing permissions with only a few agents

The point of permission groups is to make it quicker to edit large numbers of agents.

If you only have a few agents who need widely different permissions, there is no need to set up permission groups. It's quicker just to edit permissions on each agents' profile.

If you have a small number of agents who all need the same custom permissions, you could add them all to the same custom permission group. That way, if you decide to change your permissions policy, you can change all of them at once.

Separate permission levels and department access

Suppose your helpdesk is divided up like this:

• Different agents may need access to one or more of three departments: Sales, Support and Accounts

• Agents include:

  • Trainees who need limited permissions

  • Standard employees who need more permissions

  • Managers who need all permissions.

Clearly, it's impractical to make groups for Sales Trainee, Support Trainee, Accounts Trainee, Sales & Support Trainees etc.

A better way to implement this would be to set up a "Sales Dept Access" permission group that only grants Sales department access, and nothing else:

Then do the same for the Support and Accounts departments, etc.

Then set up a Trainee permission group, a Standard permission group and a Managers permission group.

This lets you apply permissions like this: