
RBAC for Email Platforms: Managing Team Permissions at Scale

DoPosta Team
February 6, 2026
10 min read



As email marketing teams grow, permission management becomes critical. A junior marketer shouldn't have the same access as the infrastructure team. An agency client shouldn't see other clients' campaigns. A finance manager needs billing access without campaign control.


DoPosta's **Role-Based Access Control (RBAC)** system provides 110 granular permissions across 7 default roles, plus unlimited custom roles for precise access management.


The Problem with Simple Permissions


Most email platforms offer only 2-3 permission levels: Admin, User, and maybe Viewer. This creates three problems:


**Over-privileged users**: Junior marketers get admin access because "they need to create campaigns." Now they can accidentally delete the entire customer list or modify server settings, causing deliverability disasters.


**Under-privileged users**: Finance needs to see billing but you don't want them accessing campaigns. No middle ground exists, so you share admin passwords or create manual workarounds.


**No audit trail**: When something goes wrong (a campaign deleted, settings changed, contacts exported), you can't determine who did it because everyone shares the same admin account.


Enterprise email operations need granular control. DoPosta's RBAC solves this.


DoPosta's 110 Permissions


DoPosta divides platform access into 110 specific permissions across 11 categories:


Campaign Permissions (18 permissions)

  • **campaigns.view** - View campaign list and details
  • **campaigns.create** - Create new campaigns
  • **campaigns.edit** - Modify existing campaigns
  • **campaigns.delete** - Delete campaigns
  • **campaigns.send** - Send or schedule campaigns
  • **campaigns.duplicate** - Clone campaigns
  • **campaigns.pause** - Pause running campaigns
  • **campaigns.resume** - Resume paused campaigns
  • **campaigns.viewStats** - View campaign analytics
  • **campaigns.exportStats** - Export analytics data
  • **campaigns.viewContent** - See email content/code
  • **campaigns.editContent** - Modify email content
  • **campaigns.manageTemplates** - Create/edit templates
  • **campaigns.viewABTests** - View A/B test results
  • **campaigns.createABTests** - Set up A/B tests
  • **campaigns.approveReview** - Approve campaigns for sending
  • **campaigns.bypassReview** - Send without approval
  • **campaigns.viewDrafts** - See draft campaigns

Contact List Permissions (15 permissions)

  • **lists.view** - View lists and segments
  • **lists.create** - Create new lists
  • **lists.edit** - Modify list details
  • **lists.delete** - Delete lists
  • **lists.import** - Import contacts
  • **lists.export** - Export contacts
  • **lists.viewContacts** - See contact details
  • **lists.addContacts** - Add individual contacts
  • **lists.editContacts** - Modify contact data
  • **lists.deleteContacts** - Remove contacts
  • **lists.createSegments** - Build segments
  • **lists.viewSegments** - View segment criteria
  • **lists.editSegments** - Modify segments
  • **lists.manageCustomFields** - Create/edit custom fields
  • **lists.viewSuppression** - See suppression lists

Server & Infrastructure (12 permissions)

  • **servers.view** - View server list
  • **servers.create** - Add servers
  • **servers.edit** - Modify server settings
  • **servers.delete** - Remove servers
  • **servers.viewCredentials** - See SMTP credentials
  • **servers.editCredentials** - Modify credentials
  • **servers.testConnection** - Run connection tests
  • **servers.viewLogs** - Access server logs
  • **servers.managePMTA** - Configure PowerMTA
  • **servers.manageIPs** - IP pool management
  • **servers.configureRouting** - Set routing rules
  • **servers.manageSSL** - SSL/TLS configuration

Analytics & Reporting (10 permissions)

  • **analytics.viewDashboard** - See main dashboard
  • **analytics.viewReports** - Access all reports
  • **analytics.createReports** - Build custom reports
  • **analytics.exportReports** - Download report data
  • **analytics.viewRevenue** - See revenue metrics
  • **analytics.viewEngagement** - Engagement analytics
  • **analytics.viewDeliverability** - Delivery/bounce rates
  • **analytics.viewGeo** - Geographic analytics
  • **analytics.viewDevice** - Device analytics
  • **analytics.viewRealTime** - Real-time monitoring

User Management (9 permissions)

  • **users.view** - View user list
  • **users.create** - Add new users
  • **users.edit** - Modify user details
  • **users.delete** - Remove users
  • **users.assignRoles** - Change user roles
  • **users.viewActivity** - See user activity logs
  • **users.manageTeams** - Create/edit teams
  • **users.resetPassword** - Force password resets
  • **users.impersonate** - Log in as another user

Plus 56 more permissions covering: Billing (8), API Access (7), Webhooks (6), Automation (12), Compliance (8), Templates (7), Domains (6), and Integrations (6).


The 7 Default Roles

DoPosta provides 7 pre-configured roles that cover 90% of use cases:

1. Super Admin

**All 110 permissions** - Complete platform control including billing, user management, server configuration, and all campaign operations. Typically 1-2 people per organization.

2. Admin

**98 permissions** - Full campaign and operational control, but cannot manage billing or delete other admins. Can add users, configure servers, and manage all campaigns. For trusted team leaders.

3. Campaign Manager

**45 permissions** - Create, edit, send, and analyze campaigns. Manage lists and contacts. View but not edit server settings. Cannot access billing or user management. For senior marketers.

4. Campaign Creator

**28 permissions** - Create draft campaigns, edit templates, and manage assigned lists. Cannot send campaigns (must submit them for approval) or access analytics beyond their own campaigns. For junior marketers.

5. Analyst

**22 permissions** - View-only access to all analytics, reports, and campaign performance, with data export. No campaign creation or editing. For data teams.

6. Developer

**34 permissions** - Full API access, webhook configuration, server testing, and integration management. View campaigns and lists. No campaign sending. For technical integrations.

7. Billing Manager

**15 permissions** - View and manage billing, subscriptions, invoices, and usage reports. No campaign or contact access. For finance teams.


Creating Custom Roles

Beyond the default roles, create unlimited custom roles for specific needs:

**Agency Client Role**: Create a role with only campaigns.view, campaigns.viewStats, and lists.view for a single assigned workspace. Clients see their campaigns and data, nothing else.

**Content Editor Role**: Grant campaigns.viewContent, campaigns.editContent, and campaigns.manageTemplates without send permissions. Copywriters edit content, marketers handle sending.

**Compliance Officer Role**: Provide campaigns.view, lists.viewSuppression, analytics.viewDeliverability, and users.viewActivity to monitor compliance without operational access.

**Seasonal Contractor Role**: Temporary role with campaigns.create and lists.import for a specific workspace and time period. Automatically expires after campaign season.


Permission Inheritance & Teams

DoPosta's RBAC supports **team-based permissions** for complex organizations:

Create teams (e.g., "E-commerce Team", "Newsletter Team", "Transactional Team"). Assign each team a workspace with dedicated lists, campaigns, and servers. Users inherit base permissions from their role, plus team-specific overrides.

Example: A Campaign Creator role normally can't access billing. But for the "E-commerce Team Lead", add a team override granting billing.view so they can see team-specific usage without accessing company-wide billing.


Multi-Workspace Isolation

For agencies or enterprises with separate business units, **workspace isolation** provides complete data separation:

  • User "john@agency.com" has the Admin role in the "Client A" workspace
  • The same user has the Analyst role in the "Client B" workspace
  • Neither role lets them see campaigns, lists, or data across workspaces
  • Super Admins can access all workspaces

Each workspace has its own contact lists, campaigns, templates, servers, API keys, billing, and analytics. One DoPosta account, complete client isolation.
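The following is an added illustration, not DoPosta's code, of how the workspace-scoped role lookup, team overrides, and Super Admin cross-workspace access described in the last two sections fit together. Role names and permission strings come from the post; the Python data model, the per-role permission subsets, and the user accounts are constructed for the example.

```python
# Added example (not DoPosta's code): per-workspace permission resolution with
# team overrides and Super Admin cross-workspace access, as the post describes.
from dataclasses import dataclass, field

# Constructed subset of the post's permission names for three default roles
ROLE_PERMISSIONS = {
    "Admin": {"campaigns.view", "campaigns.send", "campaigns.delete",
              "lists.view", "lists.export", "users.create", "servers.edit"},
    "Analyst": {"analytics.viewDashboard", "analytics.viewReports",
                "campaigns.view", "campaigns.viewStats", "campaigns.exportStats"},
    "Campaign Creator": {"campaigns.create", "campaigns.viewDrafts",
                         "campaigns.editContent", "campaigns.manageTemplates"},
}

@dataclass
class User:
    email: str
    super_admin: bool = False                        # account-wide, every workspace
    roles: dict = field(default_factory=dict)        # workspace -> default role name
    team_overrides: dict = field(default_factory=dict)  # workspace -> extra permissions

def effective_permissions(user, workspace):
    """Base permissions from the workspace role, plus that workspace's team overrides."""
    role = user.roles.get(workspace)
    if role is None:
        return set()   # not a member: workspace isolation hides everything
    perms = set(ROLE_PERMISSIONS[role])
    perms |= user.team_overrides.get(workspace, set())   # overrides stay per-workspace
    return perms

def is_allowed(user, workspace, permission):
    if user.super_admin:
        return True    # Super Admins reach all workspaces
    return permission in effective_permissions(user, workspace)

# Constructed accounts mirroring the post's cases
john = User("john@agency.com", roles={"Client A": "Admin", "Client B": "Analyst"})
lead = User("lead@shop.example", roles={"E-commerce": "Campaign Creator"},
            team_overrides={"E-commerce": {"billing.view"}})
ceo = User("ceo@agency.com", super_admin=True)

if __name__ == "__main__":
    print(is_allowed(john, "Client A", "campaigns.send"))   # True: Admin there
    print(is_allowed(john, "Client B", "campaigns.send"))   # False: Analyst only
    print(is_allowed(john, "Client C", "campaigns.view"))   # False: no membership
    print(is_allowed(lead, "E-commerce", "billing.view"))   # True via team override
    print(is_allowed(ceo, "Client B", "servers.editCredentials"))  # True
```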


Audit Logging

Every permission-gated action generates an audit log entry:

  • **Who**: User ID and name
  • **What**: Specific action (e.g., "campaigns.delete")
  • **When**: Timestamp with timezone
  • **Where**: IP address and user agent
  • **Details**: Which campaign/list/server was affected

View logs in the Admin dashboard or export them for compliance reporting. Filter by user, action type, date range, or resource. Meets SOC 2, GDPR, and HIPAA audit requirements.


API Key Permissions

API keys inherit the same RBAC system. When generating an API key, select which permissions it has. For example, create:

  • **Read-only analytics key** for dashboards (analytics.viewDashboard, analytics.viewReports)
  • **Send-only key** for transactional emails (campaigns.send, lists.viewContacts)
  • **List management key** for integrations (lists.import, lists.addContacts, lists.createSegments)
  • **Full access key** for administrative automation (selectively grant permissions)

Rotate keys independently. Revoke compromised keys without affecting other integrations.


Best Practices for RBAC Implementation

Start with Default Roles

Don't create custom roles immediately. Use the defaults for 2-4 weeks to understand actual needs, then customize based on real friction points.

Principle of Least Privilege

Grant the minimum permissions needed for each role. It's easier to add permissions when users request them than to remove over-privileged access later.

Regular Permission Audits

Quarterly, review all users and roles. Remove inactive users. Adjust roles as responsibilities change. Export a user permission report for compliance.

Use Teams for Scaling

As you add users, organize them by teams instead of individual permission overrides. This maintains consistency and simplifies management.

Monitor Privileged Actions

Set up alerts for sensitive permissions: user deletion, server credential changes, large contact exports, API key generation. Review these actions weekly.

Document Custom Roles

When creating custom roles, document the use case and intended audience. This prevents permission creep ("why does this role have server access?").

Test New Roles in Staging

Before assigning a new custom role to production users, test it in a staging workspace to ensure it has exactly the needed permissions.
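As an added example (not DoPosta's code), the review step described here can be run over an export of the audit log from the "Audit Logging" section: parse the entries and flag the sensitive actions named in this section. The log lines and the JSON field names are constructed; the "apiKeys.create" permission name and the 10,000-contact threshold for a "large" export are assumptions, since the post names neither.

```python
# Added example (not DoPosta's code): flag privileged actions in an exported
# audit log of the shape the post describes (who, what, when, where, details).
import json

# Actions the post singles out for alerting. "apiKeys.create" is an assumed
# name (the post counts 7 API Access permissions but does not list them);
# users.impersonate is on the post's permission list and is added here as well.
SENSITIVE_ACTIONS = {
    "users.delete": "user deletion",
    "users.impersonate": "impersonation of another user",
    "servers.editCredentials": "server credential change",
    "apiKeys.create": "API key generation",
}
LARGE_EXPORT = 10_000  # assumed threshold for a "large contact export"

# Constructed sample export, one JSON object per line
SAMPLE_LOG = """
{"user_id": 7, "user": "jane@example.com", "action": "campaigns.view", "when": "2026-02-06T09:00:00+00:00", "ip": "203.0.113.5", "resource": "campaign:341"}
{"user_id": 7, "user": "jane@example.com", "action": "lists.export", "when": "2026-02-06T09:05:00+00:00", "ip": "203.0.113.5", "resource": "list:12", "count": 250}
{"user_id": 3, "user": "bob@example.com", "action": "lists.export", "when": "2026-02-06T09:07:00+00:00", "ip": "198.51.100.9", "resource": "list:12", "count": 48000}
{"user_id": 3, "user": "bob@example.com", "action": "servers.editCredentials", "when": "2026-02-06T09:09:00+00:00", "ip": "198.51.100.9", "resource": "server:2"}
{"user_id": 1, "user": "admin@example.com", "action": "users.delete", "when": "2026-02-06T10:00:00+00:00", "ip": "192.0.2.44", "resource": "user:7"}
"""

def parse_log(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def flag_privileged(entries, large_export=LARGE_EXPORT):
    """Return (user, action, reason, resource) tuples that merit weekly review."""
    alerts = []
    for entry in entries:
        action = entry["action"]
        if action in SENSITIVE_ACTIONS:
            alerts.append((entry["user"], action, SENSITIVE_ACTIONS[action], entry["resource"]))
        elif action == "lists.export" and entry.get("count", 0) >= large_export:
            reason = f"large contact export ({entry['count']} contacts)"
            alerts.append((entry["user"], action, reason, entry["resource"]))
    return alerts

if __name__ == "__main__":
    for user, action, reason, resource in flag_privileged(parse_log(SAMPLE_LOG)):
        print(f"{user} {action} on {resource}: {reason}")
```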


Common RBAC Scenarios

**Scenario 1: Agency with 20 clients** - Create 20 workspaces. Assign Account Managers as Admins per workspace. Create a "Client View" custom role (view-only campaigns and analytics). The CEO has Super Admin across all workspaces.

**Scenario 2: Enterprise with regional teams** - Create workspaces for NA, EMEA, and APAC. Campaign Managers can operate within their region. The global marketing director has the Analyst role across all regions for reporting.

**Scenario 3: E-commerce with separation of duties** - The marketing team has the Campaign Manager role. The compliance officer has a custom role (view-only campaigns plus full suppression list access). Developers have the Developer role with API access.

**Scenario 4: Small startup** - The founder has Super Admin. Two marketers have Campaign Manager. An external designer has a custom role (template editing only, no list or campaign access).


Security Considerations

RBAC is only effective with strong authentication:

  • **Enforce 2FA** for all users with campaign sending permissions
  • **Require 2FA** for Super Admin and Admin roles (mandatory in DoPosta)
  • **Set session timeouts** (DoPosta defaults to 12 hours, configurable down to 1 hour)
  • **IP whitelisting** for API keys with elevated permissions
  • **Rotate API keys** every 90 days for production integrations

Pricing & Availability

DoPosta's full RBAC system is available on all paid plans:

  • **Starter Plan**: 5 users, 7 default roles only
  • **Professional Plan**: 25 users, unlimited custom roles, team support
  • **Enterprise Plan**: Unlimited users, workspace isolation, advanced audit logging, SSO integration

The free trial includes full RBAC for testing.


Migration from Simple Permissions

Moving from a platform with basic permissions? DoPosta's migration wizard:

1. **Audit current access** - Export the current user list with roles

2. **Map to DoPosta roles** - The wizard suggests role mappings

3. **Review sensitive permissions** - Highlights users who will lose or gain critical permissions

4. **Staged rollout** - Migrate in phases (admins first, then others)


Conclusion

Email platform security starts with proper access control. DoPosta's 110-permission RBAC system with 7 default roles, unlimited custom roles, and team-based management provides enterprise-grade security without complexity.

Stop sharing admin passwords or over-privileging users. [Start your DoPosta trial](/register) and implement proper access control in 15 minutes.

[View full permission documentation](/features) or [contact our security team](/contact) for SSO and compliance questions.

