Roles & permissions
Maddict has three roles. Your role determines which surfaces you can open and which actions you can take. Permissions are enforced on the server, not just hidden in the interface.
The three roles
| Role | Scope | Primary surface |
|---|---|---|
| Dashboard user (analyst) | One agency | /dashboard |
| Agency admin | One agency | /dashboard (+ team management) |
| Platform admin (Maddict staff) | The whole platform | /admin |
What each role can do
| Capability | Dashboard user | Agency admin | Platform admin |
|---|---|---|---|
| Browse the catalogue | ✅ | ✅ | — |
| Build, save, compare, export audiences | ✅ | ✅ | — |
| Use the AI draft assistant | ✅ | ✅ | — |
| Manage own profile & password | ✅ | ✅ | ✅ |
| Invite / remove teammates | — | ✅ | — |
| Assign roles within the agency | — | ✅ | — |
| See the agency’s plan usage | — | ✅ | — |
| Provision & suspend agencies | — | — | ✅ |
| Set tiers, seat caps, validity | — | — | ✅ |
| View the platform audit log | — | — | ✅ |
Platform admins operate the platform; they don’t work inside an individual agency’s audiences. Building audiences is the job of dashboard users and agency admins.
The platform back-office is invisible to others
The back-office at /admin is gated to the platform-admin claim. For anyone without it, the route returns a 404: it doesn’t just deny access, it doesn’t reveal that the surface exists at all. See Platform back-office.
Access is checked on every request
A valid login is not enough on its own. On each request Maddict verifies that you:
- are an active member of the agency whose data you’re touching,
- have a role that permits the action, and
- are within your agency’s entitlements.
So a suspended user, a removed member, or an expired agency can’t reach tenant data even with working credentials. The database backs this up with row-level security — see Tenant data isolation.
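The following is an added illustration, not Maddict’s own code, of how the rules on this page fit together in one server-side gate: the capability matrix from the table above, the 404 (rather than 403) for /admin without the platform-admin claim, and the three per-request checks (active membership, role permits the action, agency within its entitlements). The role names, the `authorize` function, the request shape, and the sample memberships and agencies are all assumptions made for the example; the entitlement checks shown (suspension, validity date, seat cap) are one plausible reading of “tiers, seat caps, validity”.

```typescript
// Added example (not Maddict's code): a server-side authorization gate
// built from the rules stated on the page. All names and data are assumed.

type Role = "dashboard_user" | "agency_admin" | "platform_admin";

type Capability =
  | "browse_catalogue" | "build_audiences" | "use_ai_assistant" | "manage_own_profile"
  | "manage_teammates" | "assign_roles" | "view_plan_usage"
  | "provision_agencies" | "set_tiers" | "view_audit_log";

// Capability matrix transcribed from the page's table. Platform admins get
// no agency-scoped audience capabilities on purpose.
const CAPABILITIES: Record<Role, ReadonlySet<Capability>> = {
  dashboard_user: new Set<Capability>([
    "browse_catalogue", "build_audiences", "use_ai_assistant", "manage_own_profile",
  ]),
  agency_admin: new Set<Capability>([
    "browse_catalogue", "build_audiences", "use_ai_assistant", "manage_own_profile",
    "manage_teammates", "assign_roles", "view_plan_usage",
  ]),
  platform_admin: new Set<Capability>([
    "manage_own_profile", "provision_agencies", "set_tiers", "view_audit_log",
  ]),
};

interface Membership { userId: string; agencyId: string; role: Role; active: boolean }
interface Agency { id: string; suspended: boolean; validUntil: string; seatCap: number }
interface Session { userId: string; platformAdmin: boolean }

interface AuthRequest {
  session: Session | null;
  path: string;
  agencyId?: string;       // tenant whose data the request touches
  capability?: Capability; // action the handler needs
}

// Constructed sample data with hypothetical ids.
const memberships: Membership[] = [
  { userId: "u1", agencyId: "a1", role: "dashboard_user", active: true },
  { userId: "u2", agencyId: "a1", role: "agency_admin", active: true },
  { userId: "u3", agencyId: "a1", role: "dashboard_user", active: false }, // removed member
  { userId: "u4", agencyId: "a2", role: "agency_admin", active: true },
];
const agencies: Agency[] = [
  { id: "a1", suspended: false, validUntil: "2099-01-01", seatCap: 5 },
  { id: "a2", suspended: false, validUntil: "2000-01-01", seatCap: 5 }, // expired agency
];

interface Decision { status: 200 | 401 | 403 | 404; reason: string }

// Evaluated on every request; a valid session alone never grants access.
function authorize(req: AuthRequest, now: Date = new Date("2024-06-01")): Decision {
  if (req.session === null) return { status: 401, reason: "not signed in" };
  const session = req.session;

  // /admin is gated to the platform-admin claim; without it the route is a 404,
  // so the existence of the back-office is not revealed.
  if (req.path.startsWith("/admin")) {
    return session.platformAdmin
      ? { status: 200, reason: "platform admin" }
      : { status: 404, reason: "not found" };
  }

  if (req.agencyId === undefined || req.capability === undefined) {
    return { status: 403, reason: "request does not name a tenant and an action" };
  }
  const agencyId = req.agencyId;
  const capability = req.capability;

  // 1. Active member of the agency whose data is being touched.
  const m = memberships.find((x) => x.userId === session.userId && x.agencyId === agencyId);
  if (m === undefined || !m.active) return { status: 403, reason: "not an active member" };

  // 2. Role permits the action.
  if (!CAPABILITIES[m.role].has(capability)) {
    return { status: 403, reason: `role ${m.role} may not ${capability}` };
  }

  // 3. Within the agency's entitlements (suspension, validity window, seat cap).
  const agency = agencies.find((a) => a.id === agencyId);
  if (agency === undefined || agency.suspended) return { status: 403, reason: "agency suspended" };
  if (new Date(agency.validUntil) < now) return { status: 403, reason: "agency validity expired" };
  const seats = memberships.filter((x) => x.agencyId === agency.id && x.active).length;
  if (seats > agency.seatCap) return { status: 403, reason: "agency over seat cap" };

  return { status: 200, reason: "ok" };
}
```

Note that a platform-admin session with no membership in an agency is refused at step 1 when it touches /dashboard data, which is the page’s point that platform admins operate the platform rather than working inside an agency’s audiences; and that the /admin branch answers before any tenant lookup, so the 404 leaks nothing about membership either.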