ISP RBAC & Permission Management — Secure Access for Every User
Implement granular role-based access control for your ISP. Create custom roles, assign permissions per module, and enforce least-privilege access across partners and employees.
Quick answer
Not every employee needs access to billing. Not every partner should see network settings. NowaCRM's Role-Based Access Control (RBAC) lets you define exactly what each user type can see and do — with granular permissions per module, tenant-scoped roles, and hierarchy-enforced isolation.
Custom Role Creation
Create roles tailored to your ISP operations — Billing Executive, Field Technician, Collection Agent, Network Admin, Support Lead. Each role is a collection of permissions. Roles are tenant-scoped — each ISP defines its own roles independently. No limit on the number of roles or permission combinations.
Granular Module Permissions
Permissions are defined per module and action: subscribers.view, subscribers.create, subscribers.edit, billing.invoices.generate, network.nas.manage, tickets.assign. Over 50 permission points cover every aspect of the platform. Assign exactly the permissions each role needs — no more, no less.
Hierarchy-Based Access
RBAC works within the partner hierarchy. A partner's employee can only access data within their partner's subtree — even if their role has broad permissions. ISP-level employees see all data. Partner-level employees see only their branch. The combination of RBAC + hierarchy ensures both functional and organizational access control.
Employee & Partner User Management
Create employee accounts under ISPs or partners. Assign one or more roles per employee. View employee access reports — who has access to what. Deactivate employee accounts instantly when they leave. Password policies, session management, and login audit logs add additional security layers.
Permission Enforcement
Permissions are enforced at both the route level (middleware) and the UI level (button/menu visibility). If a user doesn't have billing.invoices.view, they can't see invoice pages AND can't access invoice API endpoints. This dual enforcement prevents both UI-based and API-based unauthorized access.
Frequently Asked Questions
Can I create custom roles for my ISP?
Yes. Create unlimited custom roles with any combination of permissions. Roles are tenant-scoped — each ISP defines its own role structure independently.
How granular are permissions?
Permissions are per-module per-action (e.g., subscribers.view, billing.invoices.generate). Over 50 permission points cover the entire platform.
Does RBAC work with the partner hierarchy?
Yes. RBAC + hierarchy = dual access control. A partner employee with subscriber.view permission only sees subscribers within their partner branch, not other branches.
Are permissions enforced at the API level?
Yes. Both route middleware and UI visibility enforce permissions. Unauthorized API access is blocked even if someone bypasses the UI.
Related Solutions
Explore More ISP Solutions
Platform Features
Ready to Transform Your ISP Operations?
Join 200+ ISPs running on NOWA CRM. Schedule a free demo and see it in action.