Permissions Deep Dive
whoot.'s role-based access control system enforces 50+ granular permissions across 11 categories. This guide covers how permissions are evaluated, enforced in real time, and audited for compliance.
How Permissions Work
Every action in whoot. — from joining a channel to modifying billing settings — is gated by a permission check. The flow works as follows:
- User authenticates — The user signs in and their session is established
- Permissions are resolved — The system looks up the user's role in the current tenant and resolves the full set of permissions associated with that role
- Action is requested — The user attempts to perform an action (e.g. create a channel, invite a member)
- Permission is checked — The API validates that the user's resolved permissions include the permission required for the requested action
- Action is allowed or denied — If the permission exists, the action proceeds. If not, a 403 Forbidden response is returned
Permission Categories
Permissions are organised into 11 categories, each covering a distinct area of the platform:
1. Users
Control who can manage the membership of your workspace:
- Invite new members to the workspace
- View member profiles and contact details
- Change a member's assigned role
- Remove members from the workspace
- Trigger password resets for other users
- Disable MFA for other users
2. Channels
Control who can create, modify, and delete voice channels:
- Create new channels
- Edit channel names, descriptions, and settings
- Delete channels
- Configure channel-level add-ons (recording, transcription, dial out)
- Set transmission permissions (open vs. restricted)
3. Voice
Control who can participate in voice channels:
- Join voice channels
- Transmit audio (push-to-talk / latch)
- Use latch mode for hands-free conversation
4. Recording
Control who can enable and access channel recordings:
- Enable or disable recording on a channel
- Access and play back recordings
- Configure recording retention policies
5. Transcription
Control who can enable and view AI transcriptions:
- Enable or disable transcription on a channel
- View live and historical transcripts
- Search across transcripts
6. Dial Out
Control who can initiate PSTN calls into channels:
- Initiate dial-out calls to phone numbers
- Configure dial-out settings on channels
7. Billing
Control access to financial information and payment management:
- View invoices and billing history
- Manage subscriptions and plan changes
- Add and remove payment methods
- View upcoming invoice previews
8. Security
Control who can configure workspace security settings:
- Configure MFA policies (disabled / optional / enforced)
- Set up and manage SAML SSO providers
- Verify domains for SSO
- View and export audit logs
9. Roles
Control who can create and modify the role structure:
- Create new custom roles
- Edit permissions on existing roles
- Delete custom roles (with automatic user reassignment)
10. Settings
Control who can modify workspace-level settings:
- Change workspace name and slug
- Manage display and branding settings
- Configure general workspace preferences
11. Audit
Control who can access compliance and audit features:
- View the audit log
- Run access reviews
- Export audit reports (CSV/JSON)
- Certify access review cycles
Real-Time Permission Enforcement
Permissions in whoot. are not just checked at page load — they are enforced continuously:
- Server-side on every API call — Every API endpoint verifies the user's permissions before processing the request. There are no client-only permission gates
- Client-side for UI gating — The dashboard fetches the user's resolved permissions and uses them to show or hide UI elements. This prevents confusion but is not the security boundary — the server always re-validates
- Periodic re-validation — The client re-checks permissions every 30 seconds. If a user's role is changed by an admin, the updated permissions take effect within seconds without requiring a page refresh
- Immediate effect on role change — When an admin assigns a new role to a user, the change takes effect immediately. The next API request from that user will use the new permissions
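The five-step flow above and the enforcement model in this section, carried through as an added example that is not whoot.'s own code. The role names, permission identifiers (such as `channels.delete`) and the tenant membership table are constructed for illustration; whoot.'s real identifiers are not published on this page. The point the code makes is the one the text makes: the server re-resolves permissions from the membership table on every request, so a role change is visible to the next call, while the dashboard's cached copy only gates the UI and catches up on its 30-second refresh.

```python
"""Added example (not whoot.'s own code): tenant-scoped permission resolution,
per-request server-side enforcement, and a client-side cache with a 30-second
refresh. Role names, permission identifiers and users are constructed."""
import time

# Constructed permission identifiers, grouped roughly like the page's categories.
ROLE_PERMISSIONS = {
    "Admin": {"users.invite", "users.change_role", "channels.create", "channels.delete",
              "voice.join", "voice.transmit", "billing.view", "security.configure_mfa",
              "audit.view", "roles.edit"},
    "Member": {"channels.create", "voice.join", "voice.transmit"},
    "External Observer": {"voice.join"},
}

# Constructed membership table: tenant -> user -> role. A user's role is per tenant.
MEMBERSHIPS = {
    "acme": {"alice": "Admin", "bob": "Member", "carol": "External Observer"},
    "globex": {"alice": "Member"},
}


def resolve_permissions(tenant, user):
    """Flow step 2: look up the user's role in *this* tenant and expand it to a
    permission set. A non-member of the tenant gets the empty set, not a default role."""
    role = MEMBERSHIPS.get(tenant, {}).get(user)
    if role is None:
        return frozenset()
    return frozenset(ROLE_PERMISSIONS.get(role, ()))


def authorize(tenant, user, required):
    """Flow steps 4-5, run by the server on every API call: re-resolve from the
    membership table (no copy cached at login) and return an HTTP status code."""
    return 200 if required in resolve_permissions(tenant, user) else 403


def change_role(tenant, user, new_role, actor):
    """An admin assigns a new role. The actor must hold users.change_role in the same
    tenant; the change is visible to the very next authorize() call for the target."""
    if authorize(tenant, actor, "users.change_role") != 200:
        return 403
    if new_role not in ROLE_PERMISSIONS or user not in MEMBERSHIPS.get(tenant, {}):
        return 400
    MEMBERSHIPS[tenant][user] = new_role
    return 200


class ClientPermissionCache:
    """Dashboard-side UI gating: holds the resolved set and refreshes it every TTL
    seconds. It only decides what to show; the server never consults it."""
    TTL = 30.0

    def __init__(self, tenant, user, clock=time.monotonic):
        self.tenant, self.user, self.clock = tenant, user, clock
        self.perms, self.fetched_at = frozenset(), float("-inf")

    def can(self, permission):
        if self.clock() - self.fetched_at >= self.TTL:
            self.perms = resolve_permissions(self.tenant, self.user)  # simulated fetch
            self.fetched_at = self.clock()
        return permission in self.perms


if __name__ == "__main__":
    ui = ClientPermissionCache("acme", "bob")
    print(ui.can("channels.delete"), authorize("acme", "bob", "channels.delete"))
    change_role("acme", "bob", "Admin", actor="alice")
    # Server answers 200 immediately; the UI cache stays stale until its next refresh.
    print(ui.can("channels.delete"), authorize("acme", "bob", "channels.delete"))
```

The `clock` parameter exists so the 30-second refresh can be exercised deterministically; in the dashboard it would simply be wall-clock time. Note that `authorize` never reads the client cache, which is what makes the server the security boundary.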
Role Change Auditing
Every role-related action is recorded in the immutable audit log with full contextual detail:
This audit trail provides the evidence needed for SOC 2, ISO 27001, and other compliance frameworks that require demonstrable access control management.
Periodic Access Reviews
whoot. includes a built-in access review workflow for compliance:
- Navigate to Settings → Security → Access Reviews
- Start a new review cycle — this snapshots the current state of all users, roles, and permissions
- Review each user: verify their role, permissions, and channel assignments are appropriate
- Approve, modify, or revoke access as needed
- Certify the review as complete — this creates an immutable audit record that the review was performed
Access reviews are a key requirement for SOC 2 Type II (CC6.1, CC6.2, CC6.3), ISO 27001 (A.9.2.5), and HIPAA access management controls.
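The review cycle above (snapshot, per-user decision, certification) as an added example; this is illustrative code, not whoot.'s implementation. Roles, users, channel names and timestamps are constructed, timestamps are passed in as ISO-8601 strings, and the certification record is modelled as a SHA-256 digest over the frozen snapshot and the decisions so that later edits to the evidence are detectable.

```python
"""Added example (not whoot.'s own code) of an access-review cycle: snapshot,
per-user decision, certification. Roles, users and timestamps are constructed."""
import hashlib
import json

ROLE_PERMISSIONS = {
    "Admin": {"users.invite", "users.change_role", "billing.manage", "audit.view", "voice.join"},
    "Member": {"channels.create", "voice.join"},
    "External Observer": {"voice.join"},
}
DECISIONS = {"approve", "modify", "revoke"}


def start_review(memberships, channel_assignments, started_by, started_at):
    """Freeze every user's role, expanded permissions and channel assignments at the
    moment the cycle opens; later membership changes do not alter this snapshot."""
    snapshot = {
        user: {"role": role,
               "permissions": sorted(ROLE_PERMISSIONS[role]),
               "channels": sorted(channel_assignments.get(user, []))}
        for user, role in sorted(memberships.items())
    }
    return {"started_by": started_by, "started_at": started_at,
            "snapshot": snapshot, "decisions": {}, "certified": None}


def decide(review, memberships, user, decision, new_role=None):
    """Record the reviewer's decision for one user and apply it to the live
    membership table: 'modify' re-roles the user, 'revoke' removes them."""
    if review["certified"]:
        raise ValueError("review already certified; open a new cycle")
    if user not in review["snapshot"]:
        raise KeyError(f"{user} was not in the review snapshot")
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    if decision == "modify":
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError("modify requires a valid new_role")
        memberships[user] = new_role
    elif decision == "revoke":
        memberships.pop(user, None)
    review["decisions"][user] = {"decision": decision,
                                 "new_role": new_role if decision == "modify" else None}


def outstanding(review):
    """Users in the snapshot with no decision yet; certification needs this empty."""
    return sorted(set(review["snapshot"]) - set(review["decisions"]))


def _evidence(review):
    return json.dumps({"snapshot": review["snapshot"], "decisions": review["decisions"]},
                      sort_keys=True).encode()


def certify(review, reviewer, certified_at):
    """Close the cycle. The record binds reviewer and time to a digest of the
    snapshot and decisions, so the evidence can be re-checked for tampering."""
    missing = outstanding(review)
    if missing:
        raise ValueError(f"cannot certify, undecided users: {missing}")
    review["certified"] = {"reviewer": reviewer, "certified_at": certified_at,
                           "digest": hashlib.sha256(_evidence(review)).hexdigest()}
    return review["certified"]


def verify_certification(review):
    """Recompute the digest over the stored snapshot and decisions and compare."""
    cert = review["certified"]
    return bool(cert) and hashlib.sha256(_evidence(review)).hexdigest() == cert["digest"]
```

Two properties worth noticing: `certify` refuses a cycle with undecided users, so a "complete" certification always covers every account in the snapshot, and `decide` refuses changes after certification, so the certified evidence and the decisions it covers cannot drift apart.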
Security Best Practices
- Principle of least privilege — Assign the minimum permissions needed for each role. Start restrictive and add permissions as specific needs arise
- Separate admin and user roles — Don't grant admin access to users who only need to join channels and talk. Create custom roles for specific responsibilities
- Review permissions quarterly — Use the access review feature to audit who has what permissions every quarter. This is both a security best practice and a compliance requirement
- Monitor the audit log — Regularly review audit entries for unexpected role changes, permission escalations, or unusual access patterns
- Use descriptive role names — Name roles clearly (e.g. "Support Lead", "Project Manager", "External Observer") so their purpose is obvious during access reviews
- Combine with MFA — For roles with sensitive permissions (billing, security, audit), enforce MFA on the workspace to add a second authentication factor
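The "Role Change Auditing" section says every role change lands in an immutable audit log with full context, and the "Monitor the audit log" practice above says to look there for unexpected role changes and permission escalations. The added example below, which is not whoot.'s own code, models both: an append-only log where each entry commits to the hash of the previous one (so deleting or editing a past record breaks verification), role-change entries that carry the exact permission delta, and a monitoring pass that flags changes granting permissions in the sensitive categories the page names (billing, security, audit, plus the users and roles categories that control who holds what) or where someone changed their own role. Role names, permission identifiers, users and event names are constructed.

```python
"""Added example (not whoot.'s own code): hash-chained audit log of role changes
and a monitoring pass over it. Roles, users and event names are constructed."""
import hashlib
import json

ROLE_PERMISSIONS = {
    "Admin": {"users.change_role", "channels.create", "voice.join",
              "billing.manage", "security.configure_mfa", "audit.view"},
    "Support Lead": {"channels.create", "voice.join", "transcription.view"},
    "Member": {"channels.create", "voice.join"},
    "External Observer": {"voice.join"},
}
# Categories the page singles out (billing, security, audit) plus the two whose
# permissions let a holder change who has what (users, roles).
SENSITIVE_PREFIXES = ("billing.", "security.", "audit.", "users.", "roles.")
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only: each entry commits to the previous entry's hash, so an edited or
    deleted record breaks the chain from that point on and verify() reports it."""

    def __init__(self):
        self.entries = []

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = dict(fields, seq=len(self.entries), prev_hash=prev)
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def record_role_change(log, tenant, actor, target, old_role, new_role, ts):
    """Full contextual detail: who, whom, which tenant, when, and the permission delta."""
    old, new = ROLE_PERMISSIONS[old_role], ROLE_PERMISSIONS[new_role]
    return log.append(event="role.changed", tenant=tenant, actor=actor, target=target,
                      old_role=old_role, new_role=new_role, timestamp=ts,
                      granted=sorted(new - old), revoked=sorted(old - new))


def escalations(log):
    """Monitoring pass: role changes that granted a sensitive permission, or where
    the actor changed their own role. Returns one finding per flagged entry."""
    findings = []
    for e in log.entries:
        if e.get("event") != "role.changed":
            continue
        sensitive = [p for p in e["granted"] if p.startswith(SENSITIVE_PREFIXES)]
        reasons = []
        if sensitive:
            reasons.append("grants sensitive permissions: " + ", ".join(sensitive))
        if e["actor"] == e["target"]:
            reasons.append("self-assigned role change")
        if reasons:
            findings.append({"seq": e["seq"], "actor": e["actor"],
                             "target": e["target"], "reasons": reasons})
    return findings
```

Recording the granted and revoked sets at write time, rather than reconstructing them later from role definitions, matters because roles can be edited afterwards; the entry then still shows what the change actually conferred at that moment, which is what an access reviewer needs.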
Next Steps
- User Roles & Permissions — Creating and assigning roles
- Security & Compliance — Audit logging and compliance frameworks
- Authentication Security — MFA and session management
- Team Setup Guide — Onboarding workflow with roles