In a competitive landscape, customer service is no longer merely a support function, but a strategic asset. Controlling who can do what in the support system is therefore a fundamental prerequisite for a secure and efficient setup. The correct configuration of roles and permissions in Zendesk supports a secure, efficient and well-run working environment. It prevents unintended changes, protects critical business data and ensures that agents have precisely the tools they need to deliver high service quality - neither more nor less.
This guide serves as a single resource for access management in Zendesk, with a review of roles, key concepts and recommended practices.
The basics: What is the difference between roles and permissions?
Before reviewing the specific roles, it is important to distinguish between the two central elements of Zendesk access management:
- Permissions: Specific, individual actions a user can perform. Examples: editing a ticket, creating a macro, viewing a report, managing users or changing an automation.
- Roles: A role is a collection of permissions. Instead of assigning individual permissions manually to each user, a predefined role with the relevant combination of permissions is assigned.
A role and permissions can be compared to a keyring: the role is the keyring, and each permission is a key that grants access to a particular function in Zendesk. With the right keyring, access to the necessary functions is ensured without access to the rest.
An in-depth review of Zendesk's standard roles
Zendesk comes with standard roles that cover the most common functions in a support organisation. Each role has a clear purpose.
Administrator (Admin)
The administrator role has the highest access and can configure almost every aspect of the Zendesk instance.
- Who is it for? Typically IT managers, system owners, heads of customer service or other trusted individuals with deep technical and strategic knowledge of the platform.
- What can the role do?
  - Manage all users and organisations (create, edit, delete).
  - Configure all settings, including channels (email, chat, voice), business rules (triggers, automations, views) and integrations with third-party systems.
  - Access and manage all reports and dashboards, including editing shared dashboards.
  - Manage billing and subscription information.
  - Manage API tokens and security settings.
- Best practice: The number of administrators should be kept to a minimum. Several accounts with full access increase the risk of errors, unintended changes and security breaches. Custom roles can be used to grant specific permissions instead of full administrator access.
Agent
The agent role is the primary role in the support team and is used for the daily handling of customer enquiries and SLAs.
- Who is it for? Customer service staff, support technicians and others who form part of the primary ticket flow.
- What can the role do?
  - View and edit tickets assigned to the agent's groups.
  - Create, update, assign and solve tickets.
  - Use macros, views and other tools to streamline their work.
  - Access the knowledge base (Help Center) to find answers.
  - Edit and create personal views, but not shared views.
- What can the role not do? The role cannot manage other users, change core settings (e.g. triggers and automations), view sensitive data such as billing or manage integrations.
Custom Roles
On the Professional plan or higher, the standard "Agent" role can be extended with custom roles. This makes it possible to fine-tune access. Roles such as "Team Lead" or "Level 2 Support" can be created with permissions beyond the standard agent, e.g.:
- The ability to edit macros or views for the entire group.
- Access to comment on or edit tickets in other groups.
- Permissions to access certain reports.
This provides granular control, so that employees get the tools they need without unnecessarily broad permissions.
Light Agent
A light agent is a specialist who is not part of the daily ticket flow, but who contributes knowledge as needed.
- Who is it for? Legal experts, technical specialists, product managers, marketing staff or others who need to be able to view tickets and add comments without being formally assigned to them.
- What can the role do?
  - View all tickets in the groups the role is a member of (as well as tickets where the role is CC'd).
  - Add internal comments (private notes) to these tickets.
  - Access and contribute to the knowledge base (if permissions are granted).
- What can the role not do? The role cannot be assigned a ticket, change ticket status (e.g. set it to "Solved"), communicate directly with end users via public comments or edit macros. This reduces the risk of affecting the ticket flow or SLAs.
End User
End users are customers who interact with Zendesk via the Help Center, email or embedded forms.
- Who is it for? External customers, partners or potential customers who request support.
- What can the role do?
  - Submit requests (tickets) via various channels.
  - View and follow the status of their own tickets via the Help Center.
  - Search the public knowledge base (Help Center) to find answers (self-service).
- Important: End users can only see their own tickets and have no access to the agent interface or other customers' data.
Advanced concepts: Beyond the standard roles
To manage access in a targeted way, it helps to understand how roles interact with other Zendesk features.
Using groups to fine-tune ticket access
Roles define what a user can do, while groups largely define which tickets a user can see. By default, an agent can only see tickets that are either assigned to the agent personally or to a group the agent is a member of.
- Example: A group can be created for "Billing enquiries" and another for "Technical Support". By placing agents in the relevant groups, you ensure that billing specialists are not overwhelmed by technical tickets and vice versa. This supports the organisation of the workflow and the protection of sensitive information.
Best practices for managing roles and permissions
To maintain a secure and efficient environment, the following principles are recommended.
1. Apply the Principle of Least Privilege
Grant only the permissions that are necessary to perform the tasks - neither more nor less.
- Bad example: A new agent needs to be able to edit a field on tickets, and administrator access is granted to meet the need quickly.
- Good example: You investigate whether a custom role can grant the permission to edit ticket fields, or whether such a role can be created. If that is not possible, you assess whether the workflow can be changed so that the permission is not necessary.
- Why? It minimises the risk that an error by a single user will have major consequences, and it reduces the attack surface for security threats.
2. Review and clean up regularly
Organisations change, and the access structure should be adjusted on an ongoing basis. Employees change roles, leave the organisation, or new needs arise.
- Schedule regular audits: A quarterly review of roles and permissions is recommended.
- Quarterly audit checklist:
  - Remove inactive users: Deactivate or delete users who are no longer employed. This strengthens security and can reduce licence costs.
  - Evaluate roles: Assess whether new responsibilities require more permissions, or whether full access is no longer necessary.
  - Check group membership: Verify that agents are placed in the correct groups in relation to their current tasks.
3. Document the access strategy
Transparency supports good governance. Create an internal document (e.g. in Confluence, Notion or a shared Google Doc) that describes:
- The definition of each role: Expectations for "Agent" vs. "Light Agent" as well as the purpose of custom roles.
- The approval process: Who approves new administrators or changes to permissions, and whether a manager/IT should be involved.
- A responsibility matrix: Who owns access management, and who to contact with questions.
Documentation supports onboarding and serves as a reference during troubleshooting.
4. Protect critical configurations
Certain parts of Zendesk are particularly critical, including business rules (triggers, automations), integrations and custom fields.
- Restrict access: Make sure that only a small number of trusted administrators can change these.
- Enable two-factor authentication (2FA): 2FA is an effective protection for administrator accounts against unauthorised access. Make 2FA mandatory for all administrators.
- Use Audit Logs: Audit logs give an overview of who has made changes, when and from which IP address. Use the logs actively for monitoring and tracing.
- Test changes in a safe environment (Sandbox): For Enterprise customers, a sandbox is well suited to testing larger changes to triggers, automations and apps before rolling them out to production.
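The quarterly audit checklist and the 2FA requirement for administrators above can be run as one offline check over a user export. The following is an added example, not code from Zendesk or from this guide: the records are constructed, the field names (`role`, `suspended`, `last_login_at`, `two_factor_auth_enabled`) are assumed to match your export, and the 90-day and two-administrator thresholds are illustrative choices.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names are assumed to match your Zendesk
# user export; adjust them if your export differs.
USERS = [
    {"id": 1, "role": "admin", "suspended": False,
     "two_factor_auth_enabled": True, "last_login_at": "2025-05-28T09:00:00Z"},
    {"id": 2, "role": "admin", "suspended": False,
     "two_factor_auth_enabled": False, "last_login_at": "2025-05-30T12:00:00Z"},
    {"id": 3, "role": "admin", "suspended": False,
     "two_factor_auth_enabled": True, "last_login_at": "2024-11-02T08:00:00Z"},
    {"id": 4, "role": "agent", "suspended": False,
     "two_factor_auth_enabled": False, "last_login_at": None},
    {"id": 5, "role": "agent", "suspended": False,
     "two_factor_auth_enabled": False, "last_login_at": "2025-05-31T10:00:00Z"},
    {"id": 6, "role": "end-user", "suspended": False,
     "two_factor_auth_enabled": False, "last_login_at": None},
]
# Constructed: actual group membership vs. what the access document expects.
ACTUAL_GROUPS = {4: {"Billing enquiries"},
                 5: {"Billing enquiries", "Technical Support"}}
EXPECTED_GROUPS = {4: {"Billing enquiries"}, 5: {"Technical Support"}}


def audit(users, actual, expected, now, stale_days=90, max_admins=2):
    """Return sorted (user_id, finding) pairs; user_id 0 is account-wide."""
    findings = set()
    # Only active staff accounts are audited; end users and suspended users are skipped.
    staff = [u for u in users
             if u["role"] in ("admin", "agent") and not u["suspended"]]
    cutoff = now - timedelta(days=stale_days)
    for u in staff:
        seen = u["last_login_at"]
        # Never logged in, or last login older than the cutoff: review for removal.
        if seen is None or datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(
                tzinfo=timezone.utc) < cutoff:
            findings.add((u["id"], "stale-account"))
        if u["role"] == "admin" and not u["two_factor_auth_enabled"]:
            findings.add((u["id"], "admin-without-2fa"))
        # Groups the user is in but the access document does not list.
        extra = actual.get(u["id"], set()) - expected.get(u["id"], set())
        if extra:
            findings.add((u["id"], "unexpected-groups:" + ",".join(sorted(extra))))
    if sum(u["role"] == "admin" for u in staff) > max_admins:
        findings.add((0, "too-many-admins"))
    return sorted(findings)


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for user_id, finding in audit(USERS, ACTUAL_GROUPS, EXPECTED_GROUPS, now):
        print(user_id, finding)
```

Each finding is a prompt for review against the documented access strategy, not an automatic removal.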
Troubleshooting and common challenges
Even with good planning, challenges can arise.
- Problem: "An agent cannot see an important ticket, even though it is assigned to the group."
  - Solution: First check whether the agent is a member of the correct group. Then check the ticket's "organisation" setting. If the ticket is restricted to a specific organisation, the agent must also be a member of that organisation in order to see the ticket.
- Problem: "An employee in marketing needs access to one specific report about customer satisfaction."
  - Solution: Instead of changing the role to agent, you can consider sharing a dashboard (if there is an agent licence), or the report can be exported and sent. If ongoing access is needed, a custom role with limited report permissions can be used.
Conclusion: Build a foundation for success
Well-structured access management in Zendesk is an ongoing process that requires maintenance. By understanding the roles, applying the principle of least privilege, using groups appropriately and documenting the strategy, a robust and secure foundation is established.
The foundation protects data and system integrity while giving agents the right conditions to deliver high-quality customer service. It reduces unnecessary complexity and supports a focus on the customer.
Specialists in building and optimising secure and scalable Zendesk setups can be brought in when there is a need to fine-tune roles and permissions with a view to a more efficient and secure customer service organisation.