CallSnare

Residential HVAC missed-call recovery

Keep working. We’ll handle the callback.

Sign inStart setup

Docs / Permissions

Permissions are explicit, tenant-scoped, and built to be audited later

CallSnare keeps business data tenant-scoped by organization. Staff roles, system automation, and external credentials all operate inside clear trust boundaries instead of loose implied access.

The key idea is simple: staff roles are fixed, external credentials are explicitly scoped, and every meaningful change is expected to be attributable later.

Permission model

Fixed roles for staff, explicit scopes for systems

01

Staff roles stay legible

Owner, admin, and agent are fixed roles so the operating model stays clear instead of endlessly customizable.

02

Tenant boundaries come first

Business-facing records stay scoped to the organization, whether the actor is staff, system automation, or an approved integration.

03

Credentials express scope directly

Protected access is granted through explicit scopes, not by inheriting broad hidden powers.

Roles define staff authority. Scopes define what a credential can do.

Tenant scope

Organization context is the hard boundary for business-facing records and actions.

Fixed staff roles

Owner, admin, and agent remain legible so day-to-day authority is easy to reason about.

Explicit credential scopes

Approved integrations get only the capabilities granted to that token, nothing broader.

Scope families

Scopes are grouped around durable business capabilities

Read, write, and management scope families keep external access understandable without forcing every integration to infer hidden privilege boundaries.

Read scopes

Current scope families cover bookings, availability, leads, conversations, business profile, results, and audit visibility.

Write scopes

Current scope families cover bookings, availability, leads, messages, business profile changes, and automation preferences.

Management scopes

Current scope families cover integrations, credentials, account settings, and other high-risk actions that should stay tightly controlled.

Actors and boundaries

Every actor can be described by allowed work and explicit limits

The system should be explainable without tribal knowledge. These actor cards show what each role or system actor can do and what boundaries still apply.

Owner

Business owner with full account authority.

Allowed work

  • Manage billing and guarantee settings.
  • Change business profile, phone routing, templates, and booking settings.
  • Create, rotate, and revoke integration credentials.
  • Review results, proof, and admin-only diagnostics.

Boundaries

  • Actions stay tenant-scoped to the current organization.
  • Protected external access still requires explicit credentials and scopes.

Admin

Operational lead or dispatcher with broad day-to-day control.

Allowed work

  • Work the inbox and bookings.
  • Change most settings and setup paths.
  • Help manage integrations and approved credentials.

Boundaries

  • Still tenant-scoped to the current organization.
  • High-risk actions remain controlled by role gates and explicit scope checks.

Agent

Team member handling conversations and booked work.

Allowed work

  • Work conversations, send messages, and update lead status.
  • Book jobs from the calendar workflow.
  • Review lead and booking history needed to do the job.

Boundaries

  • Cannot manage billing.
  • Cannot broadly manage account-wide integrations unless separately authorized.

CallSnare automation

System actor that sends follow-up, confirmation, reminder, and bookkeeping events under org rules.

Allowed work

  • Send follow-ups, confirmations, and reminders when the org allows it.
  • Write timeline and audit evidence tied to the automated action.
  • Stop sequences when replies, opt-outs, or terminal states make further sends unsafe.

Boundaries

  • Subject to billing entitlements, business-hour rules, and terminal-state guardrails.
  • Does not override tenant scope or bypass audit trails.

Trusted external integration or external agent

Approved outside system using an org-scoped Bearer credential.

Allowed work

  • Only the scopes explicitly granted to that credential.
  • Current protected surface is intentionally narrow and focused on booking operations.
  • Credential rotation and revocation are available from the web app.

Boundaries

  • No broad public write access exists.
  • Each write stays org-scoped, attributable, and permission-checked.
  • Sensitive scope families require deliberate owner or admin approval.

Continue reading

Once permissions are clear, most readers move to actions or security

Use the next docs to connect the role-and-scope model to the action vocabulary, protected access posture, and verification controls.

Actions

See which actions are live today, which stay internal, and which are only planned.

Security

Understand authentication, authorization, validation, rate limiting, and audit posture.

Agent access

Review what is publicly discoverable versus what still requires scoped credentials.

Webhooks

See the callback model that feeds the product and how those routes stay attributable and safe.