Roles and Permissions
Understand the role hierarchy, access levels, and permissions in ISPBills
ISPBills uses a multi-tier role hierarchy to control access across the platform. Each role is designed for a specific type of user — from the platform owner down to end customers — with granular permissions that determine what each person can see and do.
This page explains who each role is for, what they can access, and how permissions can be customised.
Role Hierarchy
ISPBills organises users into a clear hierarchy. Higher-level roles manage the roles beneath them.
Super Admin
└── Group Admin (ISP Owner)
├── Operator (Regional Manager)
│ ├── Sub-Operator (Assistant)
│ └── Manager (Staff — permission-gated)
├── NOC User (Network Operations — permission-gated)
└── Sales Manager (Sales Staff)
Lateral / Independent Roles:
• Card Distributor (External Recharge Agent)
• Customer (End-User)
Key points:
- Super Admin sits at the top and manages Group Admins and platform subscriptions.
- Group Admin is the ISP owner who manages all operators, packages, routers, and billing.
- Operator manages a region or area, including customers and sub-operators.
- Sub-Operator assists an Operator with a similar but more limited feature set.
- Manager is a staff member whose access is entirely controlled by individually assigned permissions.
- NOC User is a network operations technician with permission-gated access to infrastructure monitoring, device management, and customer troubleshooting — with no access to financial data. See NOC Role and NOC Panel.
- Sales Manager focuses on CRM activities and SMS outreach.
- Card Distributor and Customer log in through separate portals with their own feature sets.
Role Descriptions
| Role | Who it's for | What they can do | Key limitations |
|---|---|---|---|
| Super Admin | Platform owner | Manage Group Admins, activate/suspend subscriptions, view all payment and financial reports, manage data policies | Cannot manage individual customers or network infrastructure directly |
| Group Admin | ISP owner | Full control over operators, customers, routers, packages, billing, accounting, monitoring, OLT/ONU, WhatsApp, email, API clients, webhooks, settings, and reports | Bound by their own subscription status |
| Operator | Regional or area manager | Manage customers, sub-operators, managers, packages (with permission), bills, payments, SMS, accounting, recharge cards, due-date reminders, and expenses | Cannot manage routers, OLTs, IP pools, master packages, billing profiles, or VAT |
| Sub-Operator | Assistant to an Operator | Similar to Operator — customer management, billing, payments, SMS, recharge cards, accounting, expenses, and due-date reminders | Cannot create sub-operators or managers; cannot delete customers (requires explicit permission); no access to network infrastructure |
| Manager | Staff member | Customer operations, billing, payments, expenses, and package changes — all gated by individually assigned permissions | Every action requires an explicit permission grant; no access to accounting, SMS broadcast, recharge cards, or network features |
| NOC User | Network operations technician | Monitor network infrastructure, manage routers/OLTs/IP pools, search and troubleshoot customer connections, access Ready Terminal for SSH/Telnet — all gated by individually assigned permissions | No access to billing, payments, packages, customer creation/editing, or any financial data. See NOC Role |
| Sales Manager | Sales and outreach staff | View self-registered admins, add sales comments, send SMS, view SMS history, and view Group Admin list (read-only) | Very limited scope — no customer management, billing, or network access |
| Card Distributor | External recharge agent | Search customers, recharge accounts, pay customer bills, view own recharge and payment history | Separate login portal; balance-checked before every transaction; no access to admin features |
| Customer | End-user subscriber | View profile and bills, make payments (online gateways and recharge cards), view data usage and live traffic, purchase hotspot packages, file complaints, replace MAC address | Separate login portal; can only view and manage their own account |
Access Matrix
The table below shows which major feature areas are available to each role. A ✓ means the role has access (full or conditional), and ✗ means no access.
Administration and Operations
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| Dashboard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Dashboard Widgets | ✗ | ✓ | ✓ | ✓ | Requires permission | ✗ (non-financial only) | ✗ |
| Business Dashboard | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| NOC Dashboard | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| Operator Management | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Sub-Operator Management | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Manager Management | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| NOC User Management | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
Customer Management
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| Customer List and Search | ✗ | ✓ | ✓ | ✓ | Requires permission | Requires permission | ✗ |
| Create / Edit Customers | ✗ | ✓ | ✓ | ✓ | Requires permission | ✗ | ✗ |
| Activate / Suspend / Disable | ✗ | ✓ | ✓ | ✓ | Requires permission | ✗ | ✗ |
| Delete Customers | ✗ | ✓ | Requires permission | Requires permission | ✗ | ✗ | ✗ |
| Online / Offline Customers | ✗ | ✓ | ✓ | ✓ | Requires permission | ✓ (via dashboard) | ✗ |
| Import Customers | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Custom Fields and Zones | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Customer Disconnect | ✗ | ✓ | ✓ | ✓ | ✗ | Requires permission | ✗ |
| Send SMS to Customer | ✗ | ✓ | ✓ | ✓ | ✗ | Requires permission | ✓ |
Billing, Payments, and Packages
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| View / Print Bills | ✓ | ✓ | ✓ | ✓ | Requires permission | ✗ | ✗ |
| Generate / Edit / Delete Bills | ✗ | ✓ | Requires permission | Requires permission | Requires permission | ✗ | ✗ |
| Receive Cash Payments | ✗ | ✓ | ✓ | ✓ | Requires permission | ✗ | ✗ |
| Edit / Delete Payments | ✗ | ✓ | Requires permission | Requires permission | Requires permission | ✗ | ✗ |
| Billing Profiles | ✗ | ✓ (full) | ✓ (view) | ✓ (view) | ✗ | ✗ | ✗ |
| Package Management | ✗ | ✓ (full) | ✓ (limited) | ✓ (view) | ✗ | ✗ | ✗ |
| Master Packages | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Change Customer Package | ✗ | ✓ | ✓ | ✓ | Requires permission | ✗ | ✗ |
| Recharge Cards | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Card Distributors | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
Network and Infrastructure
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| Router Management | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| OLT / ONU Management | ✓ (view) | ✓ | ✓ (view) | ✓ (view) | ✗ | Requires permission | ✗ |
| IP Pools (IPv4 / IPv6) | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| PPPoE Profiles | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| MikroTik Monitoring | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| Ubiquiti / Cambium Devices | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| Zabbix Integration | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Network Topology | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| Ping Test | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Ready Terminal (SSH/Telnet) | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Managed Switches | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
Accounting and Finance
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| Accounts Receivable / Payable | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Daily / Monthly Reports | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Journal and Ledger | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Expense Management | ✗ | ✓ | ✓ | ✓ | Requires permission | ✗ | ✗ |
| Income vs Expense Report | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| VAT Management | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
Communication and Notifications
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| Send SMS | ✗ | ✓ | ✓ | ✓ | ✗ | Requires permission | ✓ |
| SMS Broadcast | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| SMS History | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ |
| Event SMS Configuration | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| WhatsApp Messaging | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Email Templates | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Due Date Notifiers | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Expiration Notifiers | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
Monitoring, Logs, and Security
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| Activity Logs | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Authentication Logs | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Router / PPP / Hotspot Logs | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ (router & PPP auth) | ✗ |
| Suspension Logs | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Operator Action Logs | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| NetFlow Traffic Analysis | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Two-Factor Authentication | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Device Identification | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Settings, API, and Integrations
| Feature Area | Super Admin | Group Admin | Operator | Sub-Operator | Manager | NOC User | Sales Manager |
|---|---|---|---|---|---|---|---|
| ISP Profile / Company Settings | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Payment Gateway Settings | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Backup Settings | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| API Clients | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Webhook Endpoints | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Complaint Departments | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Status Checks | ✗ | ✓ | ✗ | ✗ | ✗ | Requires permission | ✗ |
| VPN Accounts | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
Manager Permissions
The Manager role is unique in ISPBills because it has no default access to operational features. Every capability must be explicitly granted by the Operator or Group Admin who creates the Manager account.
This makes the Manager role ideal for staff members who need access to specific tasks without the full scope of an Operator.
Available Manager Permissions
| Permission | What it grants |
|---|---|
| Dashboard | View dashboard widgets and charts |
| View Customer Details | Access the customer detail page |
| Create Customer | Add new customers |
| Edit Customer | Modify existing customer records |
| Activate Customer | Reactivate suspended or disabled customers |
| Suspend Customer | Suspend customer service |
| Disable Customer | Disable customer accounts |
| Change Customer Package | Modify a customer's service package |
| Receive Payment | Accept cash payments and process recharges |
| View Customer Payments | See payment records |
| View Online Customers | See currently connected customers |
| Print Invoice | View and print customer bills |
| Edit Bills | Modify existing invoices |
| Delete Bills | Remove invoices |
| Discount on Bills | Apply discounts to invoices |
| Edit Customer Payment | Modify payment records |
| Delete Customer Payment | Remove payment records |
| Expense Management | Create and view expenses and expense reports |
Managers can also access activity logs and authentication logs, send payment links, and edit customer billing profiles without requiring a specific permission key.
How to Assign Manager Permissions
- Navigate to Resellers and Managers → Managers.
- Create a new Manager or edit an existing one.
- In the permissions section, tick the capabilities you want to grant.
- Save the Manager profile.
The Manager will only see menu items and features that match their assigned permissions.
NOC User Permissions
The NOC User (Network Operations Center) role is designed for network technicians and engineers who need to monitor infrastructure and troubleshoot network issues without any access to financial data. Like the Manager role, every capability must be explicitly granted.
NOC users are created and managed by the Group Admin from the NOC Panel management area.
Available NOC Permissions
| Permission | What it grants |
|---|---|
| NOC Dashboard | Access to the real-time NOC Command Center dashboard |
| View Routers | View the router list and router details |
| Add Routers | Create new routers |
| Edit Routers | Modify existing routers |
| Delete Routers | Remove routers |
| View OLTs | View OLT list, OLT details, and ONU list |
| Add OLTs | Create new OLTs |
| Edit OLTs | Modify existing OLTs |
| Delete OLTs | Remove OLTs |
| View IP Pools | View IPv4 and IPv6 pool lists |
| Add IP Pools | Create new IP pools |
| Edit IP Pools | Modify existing IP pools |
| Delete IP Pools | Remove IP pools |
| Search Customers | Search customers by username, mobile, or ID |
| Disconnect Customer | Disconnect a customer's PPPoE session |
| Send SMS | Send SMS messages to individual customers |
| View Monitoring | Access monitoring tools (Ubiquiti, MikroTik, Cambium, Network Topology, Status Checks, Managed Switches) |
| Manage Router Devices | Access MikroTik device management (DHCP leases, ARP table, firewall rules) |
NOC users have zero access to billing, payments, packages, customer creation/editing, accounting, or any financial data. All financial queries are skipped at the controller level for this role.
How to Create and Manage NOC Users
- Log in as a Group Admin.
- Navigate to Operators & Managers → NOC Users in the sidebar.
- Click New NOC User and fill in the name, mobile, email, password, and desired permissions.
- Click Submit.
For full details, see NOC Role and NOC Panel.
Card Distributor
Card Distributors are external agents who sell recharge cards and collect payments on behalf of your ISP. They access a separate, simplified portal.
What Card Distributors Can Do
| Capability | Description |
|---|---|
| Search Customers | Look up customers by ID, name, or mobile number |
| Recharge Customer Accounts | Apply balance to a customer's account |
| Pay Customer Bills | Settle outstanding bills on behalf of customers |
| View Recharge History | See their own past recharge transactions |
| View Payment History | See their own past payment transactions |
| Change Password | Update their login credentials |
How Card Distributor Access Works
- Card Distributors log in through a separate portal (not the main admin panel).
- Every recharge and bill payment is balance-checked — the distributor must have sufficient funds to complete the transaction.
- The distributor's balance is managed by the Operator or Group Admin through distributor payment records.
- All transactions are logged and visible in the Distributor Payments section.
Customer Portal
Customers access ISPBills through a dedicated self-service portal. The portal lets subscribers manage their own accounts without needing to contact the ISP directly.
Customer Portal Capabilities
| Capability | Description |
|---|---|
| Dashboard | Account summary with service status and balance overview |
| View Profile | See account details including connection type and package |
| Edit Profile | Update personal information |
| View Bills | See all current and past invoices |
| Pay Bills Online | Pay using bKash, Nagad, SSLCommerz, and other supported gateways |
| Recharge with Card | Apply a recharge card PIN to add balance |
| View Payments | See complete payment history |
| View Packages | Browse available service packages |
| Purchase Package | Buy or upgrade a hotspot package directly |
| Data Usage History | Review session-by-session data consumption |
| Usage Graph | Visual charts showing bandwidth usage over time |
| Live Traffic | Real-time view of current bandwidth usage |
| Card Stores | Find recharge card outlets |
| Replace MAC Address | Self-service MAC address update |
| File Complaint | Submit a support ticket (requires verified mobile number) |
| View Complaints | Track the status of submitted complaints |
Customer Login
Customers log in using their Customer ID and password at the customer portal URL. If a customer forgets their Customer ID, they can recover it using their registered mobile number or email address.
The customer portal is a separate interface from the admin panel. Customers cannot access any administrative features.
Subscription and Group Admin Management
The Super Admin manages ISP subscriptions at the platform level. This includes:
- Creating and managing Group Admin accounts — each Group Admin represents an ISP.
- Activating and suspending subscriptions — controlling whether an ISP can use the platform.
- Marking subscription bills as paid — managing the billing relationship with ISPs.
- Viewing subscription payment reports — tracking revenue from ISP subscriptions.
- Toggling WhatsApp access — enabling or disabling WhatsApp integration per ISP.
Group Admins cannot access Super Admin features. The subscription system runs independently of individual ISP operations.
Best Practices
- Follow the principle of least privilege. Grant each user only the permissions they need.
- Use Managers for staff. Instead of creating additional Operators, use the Manager role with specific permissions to limit what staff members can access.
- Review permissions regularly. As your team changes, audit Manager permissions to ensure they still match each person's responsibilities.
- Use Sub-Operators for trusted assistants. Sub-Operators have broader default access than Managers but cannot manage network infrastructure.
- Keep Card Distributor balances current. Distributors cannot process transactions when their balance is insufficient.