Roles & Access
TalentDesk uses role-based access control with four scoped roles. This page explains what each role can see and do, and how client scoping works for Account Managers.
The four roles
| Role | Scope & capabilities |
|---|---|
| Master Admin | Full access to everything — all clients, all talent, all deployments, all analytics, and all settings. Manages users, roles, the skills library, and system configuration. Can view the full audit log and export it as CSV. |
| Account Manager | Sees and manages only the clients assigned to them. Can create and manage positions, deployments, placement gates, weekly health signals, and monthly retrospectives for their clients. Can view the talent roster to source engineers, but cannot manage users or system settings. |
| Recruiter | Focused on sourcing and hiring. Can view open positions across clients, manage the talent roster, and move positions through the hiring pipeline. Can contribute to placement gate checkpoints (e.g. pre-screen, technical bar). Cannot log client health signals or manage client relationships. |
| Viewer | Read-only access to dashboards, clients, talent, and analytics they are permitted to see. Cannot create, edit, or delete any record. Useful for leadership or stakeholders who need visibility without operational access. |
Client scoping for Account Managers
The Account Manager role is scoped by client assignment. Each client record has an assigned Account Manager. An Account Manager only sees the clients assigned to them across the entire application:
- The global dashboard shows metrics computed only over their assigned clients
- The Clients list shows only their clients
- The Action Center shows hiring deadlines, incomplete gates, and pending health updates only for their clients
- Deployments, health signals, and retrospectives are filtered to their clients
The talent roster is shared — Account Managers can view all engineers when sourcing for a position — but client relationship data is strictly scoped.
Reassigning a client. When a Master Admin reassigns a client to a different Account Manager, the new manager immediately gains visibility and the previous manager loses it. Historical audit log entries retain the identity of whoever performed each past action.
Managing users and roles
Only Master Admins can manage users. Under Settings → Users, a Master Admin can:
- Invite a new team member by email
- Assign one of the four roles
- Assign clients to an Account Manager
- Deactivate a user (which revokes access without deleting their audit history)
Authentication
TalentDesk uses cookie-session authentication with bcrypt password hashing. Sessions are stored server-side and issued as an httpOnly cookie. Users manage their own password under Profile → Change Password. There is no self-service signup — accounts are created by a Master Admin.
Audit log
Every create, update, and delete action across clients, positions, deployments, placement gates, health signals, pulse reviews, and user management is recorded in the audit log with a timestamp, the acting user, the affected entity, and the action taken. The audit log is viewable per entity (on each record's detail page) and globally by Master Admins, who can export it as CSV for compliance or review purposes.