A practical guide to Intercom roles and permissions

If you’re managing a support team, you know your job is about more than just clearing the ticket queue. It's about giving your agents the right tools and access so they can do their best work, preferably without tripping over digital red tape or accidentally deleting something important.

This is exactly where Intercom roles and permissions come into play. They’re the foundation for security and efficiency in any support setup. When you get them right, your team can move faster, customer data stays secure, and you can bring on new hires without that little voice in your head worrying about what they might break.

In this guide, we'll walk through how Intercom permissions work, share some solid best practices for setting them up, and look at how you can push past their natural limits with a bit of smart automation.

What are Intercom roles and permissions?

Let's start with the basics. It’s pretty straightforward, but the difference between the two is key.

• Roles: Think of these as templates for permissions. Instead of manually clicking 27 different boxes for every new agent, you can create a 'Support Agent' role and assign it in one go. It’s all about saving time and keeping things consistent.

• Permissions: These are the specific things a person is allowed to do inside your Intercom workspace. This could be anything from 'Can export data' and 'Can manage Help Center articles' to 'Can delete replies from a conversation'.

Getting this setup right is a pretty big deal. It’s what stops a new agent from accidentally changing your billing plan or a colleague from the marketing team from stumbling into sensitive support conversations. They're the guardrails that keep your workspace tidy and secure.

The building blocks of Intercom roles and permissions

Intercom gives you a flexible system for managing who can do what, which is great because no two teams are exactly alike. You can start with the default roles they provide and then get as specific as you need with your own custom setups.

Default vs. custom roles

Right out of the box, Intercom gives you a few standard roles, including a full-access admin who can do, well, everything. That's fine when you're just starting out, but the real power comes from creating custom roles that perfectly match your team's structure. As Intercom's own documentation points out, tailoring roles to specific jobs is the best way to keep your workspace secure and running smoothly.

Here’s a simple way to decide which to use:

Role Type	Best For	Key Characteristic
Default Roles	Small teams or your initial setup.	Pre-configured with standard access levels for quick onboarding.
Custom Roles	Growing or specialized teams.	Gives you fine-tuned control to grant only the necessary permissions.

Key permission categories

Intercom has a ton of individual permissions, and staring at the full list can be a bit much. You can find a complete breakdown in Intercom's help docs, but it’s easier to think about them in a few logical groups:

• Conversation & Inbox Access: This is the big one. It controls who can see and reply to conversations. Can an agent only see tickets assigned to them, their team's tickets, or every ticket in the entire workspace?

• Data & Security: This group handles access to user profiles, the ability to export customer data, and permissions for managing things like tags. This is obviously vital for protecting customer privacy.

• Settings & Configuration: These permissions are usually just for admins and managers. They include the ability to change workspace settings, manage billing, and add or remove teammates.

• Content & Automation: This covers everything related to your Help Center, Proactive Support messages, and automation rules. You might give a content writer access to edit articles but not the ability to change your automated workflows.

Best practices for setting up Intercom roles and permissions

Alright, let's switch gears from the "what" to the "how." A well-planned role structure isn't just a bit of admin housekeeping; it can genuinely make your team's day-to-day work a lot easier.

Start with the principle of least privilege

This is a classic security concept that should be your north star: give teammates only the access they absolutely need to do their jobs, and nothing more.

It can be tempting to give everyone broad access just to "make things easier," but that strategy often backfires. Limiting permissions reduces the risk of accidental data deletion, unauthorized exports, or messy configuration mistakes that take hours to untangle.

Create roles based on team function

Don't just create roles for the sake of creating them. Base them on what people actually do. Here are a few real-world examples you can adapt:

• Support Agent (Limited): This is perfect for new hires or Tier 1 agents. They can handle conversations assigned to them and use macros, but they can't edit shared resources, view sensitive reports, or export customer lists. They have exactly what they need to answer tickets, and that’s it.

• Support Agent (Standard): For your experienced, trusted agents. Give them everything the limited role has, plus the ability to access all conversations, manage tags, and view reports to track their performance. This lets them solve more complex problems and see their own impact.

• Support Manager: This role needs a much broader view of things. Managers should be able to access all reports, manage teammates and their permissions, tweak workspace settings, and oversee automation. They're the architects of your support system.

• Marketing/Sales: Often, other departments need to dip a toe into Intercom. You can create a highly restricted role that lets them run outbound campaigns or handle pre-sales chats without giving them access to private, post-sale support tickets.

Use SCIM for automated provisioning

For larger companies, manually managing roles for every new hire, promotion, or departure is a real headache. It's slow and just waiting for human error.

This is where SCIM (System for Cross-domain Identity Management) comes in. SCIM lets you connect Intercom to your company's identity provider, like Okta or Azure AD, and map roles automatically. For example, when someone is added to the "Support Team" group in Okta, they're automatically given the "Support Agent (Standard)" role in your Intercom workspace.

As detailed in Intercom's guide on SCIM, this keeps your permissions perfectly in sync with your company's main user directory. It cuts down on admin work and tightens up security.

The limits of manual permissions and where AI can help

So, you've done everything right. Your roles are clearly defined, and your permissions are locked down. Your workspace is a fortress of organizational perfection. But your team is still struggling to keep up. Why?

Because Intercom roles control access, but they don't improve the quality or speed of the work itself. An agent can have permission to view your knowledge base, but that doesn't help them find the right answer in 30 seconds while a customer is waiting.

Even the best permission setup runs into a few hard limits:

1. Knowledge Silos: Permissions can't magically bridge knowledge gaps. The perfect answer to a customer's question might be buried in a past ticket, a Google Doc, or a Confluence page. An agent's Intercom role only applies to Intercom, forcing them to waste time switching between tabs and searching multiple systems for a single piece of information.

2. Onboarding Bottlenecks: Getting a new agent up to speed is a classic catch-22. You want them to learn fast, but you don't want to give them broad access to historical data. But if you lock down their permissions too tightly, you make it harder for them to learn from past conversations and see how your best agents operate.

3. Manual Triage and Escalation: Roles can define who gets an escalated ticket, but a person still has to read the new ticket, figure out what it's about, tag it correctly, and send it to the right team. This process eats up a lot of time and is a major source of mistakes.

This is where you start to hit the ceiling of what manual settings can do. The next step is to think about not just who can do what, but how to help them do it better.

Give your permission setup a boost with eesel AI

This is the point where many teams start looking for a tool like eesel AI. It isn't a replacement for your helpdesk or your permission structure. Instead, it’s an intelligent layer that plugs into your existing Intercom setup to make your team much more effective.

eesel AI is designed to help with the exact limitations we just talked about:

• Break Down Knowledge Silos: eesel AI doesn't just live in Intercom. It connects to all your company knowledge, including information in Confluence, Google Docs, and most importantly, the wisdom hidden away in your past tickets. Its AI Copilot sits right inside the Intercom inbox and suggests accurate, context-aware answers instantly. Agents never have to leave the conversation to hunt for information again.

The eesel AI Copilot suggesting answers inside the Intercom inbox, helping agents work faster regardless of their Intercom roles and permissions.

• Speed Up Onboarding: You can forget that new hire paradox. With eesel AI, you can keep a new agent's permissions limited and safe. The AI drafts replies for them by learning from thousands of your best historical conversations. They get to learn from your top performers from day one, all while staying within their secure, limited role.

• Automate Workflows: eesel's AI Agent can handle that repetitive frontline triage for you. It reads incoming tickets, understands what the customer needs, and can automatically tag the ticket, route it, or even resolve it on the spot if the answer exists in your knowledge base. This frees up your human agents to focus on the complex conversations that actually require their expertise. Best of all, because eesel AI has a powerful simulation mode, you can test its performance on thousands of your past tickets before ever letting it talk to a real customer, making the rollout completely risk-free.

Tying your Intercom roles and permissions strategy together

Getting your Intercom roles and permissions strategy right is absolutely essential. It’s the bedrock of a secure, organized, and scalable support team. By following best practices like the principle of least privilege, creating roles by function, and using SCIM to automate things as you grow, you'll build a solid foundation.

But that foundation has a ceiling. To really unlock what your team is capable of, you need to layer intelligence on top of that structure. While manual permissions define what your agents can do, AI helps them do it better, faster, and more consistently.

Tools like eesel AI can turn a well-organized workspace into a highly efficient support engine, helping you scale your operations without having to scale your headcount at the same rate.