Overview
Role-based access control (RBAC) in CAKE lets you give each team member exactly the access they need — no more, no less. Every admin user in CAKE is assigned a role that defines their permissions across the platform. Affiliates and advertisers have fixed portal views and are not assigned admin roles.
Built-In Admin Roles
| Role | Typical User | Key Access |
|---|---|---|
| Super Admin | Platform owner or lead administrator | Full access to everything: all settings, all users, all billing, all data. |
| Admin | Senior network manager | Manage offers, affiliates, advertisers, and all reports. Limited access to billing and system settings. |
| Account Manager | Day-to-day campaign manager | Create and edit offers, manage affiliates assigned to them, view reports relevant to their accounts. |
| Reporting Only | Analyst or client-facing stakeholder | View reports only. Cannot create, edit, or delete any records. |
Note:
Built-in roles are ready to use without any additional configuration and cover the vast majority of team structures. Only create custom roles when you need specific permission combinations that don't exist in a built-in role.
Creating Custom Roles
1. Go to Admin > Roles and click Add Role.
2. Give the role a descriptive name that communicates its scope, e.g. "Finance Viewer" or "Offer Creator Only".
3. Enable the specific permissions this role should have. Each permission maps to an action (view, create, edit, delete) on a specific resource (offers, affiliates, reports, etc.).
4. Click Save. The role is now available to assign when creating or editing users.
Tip:
Start with the closest built-in role as a mental template before configuring custom permissions. This reduces the chance of accidentally leaving out an important permission.
Permission Categories
| Category | What It Controls |
|---|---|
| Offers | View, create, edit, delete offers and their associated settings (caps, creatives, targeting) |
| Affiliates | View, create, edit, delete affiliate accounts and manage affiliate-offer relationships |
| Advertisers | View, create, edit, delete advertiser profiles and billing settings |
| Campaigns | View, create, edit, delete campaigns and access tracking links |
| Reports | View performance reports; some sub-permissions control access to financial data like margin |
| Billing | View invoices, approve payments, manage billing cycles |
| System Settings | Access API keys, domain settings, email configuration, and user management |
Security Best Practices
| Best Practice | Implementation |
|---|---|
| Least-privilege access | Assign the least-permissive role that still lets the user do their job. Avoid giving everyone Admin. |
| Offboard promptly | Remove or deactivate user accounts on the employee's or contractor's last day. |
| Rotate API keys | When someone with API access leaves, regenerate the key and update all integrations. |
| Quarterly access audit | Review all active user accounts quarterly. Confirm each person still needs the access they have. |
| Strong password policy | Encourage a password manager. Avoid sharing passwords over email or Slack. |
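The following is an added example, not CAKE's own code: one way to run the quarterly access audit and least-privilege review from the table above over a list of admin users. The CSV columns (`email`, `role`, `status`, `last_login`), the sample rows and the 90-day threshold are assumptions constructed for illustration; this article does not describe a CAKE export format.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column names are assumptions for this
# example, not a documented CAKE export format.
SAMPLE_EXPORT = """email,role,status,last_login
owner@example.com,Super Admin,active,2024-06-20
lead@example.com,Admin,active,2024-06-25
am1@example.com,Account Manager,active,2024-06-28
am2@example.com,Account Manager,active,2024-01-15
analyst@example.com,Reporting Only,active,
contractor@example.com,Admin,active,2024-02-02
finance@example.com,Finance Viewer,active,2024-06-30
former@example.com,Account Manager,inactive,2023-11-30
"""

BUILT_IN_ROLES = {"Super Admin", "Admin", "Account Manager", "Reporting Only"}
BROAD_ROLES = {"Super Admin", "Admin"}  # widest access, reconfirm every quarter


def audit_users(export_text, today, stale_days=90):
    """Return {email: [findings]} for active accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "active":
            continue  # deactivated accounts are already offboarded
        role = row["role"].strip()
        last = row["last_login"].strip()
        notes = []
        if not last:
            notes.append("never logged in")
        elif (today - date.fromisoformat(last)).days > stale_days:
            notes.append(f"no login in over {stale_days} days")
        if role in BROAD_ROLES:
            notes.append(f"broad role '{role}': confirm it is still required")
        elif role not in BUILT_IN_ROLES:
            notes.append(f"custom role '{role}': review its permissions")
        if notes:
            findings[row["email"].strip()] = notes
    return findings


if __name__ == "__main__":
    for email, notes in audit_users(SAMPLE_EXPORT, date(2024, 7, 1)).items():
        print(f"{email}: {'; '.join(notes)}")
```

Each flagged account still needs a human decision: deactivate it, move it to a narrower role, or record why the access is still required.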
If you have any questions, please reach out to your dedicated CAKE Client Success Manager/Account Manager or contact the CAKE Support Team at support@getCAKE.com.