Team Roles & Permissions
Set up your team with the right access levels. From read-only stakeholders to full admin control.
Beginner6 min readUpdated 2024-12-28
Your intern doesn't need access to billing. Your client doesn't need to edit campaigns. Your marketing manager doesn't need to delete the organization.
Role-based access control ensures everyone has exactly what they need - no more, no less.
Why Roles Matter
The Principle of Least Privilege
Give people the minimum access they need to do their job. This:
- Reduces risk - Fewer people can cause damage
- Improves security - Smaller attack surface
- Simplifies auditing - Clearer who did what
- Builds trust - Clients see you take security seriously
Real Scenarios
| Without Roles | With Roles |
|---|---|
| Contractor accidentally deletes campaign | Contractor is Viewer - can't modify |
| Ex-employee still has access | Access revoked on last day |
| Client sees other clients' data | Each client in separate organization |
| Intern changes billing | Billing limited to Owner |
Available Roles
We provide 4 built-in roles, designed for common team structures:
Role Hierarchy
****
output
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ā ROLE HIERARCHY ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤ ā ā ā OWNER ā ā āāā Full access to everything ā ā āāā Billing, delete organization, transfer ownership ā ā ā ā ADMIN ā ā āāā Full access except billing ā ā āāā Manage team, campaigns, settings ā ā ā ā MEMBER ā ā āāā Day-to-day operations ā ā āāā Create/edit campaigns, view analytics ā ā ā ā VIEWER ā ā āāā Read-only access ā ā āāā View everything, change nothing ā ā ā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ****Role Descriptions
| Role | Best For | Key Limitations |
|---|---|---|
| Owner | Business owner, founder | Can delete organization |
| Admin | Marketing director, agency lead | Cannot access billing |
| Member | Marketing manager, campaign runner | Cannot change settings |
| Viewer | Client, stakeholder, analyst | Cannot modify anything |
Permission Matrix
Here's exactly what each role can do:
Campaigns & Ads
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View campaigns | ā | ā | ā | ā |
| Create campaigns | ā | ā | ā | ā |
| Edit campaigns | ā | ā | ā | ā |
| Delete campaigns | ā | ā | ā | ā |
| Approve AI actions | ā | ā | ā | ā |
Analytics & AI
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View analytics | ā | ā | ā | ā |
| Export data | ā | ā | ā | ā |
| View AI insights | ā | ā | ā | ā |
| Configure autopilot | ā | ā | ā | ā |
Team & Settings
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View team | ā | ā | ā | ā |
| Invite members | ā | ā | ā | ā |
| Change roles | ā | ā* | ā | ā |
| Organization settings | ā | ā | ā | ā |
| Billing & subscription | ā | ā | ā | ā |
| API keys | ā | ā | ā | ā |
| Delete organization | ā | ā | ā | ā |
*Admins can only change Members and Viewers, not other Admins or Owner
Managing Your Team
Inviting Members
- Go to Settings ā Team
- Click Invite Member
- Enter their email address
- Select their role
- Click Send Invite
They'll receive an email with a link to join your organization.
Changing Roles
- Go to Settings ā Team
- Find the team member
- Click their current role
- Select the new role
- Changes apply immediately
Removing Members
- Go to Settings ā Team
- Find the team member
- Click Remove
- Confirm removal
Access is revoked instantly. They cannot access any data.
Common Team Setups
Small Business (1-3 people)
| Person | Role | Why |
|---|---|---|
| Founder | Owner | Full control |
| Marketing lead | Admin | Day-to-day management |
| Freelancer | Member or Viewer | Limited scope |
Agency with Clients
| Person | Role | Why |
|---|---|---|
| Agency owner | Owner | Billing and control |
| Account managers | Admin | Manage client campaigns |
| Strategists | Member | Create campaigns |
| Clients | Viewer | See their results |
Pro tip: For agencies, create a separate organization per client. This ensures data isolation.
Enterprise Team
| Person | Role | Why |
|---|---|---|
| CMO | Owner | Ultimate authority |
| Directors | Admin | Team and budget control |
| Managers | Member | Campaign execution |
| Analysts | Viewer | Reporting access |
| Finance | Viewer + billing exception | Budget visibility |
Audit Log
Every action is logged. Go to Settings ā Audit Log to see:
| Timestamp | User | Action | Details |
|---|---|---|---|
| 2024-12-28 10:30 | [email protected] | Invited member | [email protected] as Member |
| 2024-12-28 09:15 | [email protected] | Created campaign | "Holiday Sale" |
| 2024-12-27 16:45 | [email protected] | Changed role | [email protected]: Viewer ā Member |
This helps with:
- Compliance - Show who did what, when
- Troubleshooting - Trace changes that caused issues
- Security - Detect unauthorized access
Recap
Here's what you learned:
- 4 roles cover most team structures
- Principle of least privilege - Give minimum needed access
- Instant revocation - Remove access immediately when needed
- Audit log - Track everything for compliance
Get roles right from the start. It's much harder to restrict access later than to grant more when needed.
Next step: Secure your API keys with proper permissions.
Key Takeaways
- 14 built-in roles: Owner, Admin, Member, Viewer
- 2Principle of least privilege by default
- 3Audit log tracks all access and changes
- 4Instant access revocation when needed
Frequently Asked Questions
Can I create custom roles?
Not yet. The 4 built-in roles cover most needs. Custom roles are on our roadmap for Q2 2025.
What happens when I remove someone?
They lose access immediately. Their past actions remain in the audit log. Campaigns they created are preserved.
Can I transfer ownership?
Yes. Go to Settings ā Organization ā Transfer Ownership. The new owner must already be an Admin. You'll become an Admin after transfer.
Was this article helpful?