Roles & Permissions

Every team member has exactly one role: owner, admin, member, or viewer. The role is the single source of truth for what that person can do β€” it is read from the membership record only and is independent of any platform-level admin status.

The four roles

  • Owner β€” Full control. Manages billing, the team, ownership transfer, and company deletion, in addition to all resources. There is exactly one owner per team.
  • Admin β€” Manages members and all shared resources, but cannot touch billing, transfer ownership, or delete the company.
  • Member β€” Manages all shared resources (monitors, servers, status pages, alerts, observability, incidents). Cannot manage members or billing.
  • Viewer β€” Read-only. Can view all the team's resources but cannot change anything.

Capability matrix

Reads require team membership only β€” any role, including viewer, can view the team's resources. Mutations require the matching capability.

Capability Owner Admin Member Viewer
View resources (read) βœ… βœ… βœ… βœ…
Manage monitors βœ… βœ… βœ… ❌
Manage servers βœ… βœ… βœ… ❌
Manage status pages βœ… βœ… βœ… ❌
Manage alerts βœ… βœ… βœ… ❌
Manage observability βœ… βœ… βœ… ❌
Manage incidents βœ… βœ… βœ… ❌
Manage team (invite / change role / remove member) βœ… βœ… ❌ ❌
Manage billing βœ… ❌ ❌ ❌
Transfer ownership βœ… ❌ ❌ ❌
Delete company βœ… ❌ ❌ ❌

The six resource capabilities β€” manage_monitors, manage_servers, manage_status_pages, manage_alerts, manage_observability, manage_incidents β€” are granted as a group to every non-viewer role. Viewer gets none of them.

What each capability allows

  • manage_team β€” Send invitations, change another member's role, and remove members. Held by owner and admin.
  • manage_billing β€” View and change the subscription, payment method, and top-ups. Owner only.
  • transfer_ownership β€” Hand ownership to another existing member. Owner only.
  • delete_company β€” Delete the team and its resources. Owner only.

Owner protection invariants

The owner is special and is protected by rules enforced at the data layer, not just the UI:

  • The owner cannot be demoted or removed. Role changes and member removal refuse to act on the owner. Ownership only changes through transfer.
  • Exactly one owner per team. teams.owner_id and the owner's membership row are kept in lockstep inside a single transaction during transfer.
  • You cannot change your own role. This is blocked in the team controller regardless of your role.
  • Admins manage members but not the owner. An admin can invite, re-role, and remove members, but cannot affect the owner, billing, or company deletion.
  • The owner cannot simply leave. Attempting to leave as the owner is rejected with a prompt to transfer ownership first. See Invitations for the leave and transfer flows.

Assignable roles

When inviting or re-roling a member, only admin, member, and viewer are assignable. The value owner is never accepted by invite, add-member, or role-change operations β€” an invalid or owner role silently falls back to member. Becoming owner happens only through ownership transfer.

Next Steps