Roles & Permissions
Every team member has exactly one role: owner, admin, member, or viewer. The role is the single source of truth for what that person can do β it is read from the membership record only and is independent of any platform-level admin status.
The four roles
- Owner β Full control. Manages billing, the team, ownership transfer, and company deletion, in addition to all resources. There is exactly one owner per team.
- Admin β Manages members and all shared resources, but cannot touch billing, transfer ownership, or delete the company.
- Member β Manages all shared resources (monitors, servers, status pages, alerts, observability, incidents). Cannot manage members or billing.
- Viewer β Read-only. Can view all the team's resources but cannot change anything.
Capability matrix
Reads require team membership only β any role, including viewer, can view the team's resources. Mutations require the matching capability.
| Capability | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View resources (read) | β | β | β | β |
| Manage monitors | β | β | β | β |
| Manage servers | β | β | β | β |
| Manage status pages | β | β | β | β |
| Manage alerts | β | β | β | β |
| Manage observability | β | β | β | β |
| Manage incidents | β | β | β | β |
| Manage team (invite / change role / remove member) | β | β | β | β |
| Manage billing | β | β | β | β |
| Transfer ownership | β | β | β | β |
| Delete company | β | β | β | β |
The six resource capabilities β manage_monitors, manage_servers, manage_status_pages, manage_alerts, manage_observability, manage_incidents β are granted as a group to every non-viewer role. Viewer gets none of them.
What each capability allows
- manage_team β Send invitations, change another member's role, and remove members. Held by owner and admin.
- manage_billing β View and change the subscription, payment method, and top-ups. Owner only.
- transfer_ownership β Hand ownership to another existing member. Owner only.
- delete_company β Delete the team and its resources. Owner only.
Owner protection invariants
The owner is special and is protected by rules enforced at the data layer, not just the UI:
- The owner cannot be demoted or removed. Role changes and member removal refuse to act on the owner. Ownership only changes through transfer.
- Exactly one owner per team.
teams.owner_idand the owner's membership row are kept in lockstep inside a single transaction during transfer. - You cannot change your own role. This is blocked in the team controller regardless of your role.
- Admins manage members but not the owner. An admin can invite, re-role, and remove members, but cannot affect the owner, billing, or company deletion.
- The owner cannot simply leave. Attempting to leave as the owner is rejected with a prompt to transfer ownership first. See Invitations for the leave and transfer flows.
Assignable roles
When inviting or re-roling a member, only admin, member, and viewer are assignable. The value owner is never accepted by invite, add-member, or role-change operations β an invalid or owner role silently falls back to member. Becoming owner happens only through ownership transfer.
Next Steps
- Invitations - Inviting members and the accept flow
- Seats & Billing - How seat limits and plans work
- Teams Overview - Company sub-accounts concept