Org Roles

Hub defines four platform-level roles that control what a user can do across the entire organization. These roles set the baseline — individual product permissions can further refine access.

The Four Roles

| Role | Manage Users | Manage Roles | View Billing | View Audit | Scope |
|---|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes | Unrestricted — full control over all settings and products |
| Admin | Yes | No | No | Yes | User management and product access, no billing or role definitions |
| Member | No | No | No | No | Access to assigned products only, with product-specific permissions |
| Viewer | No | No | No | No | Read-only access across assigned products |

Owner

Owners have unrestricted access. They can manage users, roles, billing, and every product. Use this role for MSP business owners and senior leadership only.

  • Maximum 2 owners per organization
  • Can assign and revoke any role, including other owners
  • Full access to billing, invoices, and subscription management
  • Can enable or disable products for the organization

Admin

Admins handle day-to-day user management. They can invite users, grant product access, and view the audit log — but they cannot change billing settings or create new role definitions.

  • Can invite, deactivate, and manage users
  • Can grant and revoke product access
  • Can view (but not export) the audit log
  • Cannot access billing or subscription settings

Member

Members are your standard team users. They can access the products assigned to them and perform actions based on their product-specific permissions.

  • Access limited to products explicitly granted
  • Permissions within each product are configured separately
  • Cannot manage other users or view the audit log

Viewer

Viewers have read-only access. They can see data in their assigned products but cannot create, edit, or delete anything. Use this role for stakeholders who need visibility without the ability to make changes.

  • Read-only access to assigned products
  • Cannot create, edit, or delete records in any product
  • Useful for client liaisons, auditors, or reporting-only users

Assigning Roles

  1. Go to Settings > Users in Hub
  2. Click on a user's name
  3. Under Platform Role, select the new role
  4. Click Save

Role changes take effect immediately. The user's next API call or page navigation will reflect the new role.

💡 Follow the principle of least privilege. Start users as Members with specific product access, and only elevate to Admin or Owner when necessary.

Role Inheritance Across Products

The platform role sets the ceiling for what a user can do. Within each product, permissions further refine access. For example:

  • A Member with psa.tickets.create can create tickets but nothing else in PSA
  • A Viewer can only read data, regardless of any product permissions assigned
  • An Admin gets user management capabilities but still needs product permissions for product-specific actions

This two-layer system (platform role + product permissions) gives you flexible, fine-grained control.
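
The two-layer check described above, written out as an added example for access reviews; it is not Hub's own code or API. The `User` class, the capability names, the sample users and the set of action suffixes treated as read-only are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Capabilities per platform role, copied from the role table on this page.
PLATFORM_CAPS = {
    "Owner": {"manage_users", "manage_roles", "view_billing", "view_audit"},
    "Admin": {"manage_users", "view_audit"},
    "Member": set(),
    "Viewer": set(),
}
READ_ACTIONS = {"read", "view", "list"}  # assumption: action suffixes treated as read-only
MAX_OWNERS = 2  # "Maximum 2 owners per organization"

@dataclass
class User:
    name: str
    role: str
    product_perms: set = field(default_factory=set)  # e.g. {"psa.tickets.create"}

def is_allowed(user, permission):
    """Apply the platform-role ceiling first, then the product permission."""
    caps = PLATFORM_CAPS.get(user.role)
    if caps is None:
        return False  # unknown role: fail closed
    if user.role == "Owner":
        return True  # unrestricted
    if permission in PLATFORM_CAPS["Owner"]:  # Owner holds every platform capability
        return permission in caps  # platform capability comes from the role only
    if user.role == "Viewer" and permission.rsplit(".", 1)[-1] not in READ_ACTIONS:
        return False  # ceiling: product grants cannot lift a Viewer above read-only
    return permission in user.product_perms  # Admin and Member need an explicit grant

def review(users):
    findings = []
    owners = [u.name for u in users if u.role == "Owner"]
    if len(owners) > MAX_OWNERS:
        findings.append(f"owner limit exceeded: {', '.join(owners)}")
    for u in users:
        blocked = sorted(p for p in u.product_perms if not is_allowed(u, p))
        if blocked:
            findings.append(f"{u.name} ({u.role}) holds inert grants: {', '.join(blocked)}")
    return findings

SAMPLE = [  # constructed sample users, not real data
    *[User(n, "Owner") for n in ("ana", "ben", "cy")],
    User("vic", "Viewer", {"psa.tickets.read", "psa.tickets.create"}),
    User("mel", "Member", {"psa.tickets.create"}),
]

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

An inert grant is worth removing during a review: it has no effect today, but it becomes live the moment the user's platform role is raised.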