Every member in your organisation holds exactly one role. Roles determine what each member can see and change across the control plane. Three roles ship today: Owner, Admin, and Viewer. This page documents what each can do so you can choose the right role when inviting someone.
You can't currently define custom roles; the three below are the entire vocabulary. If you need a permission slice that doesn't match any of them, surface that as feedback — it's on the roadmap.
Owner
The single human who signed the organisation up. Always exactly one per organisation.
What Owner can do:
- Everything Admin can do, plus:
- Delete the organisation (the terminal, cascading destructive action).
- Transfer ownership to another member (a separate deliberate flow).
Use Owner for: the founder of the team running IntelliAuth, the legal/billing-accountable person. Owner stays with the person who signed up; you don't normally hand it out.
Admin
Full operational access to the organisation. Most platform operators are admins.
What Admin can do:
- Provision, suspend, resume, decommission, and recreate tenants.
- View, invite, edit, and remove members (except they can't remove or demote the Owner).
- Read and export the org audit feed.
- View the cross-tenant Identities aggregate.
- View plan + billing details and upgrade tiers (when Billing is wired).
- Edit organisation settings: the name can be changed; the slug is immutable, but visible to all admins.
What Admin can't do:
- Delete the organisation. That's Owner-only.
- Transfer ownership. That's Owner-only.
Use Admin for: engineers, ops, customer success — anyone helping you run the platform day-to-day. Most members should be admins.
Viewer
Read-only access across the organisation. Useful for stakeholders who need visibility without the ability to change state.
What Viewer can do:
- See every page in the control plane (Dashboard, Tenants, Members, Identities, Audit, Settings, Billing).
- See historical events in the audit feed.
- Click through to a tenant's detail page and read its provisioning timeline.
What Viewer can't do:
- Provision, suspend, resume, decommission, or modify any tenant.
- Invite, remove, or edit members (including their own role — they can't promote themselves).
- Export audit entries (read in the UI is fine; download is restricted).
- Change anything in Settings or Billing.
Use Viewer for: leadership reviewing platform usage, junior team members ramping up, internal auditors, support engineers who only need to look at things.
Role-change cadence
Roles can change after a member joins. From the Members page, click a member's row and pick a new role from the dropdown. The change takes effect immediately: the member's next action is gated by the new role's capabilities. The audit feed records the change with the old and new roles for post-hoc review.
Two constraints:
- Owner can't be assigned through the role dropdown. Owner is set at signup and transferred only through the explicit Transfer-ownership flow (Owner-only).
- A member can't change their own role. The platform refuses self-promotion; ask another member with the right role to make the change.
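For post-hoc review, the rules above can be turned into a consistency check over exported role-change records: any record that breaks one of them points to an enforcement gap worth investigating. This is an added example, not IntelliAuth code; the record fields (`id`, `actor`, `actor_role`, `target`, `old_role`, `new_role`) are assumed, and it assumes ownership transfers are logged as a separate event type.

```python
# Added example: checks role-change records against the rules documented on this page.
# Field names are assumptions; the page only says the audit feed records old and new roles.
# Assumes ownership transfers are logged as a separate event type, not as role changes.

ROLES = {"owner", "admin", "viewer"}


def role_change_violations(entry):
    """Return the documented rules a role-change record breaks (empty list = consistent)."""
    if entry["old_role"] not in ROLES or entry["new_role"] not in ROLES:
        return ["unknown role: only Owner, Admin and Viewer exist"]
    problems = []
    if entry["actor"] == entry["target"]:
        problems.append("self-change: a member can't change their own role")
    if entry["actor_role"] == "viewer":
        problems.append("viewer actor: Viewers can't edit members")
    if entry["new_role"] == "owner":
        problems.append("owner assigned: Owner is only set by the Transfer-ownership flow")
    if entry["old_role"] == "owner":
        problems.append("owner demoted: the Owner can't be demoted through a role change")
    return problems


def review(entries):
    """Map entry id -> violations, for entries that break at least one rule."""
    return {e["id"]: v for e in entries if (v := role_change_violations(e))}


# Constructed sample records, not real audit data.
SAMPLE = [
    {"id": 1, "actor": "alice", "actor_role": "admin", "target": "bob",
     "old_role": "viewer", "new_role": "admin"},
    {"id": 2, "actor": "bob", "actor_role": "viewer", "target": "bob",
     "old_role": "viewer", "new_role": "admin"},
    {"id": 3, "actor": "alice", "actor_role": "admin", "target": "carol",
     "old_role": "admin", "new_role": "owner"},
    {"id": 4, "actor": "alice", "actor_role": "admin", "target": "dana",
     "old_role": "owner", "new_role": "viewer"},
]

if __name__ == "__main__":
    for entry_id, problems in review(SAMPLE).items():
        print(entry_id, problems)
```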
When an action is refused
If a member clicks a button they don't have the role for, the UI shows a small banner or toast explaining the action requires a higher role. No state is changed. The audit feed doesn't record refused attempts (only successful state changes land there).
The common cases:
- A viewer trying to provision a tenant. Banner: "This action requires Admin or higher."
- An admin trying to delete the organisation. Banner: "Only the Owner can delete the organisation."
- A member trying to change their own role. Banner: "Ask another member to change your role."
If you keep hitting role-gated banners, the right move is to ask whoever holds Owner or Admin to bump your role, or to do the action through their seat.