Role-based access control (RBAC) lets you assign permissions to team members based on their responsibilities. Each role has specific capabilities.
Available Roles
Role Overview
| Role | Description |
|---|---|
| Owner | Complete control, billing access |
| Admin | Full access except ownership transfer |
| Editor | Manage websites and data |
| Viewer | Read-only access |
Role Hierarchy
Owner (highest)
└── Admin
    └── Editor
        └── Viewer (lowest)
Higher roles include all permissions of lower roles.
Permission Matrix
Core Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View analytics | ✓ | ✓ | ✓ | ✓ |
| Export data | ✓ | ✓ | ✓ | ✓ |
| Create goals | ✓ | ✓ | ✓ | ✗ |
| Manage websites | ✓ | ✓ | ✓ | ✗ |
| Invite members | ✓ | ✓ | ✗ | ✗ |
| Remove members | ✓ | ✓ | ✗ | ✗ |
| Manage billing | ✓ | ✗ | ✗ | ✗ |
| Transfer ownership | ✓ | ✗ | ✗ | ✗ |
| Delete team | ✓ | ✗ | ✗ | ✗ |
Analytics Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View dashboard | ✓ | ✓ | ✓ | ✓ |
| View real-time | ✓ | ✓ | ✓ | ✓ |
| View sessions | ✓ | ✓ | ✓ | ✓ |
| View heatmaps | ✓ | ✓ | ✓ | ✓ |
| Download reports | ✓ | ✓ | ✓ | ✓ |
| Create filters | ✓ | ✓ | ✓ | ✗ |
| Save views | ✓ | ✓ | ✓ | ✗ |
Configuration Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Add websites | ✓ | ✓ | ✓ | ✗ |
| Edit website settings | ✓ | ✓ | ✓ | ✗ |
| Delete websites | ✓ | ✓ | ✗ | ✗ |
| Create goals | ✓ | ✓ | ✓ | ✗ |
| Delete goals | ✓ | ✓ | ✗ | ✗ |
| Manage integrations | ✓ | ✓ | ✗ | ✗ |
| API key management | ✓ | ✓ | ✗ | ✗ |
Role Details
Owner
The team owner has complete control and can do everything, including:
- Access and manage billing
- Transfer ownership to another admin
- Delete the entire team
- All admin, editor, viewer permissions
Limitations:
- Only one owner per team
- Cannot remove themselves
- Must transfer before leaving
Admin
Admins have full operational access:
Can:
- Manage all team members
- Configure all settings
- Access all features
- Create/delete websites
- Manage integrations
Cannot:
- Access billing
- Transfer ownership
- Delete the team
Editor
Editors can modify data and settings:
Can:
- View all analytics
- Add and configure websites
- Create and manage goals
- Set up funnels
- Configure tracking
Cannot:
- Invite or remove members
- Delete websites
- Manage integrations
- Access team settings
Viewer
Viewers have read-only access:
Can:
- View all analytics data
- Access dashboards
- Export reports
- Watch session replays
- View heatmaps
Cannot:
- Make any changes
- Create goals or funnels
- Add websites
- Modify any settings
Assigning Roles
When Inviting
Select a role during invitation:
- Click "Invite Member"
- Enter email
- Choose role from dropdown
- Send invitation
Changing Roles
To change an existing member's role:
- Go to Settings → Team
- Find the member
- Click "Edit"
- Select new role
- Save changes
Changes take effect immediately.
Custom Roles
[Enterprise Plan] Enterprise plans can create custom roles:
Creating Custom Roles
- Go to Settings → Team tab
- Click "Create Role"
- Name the role
- Select permissions
- Save
Example Custom Roles
| Custom Role | Use Case | Permissions |
|---|---|---|
| Analyst | Data team | View all + export |
| Manager | Department heads | View + create goals |
| Developer | Technical team | View + API access |
| Auditor | Compliance | View + audit logs |
Assigning Custom Roles
Use them like built-in roles:
- Invite or edit member
- Select custom role
- Permissions apply
Website-Level Access
[Scale Plan] Restrict access to specific websites:
How It Works
Team: Acme Inc
Websites:
├── marketing.acme.com (All members)
├── sales.acme.com (Sales team only)
└── internal.acme.com (Admins only)
Setting Up
- Go to Settings → Team → Members
- Click member name
- Select "Website Access"
- Choose allowed websites
- Save
Use Cases
| Scenario | Configuration |
|---|---|
| Department separation | Each team sees own sites |
| Client privacy | Staff only see assigned clients |
| Sensitive data | Restrict to admins |
Best Practices
Principle of Least Privilege
Assign minimum necessary access:
- Start with Viewer
- Upgrade as needed
- Review periodically
Role Assignment Guidelines
| Team Member | Recommended Role |
|---|---|
| CEO/Executive | Viewer or Admin |
| Marketing Manager | Editor |
| Data Analyst | Viewer |
| IT Administrator | Admin |
| External Partner | Viewer (restricted) |
| Developer | Editor or Admin |
Regular Audits
Review access periodically:
- Check member roles quarterly
- Remove unused accounts
- Verify role appropriateness
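A periodic access review following the least-privilege and audit steps above can be scripted against the permission matrix. This is an added example, not code from the product: the roster format, the "permissions used" field, the 90-day staleness threshold and all addresses are assumptions constructed for illustration.

```python
from datetime import date

ROLES = ["Viewer", "Editor", "Admin", "Owner"]  # lowest to highest, per Role Hierarchy

# Lowest role holding each permission, transcribed from the three matrices above.
MIN_ROLE = {
    "View analytics": "Viewer", "Export data": "Viewer", "View dashboard": "Viewer",
    "Download reports": "Viewer", "Create filters": "Editor", "Save views": "Editor",
    "Create goals": "Editor", "Manage websites": "Editor", "Add websites": "Editor",
    "Edit website settings": "Editor", "Delete websites": "Admin",
    "Delete goals": "Admin", "Invite members": "Admin", "Remove members": "Admin",
    "Manage integrations": "Admin", "API key management": "Admin",
    "Manage billing": "Owner", "Transfer ownership": "Owner", "Delete team": "Owner",
}

def rank(role):
    return ROLES.index(role)

def least_role(permissions):
    """Lowest built-in role that covers every permission in the set."""
    unknown = set(permissions).difference(MIN_ROLE)
    if unknown:
        raise ValueError(f"not in the matrix: {sorted(unknown)}")
    return max((MIN_ROLE[p] for p in permissions), key=rank, default="Viewer")

def review(roster, today, stale_days=90):
    """Return (email, finding) pairs for a periodic access review."""
    findings = []
    for m in roster:
        if m["role"] == "Owner":
            continue  # one Owner per team; changed only by ownership transfer
        if m["last_active"] is None or (today - m["last_active"]).days > stale_days:
            findings.append((m["email"], "remove unused account"))
        elif rank(least_role(m["used"])) < rank(m["role"]):
            findings.append((m["email"], f"downgrade {m['role']} -> {least_role(m['used'])}"))
    return findings

# Constructed roster: role, last activity, permissions exercised since the last review.
TODAY = date(2024, 6, 30)
ROSTER = [
    {"email": "owner@example.com", "role": "Owner", "last_active": date(2024, 6, 29), "used": {"Manage billing"}},
    {"email": "it@example.com", "role": "Admin", "last_active": date(2024, 6, 28), "used": {"Invite members", "API key management"}},
    {"email": "mkt@example.com", "role": "Admin", "last_active": date(2024, 6, 20), "used": {"Create goals", "View dashboard"}},
    {"email": "analyst@example.com", "role": "Editor", "last_active": date(2024, 6, 25), "used": {"Export data"}},
    {"email": "partner@example.com", "role": "Viewer", "last_active": date(2024, 1, 10), "used": set()},
]
```

Calling `review(ROSTER, TODAY)` flags the Admin who only needed Editor permissions, the Editor who only exported data, and the account with no activity inside the review window.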
Troubleshooting
Can't Access Feature
If a member can't access something:
- Check their current role
- Verify permission requirements
- Upgrade role if appropriate
Can't Change Roles
If you can't modify roles:
- Verify you're Admin or Owner
- Check whether you are targeting the Owner
- Ensure member exists
Need Custom Permissions
If built-in roles don't fit:
- Upgrade to Enterprise for custom roles
- Use website-level restrictions
- Contact support for options
Security Considerations
Before Assigning Admin
Consider:
- Business need for access
- Trust level
- Training completed
- Responsibilities
Removing Access
When someone leaves:
- Remove immediately
- Don't just downgrade
- Review their past actions
- Update shared credentials
Audit Trail
All role changes are logged:
- Who made the change
- What changed
- When it happened
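The checks listed under "Can't Change Roles" and the three audit fields above can be modeled as one server-side guard. This is an added example, not the product's implementation: the `team` mapping, the `change_role` function, the exception name and the log entry layout are hypothetical.

```python
from datetime import datetime, timezone

ASSIGNABLE = {"Viewer", "Editor", "Admin"}   # Owner is assigned only by ownership transfer
CAN_MANAGE_MEMBERS = {"Admin", "Owner"}      # roles holding the member-management rows

class RoleChangeDenied(Exception):
    """Raised when a requested role change violates one of the page's rules."""

def change_role(team, audit_log, actor, target, new_role, now=None):
    """Change target's role in `team` (email -> role) and return the old role.

    Raises RoleChangeDenied without touching `team` or `audit_log` when a
    check fails, so a rejected request never leaves a partial change behind.
    """
    if team.get(actor) not in CAN_MANAGE_MEMBERS:
        raise RoleChangeDenied("actor is not Admin or Owner")
    if target not in team:
        raise RoleChangeDenied("member does not exist")
    if team[target] == "Owner":
        raise RoleChangeDenied("Owner changes only through ownership transfer")
    if new_role not in ASSIGNABLE:
        raise RoleChangeDenied("role is unknown or reserved for ownership transfer")
    old_role = team[target]
    team[target] = new_role  # takes effect immediately, as the page states
    audit_log.append({
        "who": actor,                                             # who made the change
        "what": f"{target}: {old_role} -> {new_role}",            # what changed
        "when": (now or datetime.now(timezone.utc)).isoformat(),  # when it happened
    })
    return old_role

if __name__ == "__main__":
    # Constructed team for a quick walk-through.
    team = {"owner@example.com": "Owner", "it@example.com": "Admin",
            "mkt@example.com": "Editor"}
    log = []
    change_role(team, log, "it@example.com", "mkt@example.com", "Viewer")
    print(team, log)
```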