Role-based access control (RBAC) lets you assign permissions to team members based on their responsibilities. Each role has specific capabilities.
Available Roles
Role Overview
| Role | Description |
|---|---|
| Owner | Complete control, billing access |
| Admin | Full access except billing and ownership |
| Editor | Manage websites and data |
| Viewer | Read-only access |
Role Hierarchy
Owner (highest)
└── Admin
    └── Editor
        └── Viewer (lowest)
Higher roles include all permissions of lower roles.
Permission Matrix
Core Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View analytics | ✓ | ✓ | ✓ | ✓ |
| Export data | ✓ | ✓ | ✓ | ✗ |
| Manage goals & funnels | ✓ | ✓ | ✓ | ✗ |
| Manage websites | ✓ | ✓ | ✓ | ✗ |
| Invite members | ✓ | ✓ | ✗ | ✗ |
| Remove members | ✓ | ✓ | ✗ | ✗ |
| Manage billing | ✓ | ✗ | ✗ | ✗ |
| Transfer ownership | ✓ | ✗ | ✗ | ✗ |
| Delete team | ✓ | ✗ | ✗ | ✗ |
Analytics Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View dashboard | ✓ | ✓ | ✓ | ✓ |
| View live view | ✓ | ✓ | ✓ | ✓ |
| View sessions | ✓ | ✓ | ✓ | ✓ |
| View heatmaps | ✓ | ✓ | ✓ | ✓ |
| Export reports | ✓ | ✓ | ✓ | ✗ |
Live View, session replay, and heatmaps are available on Pro and higher plans. Once a plan includes a feature, every role on the team can view it, but exporting data is limited to Editor and above.
Configuration Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Add websites | ✓ | ✓ | ✓ | ✗ |
| Edit website settings | ✓ | ✓ | ✓ | ✗ |
| Delete websites | ✓ | ✓ | ✗ | ✗ |
| Manage goals & funnels | ✓ | ✓ | ✓ | ✗ |
| View API keys | ✓ | ✓ | ✓ | ✗ |
| Create and manage API keys | ✓ | ✓ | ✗ | ✗ |
Role Details
Owner
The team owner has complete control:
Can do everything, including:
- Access and manage billing
- Transfer ownership to another member
- Delete the entire team
- All admin, editor, viewer permissions
Notes:
- A team can have up to 3 owners
- A sole owner must transfer ownership before leaving the team
Admin
Admins have full operational access:
Can:
- Manage all team members (except owners)
- Configure all website and team settings
- Create and delete websites
- Manage goals, funnels, and API keys
Cannot:
- Manage billing
- Transfer ownership
- Delete the team
Editor
Editors can modify data and settings:
Can:
- View all analytics
- Add and configure websites
- Create and manage goals and funnels
- Configure tracking
- View API keys
Cannot:
- Invite or remove members
- Delete websites
- Create or manage API keys
Viewer
Viewers have read-only access:
Can:
- View all analytics data
- Access dashboards and live view
- View session replays and heatmaps (where the plan includes them)
Cannot:
- Make any changes
- Manage goals or funnels
- Add websites
- Export data
- Modify any settings
Assigning Roles
When Inviting
Select a role during invitation:
- Go to Settings → Workspace → Members
- Click Invite Members
- Enter one or more email addresses
- Choose a role (Admin, Editor, or Viewer)
- Send the invitation
Owners can assign any role; admins can assign Editor or Viewer.
Changing Roles
To change an existing member's role:
- Go to Settings → Workspace → Members
- Find the member
- Open the role menu next to their name
- Select the new role
Changes take effect immediately.
Website-Level Access for Clients
On the Scale plan, the agency dashboard lets you give individual clients read-only access to only the websites you assign them, through a separate client portal. This is the supported way to restrict visibility to specific websites.
Regular team members (Owner, Admin, Editor, Viewer) see every website in the workspace based on their role. Per-website restrictions apply to agency client portal users, not to standard team roles.
To set this up, open the Agency section and assign websites to each client. See Agency Dashboard Setup for the full walkthrough.
Best Practices
Principle of Least Privilege
Assign the minimum necessary access:
- Start with Viewer
- Upgrade as needed
- Review periodically
Role Assignment Guidelines
| Team Member | Recommended Role |
|---|---|
| CEO/Executive | Viewer or Admin |
| Marketing Manager | Editor |
| Data Analyst | Viewer or Editor |
| IT Administrator | Admin |
| External Partner | Viewer |
| Developer | Editor or Admin |
Regular Audits
Review access periodically:
- Check member roles quarterly
- Remove unused accounts
- Verify role appropriateness
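A quarterly review can be scripted against the permission tables above. The following is an added example, not code from the product: it reduces each permission to the lowest role that holds it, then flags members who are inactive or whose role exceeds what they actually used. The member records, their field names, the 90-day threshold, and leaving Owners to manual review are assumptions of this example.

```python
from datetime import date

ROLES = ["Viewer", "Editor", "Admin", "Owner"]  # lowest to highest, per the role hierarchy

# Lowest role holding each permission, transcribed from the permission tables on this page.
MIN_ROLE = {
    "View analytics": "Viewer", "View dashboard": "Viewer", "View live view": "Viewer",
    "View sessions": "Viewer", "View heatmaps": "Viewer", "Export data": "Editor",
    "Export reports": "Editor", "Manage goals & funnels": "Editor", "Manage websites": "Editor",
    "Add websites": "Editor", "Edit website settings": "Editor", "View API keys": "Editor",
    "Invite members": "Admin", "Remove members": "Admin", "Delete websites": "Admin",
    "Create and manage API keys": "Admin", "Manage billing": "Owner",
    "Transfer ownership": "Owner", "Delete team": "Owner",
}

def rank(role):
    return ROLES.index(role)

def least_role(used_permissions):
    """Lowest role that covers every permission the member actually exercised."""
    return ROLES[max((rank(MIN_ROLE[p]) for p in used_permissions), default=0)]

def review(members, today, stale_days=90):
    """Return {email: finding} for members who are stale or hold more than they use."""
    findings = {}
    for m in members:
        idle = (today - m["last_active"]).days
        needed = least_role(m["used"])
        if idle > stale_days:
            findings[m["email"]] = f"remove: inactive {idle} days"
        elif m["role"] != "Owner" and rank(needed) < rank(m["role"]):  # Owners: manual review
            findings[m["email"]] = f"downgrade: {m['role']} -> {needed}"
    return findings

# Constructed sample data; field names are hypothetical, not a product export format.
MEMBERS = [
    {"email": "ana@example.com", "role": "Admin", "last_active": date(2024, 5, 28),
     "used": {"View dashboard", "Export reports"}},
    {"email": "raj@example.com", "role": "Editor", "last_active": date(2024, 1, 10),
     "used": {"Add websites"}},
    {"email": "kim@example.com", "role": "Admin", "last_active": date(2024, 5, 30),
     "used": {"Invite members", "View sessions"}},
    {"email": "lee@example.com", "role": "Viewer", "last_active": date(2024, 5, 1), "used": set()},
]

if __name__ == "__main__":
    for email, finding in review(MEMBERS, today=date(2024, 6, 1)).items():
        print(email, finding)
```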
Troubleshooting
Can't Access a Feature
If a member can't access something:
- Check their current role
- Verify the permission requirements above
- Upgrade their role if appropriate
Can't Change Roles
If you can't modify roles:
- Verify you're an Admin or Owner
- Check whether you're trying to change an Owner (only an Owner can change another Owner)
- Ensure the member exists in the team
Security Considerations
Before Assigning Admin
Consider:
- Business need for access
- Trust level
- Responsibilities
Removing Access
When someone leaves:
- Remove them immediately
- Don't just downgrade
- Review their past actions
- Update shared credentials
Audit Trail
Role changes are recorded in the team audit log:
- Who made the change
- What changed
- When it happened
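The who, what, and when fields are enough to replay role changes and check each one against the assignment rules on this page. The following is an added example, not code from the product: the record layout and sample entries are constructed, and applying the invitation limits (admins assign Editor or Viewer) to changes of existing members is an assumption. An entry the rules would not permit, or a grant of Admin or Owner, is surfaced for review.

```python
ROLES = ["Viewer", "Editor", "Admin", "Owner"]  # lowest to highest

def allowed(actor_role, old_role, new_role):
    """Assignment rules as stated on this page (see the assumption in the lead-in)."""
    if actor_role == "Owner":
        return True                       # owners can assign any role
    if actor_role == "Admin":             # admins: Editor or Viewer, never touching an Owner
        return old_role != "Owner" and new_role in ("Editor", "Viewer")
    return False                          # Editor and Viewer cannot manage members

def replay(initial_roles, events):
    """Walk the log in time order, tracking each member's role, and return alerts."""
    roles, alerts = dict(initial_roles), []
    for e in sorted(events, key=lambda e: e["when"]):
        actor_role = roles.get(e["who"])   # None: actor is not a known team member
        old = roles.get(e["member"])       # None: member is newly invited
        new = e["new_role"]
        if actor_role is None or not allowed(actor_role, old, new):
            alerts.append((e["when"], "policy-violation", e["member"]))
        elif new in ("Admin", "Owner") and (old is None or ROLES.index(new) > ROLES.index(old)):
            alerts.append((e["when"], "privileged-grant", e["member"]))
        roles[e["member"]] = new           # the log records what happened, so track it
    return alerts

# Constructed sample data; field names are hypothetical, not the product's log format.
INITIAL = {"owner@example.com": "Owner", "ana@example.com": "Admin", "raj@example.com": "Editor"}
EVENTS = [
    {"when": "2024-06-01T09:00:00Z", "who": "owner@example.com",
     "member": "raj@example.com", "new_role": "Admin"},
    {"when": "2024-06-02T10:00:00Z", "who": "ana@example.com",
     "member": "kim@example.com", "new_role": "Viewer"},
    {"when": "2024-06-03T23:40:00Z", "who": "ana@example.com",
     "member": "kim@example.com", "new_role": "Admin"},
    {"when": "2024-06-04T08:00:00Z", "who": "zed@example.com",
     "member": "raj@example.com", "new_role": "Viewer"},
]

if __name__ == "__main__":
    for alert in replay(INITIAL, EVENTS):
        print(*alert)
```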