Every account belongs to a team, and every member of a team has one of three roles. The role controls what the dashboard, the mobile apps, and the API let you do.
Member
- View organizations, tenants, resources, tools, and permission rules
- View approvals, execution activity, and your own profile
- Cannot create or modify policy data, API keys, settings, billing, SSO, or SCIM
Admin
- Everything a member can do
- Create and edit organizations, tenants, resources, tools, and permission rules
- Manage API keys and webhook settings
- Configure approver groups for two-level approvals, including adding and removing members directly
- Cannot manage billing, SSO, or SCIM (so an admin cannot map an Entra group to an approver group, since that is part of SSO config)
Owner
- Everything an admin can do
- Buy credits, view billing history, manage payment methods
- Configure Enterprise SSO and SCIM provisioning, including mapping Entra groups to approver groups
- Manage the Verified Partner Program record for the team
- Promote or demote other members
When you sign up directly, you are the owner of a singleton team you fully control. When you sign in for the first time via your company SSO, you are provisioned just-in-time onto your company team as a member. Your owner can promote you from the Members page.
The role you have is independent of how you sign in. Passkey users and SSO users follow the same role rules and see the same UI for the role they have.