Overview
Control what each team member can do with three distinct roles. Owners and Admins manage the account, Editors work with validations, and Viewers have read-only access scoped to their assigned projects.
How It Works
Role Permissions
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Validate | Yes | Yes | Yes | Yes |
| View history | Yes | Yes | Yes | Scoped |
| Manage projects | Yes | Yes | Yes | No |
| Export data | Yes | Yes | Yes | Scoped |
| Schema changes | Yes | Yes | Yes | Scoped |
| AI readiness | Yes | Yes | Yes | Scoped |
| Team management | Yes | Yes | No | No |
| White-label | Yes | Yes | No | No |
| Billing | Yes | No | No | No |
Tier Availability
| Tier | Available |
|---|---|
| Agency | Yes |
| Enterprise | Yes |
Related Features
- Team Seats: Add members to assign roles
- Viewer Project Scoping: Further restrict Viewer access
- Audit Trail: Track actions by role (Enterprise)
Mini-Tutorial
Step 1: Understand Your Team’s Needs
- Owner: Account creator (automatic)
- Admin: Trust someone to manage account settings and billing
- Editor: Team members who validate and manage projects
- Viewer: Clients or read-only observers (scope to specific projects)
Step 2: Invite with Appropriate Role
When inviting members, choose the least privileged role they need.
Step 3: Change Roles If Needed
Go to Team Members, find the user, and click to change their role. Changes take effect immediately.
Step 4: Monitor with Audit Trail (Enterprise)
Enterprise users can view audit logs to see which role performed which actions for accountability.
Technical Details
Role Permissions Matrix
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Core Validation | | | | |
| Validate URLs | ✓ | ✓ | ✓ | ✓ |
| Bulk validation | ✓ | ✓ | ✓ | ✓ |
| View validation history | ✓ | ✓ | ✓ | Scoped |
| | | | | |
| Projects & Data | | | | |
| Create projects | ✓ | ✓ | ✓ | ✗ |
| Delete projects | ✓ | ✓ | ✓ | ✗ |
| Export data | ✓ | ✓ | ✓ | Scoped |
| Generate reports | ✓ | ✓ | ✓ | Scoped |
| | | | | |
| Team & Admin | | | | |
| Invite members | ✓ | ✓ | ✗ | ✗ |
| Remove members | ✓ | ✓ | ✗ | ✗ |
| Change member roles | ✓ | ✓ | ✗ | ✗ |
| View audit trail | ✓ | ✓ | ✗ | ✗ |
| | | | | |
| Integrations | | | | |
| Connect GSC | ✓ | ✓ | ✓ | ✗ |
| Manage webhooks | ✓ | ✓ | ✗ | ✗ |
| Create API keys | ✓ | ✗ | ✗ | ✗ |
| | | | | |
| Account Settings | | | | |
| White-label settings | ✓ | ✓ | ✗ | ✗ |
| Billing & plans | ✓ | ✗ | ✗ | ✗ |
Update Member Role
```
PUT /api/v1/team/member/user_456/role
{
  "role": "admin"
}
```
Response:
```json
{
  "id": "user_456",
  "email": "[email protected]",
  "role": "admin",
  "updated_at": "2025-03-22T14:32:00Z"
}
```
Viewer Scoping
Viewers can be further restricted to specific projects:
```
PUT /api/v1/team/member/user_789/project
{
  "project_ids": ["proj_abc", "proj_def"]
}
```
The Viewer now sees only those two projects in their dashboard.
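The permissions matrix and Viewer scoping above, expressed as a deny-by-default authorization check plus a helper that lists what a role change would widen. This is an added example, not ValidGraph code: the permission keys, the `member` dictionary shape and the function names are assumptions made for illustration, and only a subset of matrix rows is encoded.

```python
# Added illustration, not ValidGraph code. Permission keys are assumed names
# for rows of the Role Permissions Matrix on this page.
ALLOW, SCOPED = "allow", "scoped"
ROLES = ("owner", "admin", "editor", "viewer")
RANK = {None: 0, SCOPED: 1, ALLOW: 2}  # how wide a grant is


def _row(owner, admin, editor, viewer):
    return dict(zip(ROLES, (owner, admin, editor, viewer)))


# None means the role does not hold the permission at all.
MATRIX = {
    "validate_urls":       _row(ALLOW, ALLOW, ALLOW, ALLOW),
    "view_history":        _row(ALLOW, ALLOW, ALLOW, SCOPED),
    "export_data":         _row(ALLOW, ALLOW, ALLOW, SCOPED),
    "create_projects":     _row(ALLOW, ALLOW, ALLOW, None),
    "change_member_roles": _row(ALLOW, ALLOW, None, None),
    "manage_webhooks":     _row(ALLOW, ALLOW, None, None),
    "create_api_keys":     _row(ALLOW, None, None, None),
    "billing":             _row(ALLOW, None, None, None),
}


def is_allowed(member, permission, project_id=None):
    """Deny by default: unknown role, unknown permission or missing scope fails."""
    grant = MATRIX.get(permission, {}).get(member.get("role"))
    if grant == ALLOW:
        return True
    if grant == SCOPED:
        # A scoped grant only covers projects assigned to this member.
        return project_id is not None and project_id in member.get("project_ids", ())
    return False


def gained_by_role_change(old_role, new_role):
    """Permissions that widen if a member moves from old_role to new_role."""
    return sorted(
        perm for perm, row in MATRIX.items()
        if RANK[row.get(new_role)] > RANK[row.get(old_role)]
    )


if __name__ == "__main__":
    # Constructed sample member mirroring the Viewer Scoping request above.
    viewer = {"role": "viewer", "project_ids": ["proj_abc", "proj_def"]}
    print(is_allowed(viewer, "export_data", "proj_abc"))   # in scope
    print(is_allowed(viewer, "export_data", "proj_xyz"))   # out of scope
    print(gained_by_role_change("editor", "admin"))
```

Running `gained_by_role_change` before a role update shows exactly which permissions the member picks up, which matters because role changes take effect immediately.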