Roles are the access levels of a user in a workspace. Below is a summary of the roles and their permissions.
| Role | Description |
|---|
owner | Complete control over the workspace; exactly one per workspace |
admin | Administrative and application access to the workspace; is subordinate to the owner |
member | Application access to the workspace, but no administrative privileges |
Admin permissions
Owners and admins hold administrative privileges, granting them the following permissions, which are unavailable to members:
API Keys
- Create a new API key
- Delete an existing API key
Groups
- Create a new group
- Update an existing group
- Delete an existing group
- Move a device to a different group
Invites
- Send an invite
- Resend an invite
- Revoke an invite
Members
- Suspend a member
- Update another member’s role
Workspace
Of course, owners have some special immunity from the above permissions to prevent unwanted privilege escalation:
- Owners cannot be suspended
- Owners cannot have their role changed by another user
Owner permissions
A workspace must have exactly one owner. As such, owners cannot leave their workspace or be suspended.
However, owners can transfer ownership to another member. Thus, in addition to the admin permissions above, owners also have a special permission for transferring workspace ownership to another member.
Member permissions
Members hold application access to the workspace but no administrative privileges.
We won’t detail every permission here — suffice it to say, members can perform any action that is not administrative or owner-only. This includes creating devices, deploying configurations, etc. Last modified on May 28, 2026
