Roles and permissions
Understand CloudSignal team roles and what each role can do.
CloudSignal uses role-based access control to manage what team members can do. Use this reference to pick the right role for each member and to verify what actions each role permits.
Roles overview
| Role | Description |
|---|---|
| Owner | Full control over the organization |
| Admin | Full access to MQTT resources and team management |
| Member | Can create and manage MQTT resources |
| Viewer | Read-only access to all resources |
Detailed permissions
MQTT resources
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View MQTT users | Yes | Yes | Yes | Yes |
| Create MQTT users | Yes | Yes | Yes | No |
| Edit MQTT users | Yes | Yes | Yes | No |
| Delete MQTT users | Yes | Yes | Yes | No |
| View ACL rules | Yes | Yes | Yes | Yes |
| Create ACL rules | Yes | Yes | Yes | No |
| Edit ACL rules | Yes | Yes | Yes | No |
| Delete ACL rules | Yes | Yes | Yes | No |
Monitoring
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View active sessions | Yes | Yes | Yes | Yes |
| View session history | Yes | Yes | Yes | Yes |
| Disconnect sessions | Yes | Yes | Yes | No |
| Export data | Yes | Yes | Yes | Yes |
Team management
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View team members | Yes | Yes | Yes | Yes |
| Invite members | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Remove members | Yes | Yes | No | No |
Organization settings
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View organization settings | Yes | Yes | Yes | Yes |
| Edit organization name | Yes | Yes | No | No |
| Delete organization | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
Billing
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View current plan | Yes | Yes | Yes | Yes |
| View usage | Yes | Yes | Yes | Yes |
| Change plan | Yes | No | No | No |
| Update payment method | Yes | No | No | No |
| View invoices | Yes | Yes | No | No |
Workspaces
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View all workspaces | Yes | Yes | Assigned only | Assigned only |
| Create workspaces | Yes | Yes | No | No |
| Edit workspaces | Yes | Yes | No | No |
| Delete workspaces | Yes | Yes | No | No |
Members and Viewers can only see workspaces they've been assigned to.
Role details
Owner
The organization creator is automatically the Owner. There can only be one Owner.
| Capability | Detail |
|---|---|
| Full access | Everything in the organization |
| Delete organization | Yes |
| Transfer ownership | Yes (to another Admin) |
| Manage billing and payment | Yes |
Be careful with Owner actions. Deleting the organization is irreversible.
Admin
Admins have broad access but cannot perform destructive organization-level actions.
| Capability | Detail |
|---|---|
| Full access to MQTT resources | Yes |
| Invite and manage team members | Yes |
| Delete organization | No |
| Manage billing | No |
Best for: Co-founders, senior engineers, team leads
Member
Members can work with MQTT resources but cannot manage the team or organization.
| Capability | Detail |
|---|---|
| Create, edit, delete MQTT users | Yes |
| Create, edit, delete ACL rules | Yes |
| View and disconnect sessions | Yes |
| Invite team members | No |
| Change organization settings | No |
Best for: Developers, DevOps engineers, QA
Viewer
Viewers have read-only access for monitoring and observation.
| Capability | Detail |
|---|---|
| View all MQTT resources | Yes |
| View sessions and history | Yes |
| Export data for analysis | Yes |
| Create, edit, or delete | No |
Best for: Stakeholders, support staff, auditors
Changing roles
Upgrade a role
- Go to Settings → Team
- Find the member
- Click the role dropdown
- Select the new (higher) role
Downgrade a role
- Go to Settings → Team
- Find the member
- Click the role dropdown
- Select the new (lower) role
- Member loses access to actions immediately
Role changes take effect immediately. The member doesn't need to log out and back in.
Transferring ownership
Only the Owner can transfer ownership:
- Go to Settings → Organization
- Click Transfer Ownership
- Select the new Owner (must be an Admin)
- Confirm the transfer
- You become an Admin
Ownership transfer cannot be undone. The new Owner must manually transfer back if needed.
Best practices
Principle of least privilege
Give people only the access they need:
Developer needs to create MQTT users -> Member
Developer only needs to monitor -> ViewerRegular audits
Periodically review team access:
- Remove members who no longer need access
- Downgrade roles if responsibilities changed
- Ensure only necessary people have Admin
Multiple admins
Have at least two Admins:
- Ensures continuity if one leaves
- Provides backup for urgent changes
- Don't rely on single point of access
Viewer for external access
Use Viewer role for:
- Temporary consultants
- External auditors
- Stakeholders who need visibility
Next steps
- Inviting members - Add people to your team
- Team overview - Manage your team