Access Roles is a feature of the Enterprise Edition. In the Community Edition and on the Free and Startup plans in the Cloud you can invite unlimited organization members as Owner.
Role hierarchy
Here are the different access permissions, ranked from highest to lowest access:
- Owner - Full organizational control
- Manager - Management access with some restrictions
- Billing - Billing and payment management only
- Member - Basic access to assigned projects
Role Permissions and Privilege Escalation Prevention
To prevent privilege escalation, the following rules apply:
- Owners can:
  - Invite users as owners, managers, or members
  - Assign roles up to owner level
- Managers can:
  - Invite users only as members
  - Assign roles up to member only, not manager or owner
- Members cannot:
  - Invite users
  - Assign roles
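
One way to enforce and audit the rules above, as an added example that is not Formbricks code: the role names, hierarchy and invite/assign limits come from the page, while the event shape and function names are hypothetical. It assumes "assign up to X" means any role at or below X in the hierarchy, and it takes the invite lists literally.

```typescript
// Added example, not Formbricks code; event shape and function names are hypothetical.
type Role = "owner" | "manager" | "billing" | "member";
interface RoleEvent { actor: string; actorRole: string; kind: "invite" | "assign"; newRole: string }

// Hierarchy from the page, highest to lowest: Owner, Manager, Billing, Member.
const RANK: Record<Role, number> = { owner: 3, manager: 2, billing: 1, member: 0 };
// Roles each actor may grant when inviting (the explicit lists on the page).
const INVITE_AS: Record<Role, Role[]> = {
  owner: ["owner", "manager", "member"], manager: ["member"], billing: [], member: [],
};
// Highest role each actor may assign; roles without an entry may assign nothing.
const ASSIGN_CEILING: Partial<Record<Role, Role>> = { owner: "owner", manager: "member" };

// Role strings come from requests or logs, so validate them at runtime.
// An own-property check keeps inherited names such as "toString" from passing.
function isRole(value: string): value is Role {
  return Object.prototype.hasOwnProperty.call(RANK, value);
}

// Returns null when the change is allowed, otherwise the reason it is denied.
// Fails closed: unknown roles and anything not explicitly permitted are denied.
function checkRoleChange(e: RoleEvent): string | null {
  const actorRole = e.actorRole, newRole = e.newRole;
  if (!isRole(actorRole) || !isRole(newRole)) return "unknown role";
  if (e.kind === "invite") {
    return INVITE_AS[actorRole].indexOf(newRole) !== -1 ? null : "invite not permitted";
  }
  const ceiling = ASSIGN_CEILING[actorRole];
  if (ceiling === undefined) return "actor may not assign roles";
  return RANK[newRole] <= RANK[ceiling] ? null : "assignment above allowed role";
}

// Lists "actor: reason" for every event that breaks the rules.
function findEscalations(events: RoleEvent[]): string[] {
  const out: string[] = [];
  for (const e of events) {
    const reason = checkRoleChange(e);
    if (reason !== null) out.push(`${e.actor}: ${reason}`);
  }
  return out;
}

// Constructed sample events (not real log data).
const sampleEvents: RoleEvent[] = [
  { actor: "alice", actorRole: "owner", kind: "invite", newRole: "manager" },
  { actor: "bob", actorRole: "manager", kind: "assign", newRole: "owner" },
  { actor: "carol", actorRole: "member", kind: "invite", newRole: "member" },
  { actor: "dave", actorRole: "toString", kind: "assign", newRole: "member" },
];
console.log(findEscalations(sampleEvents));
```

The same `checkRoleChange` function can serve as a server-side guard before a role change is written and as a filter over exported membership changes during a periodic review.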
Organization-level roles
All users and their organization-level roles are listed in Organization Settings > Access Control. Users can hold any of the following org-level roles:
Owner
- Have full access to the organization, its data, and settings
- Can perform Team Admin actions without needing to join the team
- Can manage all aspects of the organization including billing, integrations, and member management
Manager
- Have full management access to all teams and projects
- Can manage the organization’s membership (but can only invite or assign users as members)
- Can perform Team Admin actions without needing to join the team
- Cannot change other organization settings like billing or delete the organization
Billing
- Can manage payment and compliance details in the organization
- Have access to billing settings and subscription management
- Cannot access other organizational data or settings
Member
- Can view most data in the organization and act in the projects they are members of
- Cannot create or join projects on their own and need to be assigned by owners or managers
- Have limited permissions that depend on their project-level access
Detailed permissions matrix
Permission | Owner | Manager | Billing | Member |
---|---|---|---|---|
Organization | ||||
Update organization | ✅ | ❌ | ❌ | ❌ |
Delete organization | ✅ | ❌ | ❌ | ❌ |
Add new member | ✅ | ✅ | ❌ | ❌ |
Delete member | ✅ | ✅ | ❌ | ❌ |
Update member access | ✅ | ✅ | ❌ | ❌ |
Update billing | ✅ | ✅ | ✅ | ❌ |
Project | ||||
Create project | ✅ | ✅ | ❌ | ❌ |
Update project name | ✅ | ✅ | ❌ | ✅** |
Update project recontact options | ✅ | ✅ | ❌ | ✅** |
Update look & feel | ✅ | ✅ | ❌ | ✅** |
Update survey languages | ✅ | ✅ | ❌ | ✅** |
Delete project | ✅ | ✅ | ❌ | ❌ |
Surveys | ||||
Create new survey | ✅ | ✅ | ❌ | ✅* |
Edit survey | ✅ | ✅ | ❌ | ✅* |
Delete survey | ✅ | ✅ | ❌ | ✅* |
View survey results | ✅ | ✅ | ❌ | ✅ |
Response | ||||
Delete response | ✅ | ✅ | ❌ | ✅* |
Add tags on response | ✅ | ✅ | ❌ | ✅* |
Edit tags on response | ✅ | ✅ | ❌ | ✅* |
Download survey responses (CSV) | ✅ | ✅ | ❌ | ✅* |
Actions | ||||
Create action | ✅ | ✅ | ❌ | ✅* |
Update action | ✅ | ✅ | ❌ | ✅* |
Delete action | ✅ | ✅ | ❌ | ✅* |
API keys | ||||
Create API key | ✅ | ✅ | ❌ | ✅** |
Update API key | ✅ | ✅ | ❌ | ✅** |
Delete API key | ✅ | ✅ | ❌ | ✅** |
Tags | ||||
Create tags | ✅ | ✅ | ❌ | ✅* |
Update tags | ✅ | ✅ | ❌ | ✅* |
Delete tags | ✅ | ✅ | ❌ | ✅** |
Contacts | ||||
Delete contact | ✅ | ✅ | ❌ | ✅* |
Integrations | ||||
Manage integrations | ✅ | ✅ | ❌ | ✅* |
Best practices
- Principle of least privilege: Assign users the minimum role necessary for their responsibilities
- Regular audits: Periodically review organization members and their roles
- Owner role: Limit the number of owners to reduce security risk
- Manager role: Use for team leads who need to manage projects but not organizational settings