Roles and permissions
Assign one or more roles to a user to control what they can see and do. A role is a
named bundle of permissions; a permission is a single domain.action capability such as
hardware.assign. You grant access by ticking roles on the user's form — there are no
per-user permission toggles.
The platform ships five fixed roles. You can't create, rename, or edit roles or their permission sets from the admin console, so this page focuses on choosing the right role for a person and applying it.
:::note Before you begin
- You need an admin role — Super admin, IT admin, or Admin — to open the admin console and reach People → Users.
- The person already has a user account in your workspace. To add one, see Users and teams.
- Only a Super admin can offboard another Super admin.
:::
The five roles
Each role's label, who it's for, and whether it reaches the admin console:
| Role | Label in the UI | For | Admin console |
|---|---|---|---|
| super-admin | Super admin | The workspace owner. Full access, including Settings and GDPR erasure. | Yes |
| it-admin | IT admin | IT staff who run the asset register day to day. Everything except Settings and GDPR erasure. | Yes |
| admin | Admin | HR and people-ops staff. Users, request approvals, GDPR export, and read-only asset views. | Yes |
| manager | Manager | Team leads. View their reports' equipment and approve their requests. | No — uses the My portal |
| employee | Employee | Everyone else. Request equipment and browse the catalog. | No — uses the My portal |
Manager and Employee don't open the admin console. They work entirely in the My portal. Reaching /admin requires Super admin, IT admin, or Admin.
A new user with no role ticked is created as an Employee.
What each role can do
Permissions are grouped by domain. The table below lists the actions each role holds per domain. Super admin holds every permission and is omitted for brevity.
| Domain | IT admin | Admin | Manager | Employee |
|---|---|---|---|---|
| Users | View, Create, Update, Delete, Import | View, Create, Update, Import | — | — |
| Hardware | View, Create, Update, Delete, Assign, Recover, Import | View | View | — |
| Software | View, Create, Update, Delete, Assign, Revoke, Import | View | View | — |
| Catalog | View, Create, Update, Delete | View | View | View |
| Requests | View, View own, Create, Approve, Reject, Fulfill, Cancel | View, Approve, Reject | View, View own, Create, Approve, Reject, Cancel | Create, View own, Cancel |
| Vendors | View, Manage | View | — | — |
| Locations | View, Manage | View | — | — |
| Categories | View, Manage | View | — | — |
| Audit log | View | View | — | — |
| GDPR | View, Export | View, Export | — | — |
| Settings | View | — | — | — |
Two capabilities are reserved for Super admin only and appear in no other role:
| Permission | What it gates |
|---|---|
| settings.manage | Changing workspace settings (branding, security policy, integrations, and the rest of Settings). IT admin can view Settings but not save changes. |
| gdpr.erase | Erasing a person's personal data for a GDPR request. Other roles can view and export, but only Super admin can erase. |
To see a role's full permission set in the console, open a user's Edit form, find the Roles & permissions card, and select a role row. It expands to list every domain the role touches and the actions it grants.
Assign roles to a user
You set roles from the user form. A user can hold several roles at once — their effective permissions are the union of every assigned role.
- Open People → Users in the sidebar and select the person, or select Add user to create one.
- On the form, find the Roles & permissions card in the right column.
- Tick each role to grant. Select a role's name to expand its permission list if you want to confirm what it covers.
- Select Save changes (or Create user).
The user's detail page then shows the assigned roles as indigo badges under Roles.
Roles control access only. They don't move equipment or send messages — assigning the IT admin role doesn't assign any assets, and removing it doesn't recover any.
Change or remove a role
To change someone's access, open their Edit form, adjust the ticked roles, and save. Removing every role leaves the user as a plain authenticated user with the Employee permission floor.
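The resolution rules described above (the union of every ticked role, the Employee floor for a user with no role, and the two capabilities reserved for Super admin) as an added Python example. This is not the platform's own code: the ROLE_PERMISSIONS table transcribes the per-domain tables on this page into domain.action strings, and the function names and the exact permission strings (for example requests.view_own and audit_log.view) are assumptions chosen for illustration. Whether the Employee set also underlies the admin roles is not stated on this page, so the example applies it only to a user with no role at all.

```python
"""Permission resolution for the five built-in roles.

Added example, not the platform's code. ROLE_PERMISSIONS transcribes the
per-domain tables on the page; permission strings and function names are
assumptions chosen for illustration.
"""
from __future__ import annotations

# Permission strings use the page's domain.action form, e.g. "hardware.assign".
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "employee": frozenset({
        "catalog.view",
        "requests.create", "requests.view_own", "requests.cancel",
    }),
    "manager": frozenset({
        "hardware.view", "software.view", "catalog.view",
        "requests.view", "requests.view_own", "requests.create",
        "requests.approve", "requests.reject", "requests.cancel",
    }),
    "admin": frozenset({
        "users.view", "users.create", "users.update", "users.import",
        "hardware.view", "software.view", "catalog.view",
        "requests.view", "requests.approve", "requests.reject",
        "vendors.view", "locations.view", "categories.view",
        "audit_log.view", "gdpr.view", "gdpr.export",
    }),
    "it-admin": frozenset({
        "users.view", "users.create", "users.update", "users.delete", "users.import",
        "hardware.view", "hardware.create", "hardware.update", "hardware.delete",
        "hardware.assign", "hardware.recover", "hardware.import",
        "software.view", "software.create", "software.update", "software.delete",
        "software.assign", "software.revoke", "software.import",
        "catalog.view", "catalog.create", "catalog.update", "catalog.delete",
        "requests.view", "requests.view_own", "requests.create", "requests.approve",
        "requests.reject", "requests.fulfill", "requests.cancel",
        "vendors.view", "vendors.manage", "locations.view", "locations.manage",
        "categories.view", "categories.manage",
        "audit_log.view", "gdpr.view", "gdpr.export",
        "settings.view",
    }),
}

# The two capabilities the page reserves for Super admin and no other role.
SUPER_ADMIN_ONLY = frozenset({"settings.manage", "gdpr.erase"})

# Super admin holds every permission: everything the other roles have, plus the two above.
ROLE_PERMISSIONS["super-admin"] = frozenset().union(*ROLE_PERMISSIONS.values()) | SUPER_ADMIN_ONLY

# Only these roles reach /admin; Manager and Employee use the My portal.
ADMIN_CONSOLE_ROLES = frozenset({"super-admin", "it-admin", "admin"})


def effective_permissions(roles):
    """Union of every assigned role. No roles at all means the Employee floor."""
    unknown = set(roles) - set(ROLE_PERMISSIONS)
    if unknown:
        # The user form accepts only the five built-in role names.
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    if not roles:
        return ROLE_PERMISSIONS["employee"]
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def has_permission(roles, permission):
    """True if any assigned role grants the domain.action permission."""
    return permission in effective_permissions(roles)


def can_open_admin_console(roles):
    """Admin-console access is decided by role name, not by individual permissions."""
    return bool(ADMIN_CONSOLE_ROLES & set(roles))


if __name__ == "__main__":
    for roles in ([], ["manager"], ["admin"], ["it-admin"], ["super-admin"]):
        print(roles or "(no role)", "admin console:", can_open_admin_console(roles),
              "settings.manage:", has_permission(roles, "settings.manage"))
```

The check worth keeping from this is the last one: admin-console access and the settings.manage / gdpr.erase gates are decided by which roles are ticked, so a user who holds Admin plus Manager gets the union of both tables but still cannot save Settings or erase data.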
When you change a user's roles or set their status to anything other than Active, the platform immediately signs out every open browser session for that user. They land on the sign-in page on their next request, so revoked access takes effect at once rather than when their session would have expired.
Roles granted by your identity provider (SCIM)
If you provision users with SCIM, you can map an identity-provider group to an OnTrackio role so membership changes apply roles automatically. Configure the mappings under Settings → Integrations → SCIM Provisioning.
A role's origin is tracked per user:
| Provenance | Meaning | Behaviour on group change |
|---|---|---|
| Manual | An admin ticked the role on the user form. | Never auto-revoked. Survives SCIM group churn. |
| SCIM | The role came from a SCIM group → role mapping. Shown with a via SCIM badge on the user's Roles card. | Auto-granted when the user joins a mapped group; auto-revoked when they leave it or the mapping is deleted. |
To pin a SCIM-granted role so it can't be auto-revoked, open the user's Edit form and select Save changes without changing the roles. Saving re-tags every role on that user as manual, which locks them against future SCIM membership changes. This is all-or-nothing and one-way: every SCIM-granted role on the user becomes manual, not just the one you meant to pin, and from then on leaving the mapped group no longer removes it, so an admin has to untick it by hand. Because any save from the form has this effect, saving a SCIM-managed user for an unrelated edit also pins their roles; check the via SCIM badges on the Roles card before you save.
For the full setup, see SCIM provisioning.
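The provenance rules in the table above and the pinning behaviour, as an added Python example that is not the platform's code. It models a user's roles as a name → provenance map and applies the rules on a membership change: a mapped group grants its role tagged SCIM, only SCIM-tagged roles are revoked when the user leaves the group or the mapping is deleted, a manually ticked role survives group churn, and a save from the user form re-tags everything as manual. The User class, the reconcile_scim and save_user_form names, and the group and role names used in the walkthrough are assumptions.

```python
"""Role provenance under SCIM group → role mapping.

Added example, not the platform's code. Models the Manual / SCIM provenance
rules on this page; class and function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MANUAL = "manual"  # an admin ticked the role on the user form
SCIM = "scim"      # the role came from a SCIM group → role mapping


@dataclass
class User:
    name: str
    # role name -> provenance (MANUAL or SCIM)
    roles: dict = field(default_factory=dict)


def reconcile_scim(user, groups, mappings):
    """Apply the SCIM rules to one user after a membership or mapping change.

    groups:   set of identity-provider groups the user currently belongs to.
    mappings: dict of group -> role, the configured SCIM group → role mappings.
    Returns (granted, revoked) role names so the caller can log them.
    """
    wanted = {role for group, role in mappings.items() if group in groups}
    granted, revoked = [], []

    # Auto-grant: joining a mapped group adds the role tagged SCIM.
    # A role the admin already ticked manually keeps its manual tag.
    for role in wanted:
        if role not in user.roles:
            user.roles[role] = SCIM
            granted.append(role)

    # Auto-revoke: only SCIM-tagged roles are removed, and only when no current
    # mapped group still grants them. Leaving the group and deleting the mapping
    # both end up here. Manual roles are never touched.
    for role, origin in list(user.roles.items()):
        if origin == SCIM and role not in wanted:
            del user.roles[role]
            revoked.append(role)

    return sorted(granted), sorted(revoked)


def save_user_form(user, ticked_roles):
    """Admin selects Save changes: the ticked set wins and every role becomes manual.

    Saving with the roles unchanged is exactly the pinning step from the page.
    """
    user.roles = {role: MANUAL for role in ticked_roles}
    return user


def roles_card(user):
    """What the Roles card shows: the role name, with 'via SCIM' where it applies."""
    return [f"{r} (via SCIM)" if o == SCIM else r for r, o in sorted(user.roles.items())]


if __name__ == "__main__":
    # Constructed walkthrough: one mapping, one user who joins and then leaves.
    mappings = {"it-staff": "it-admin"}
    alice = User("alice", {"employee": MANUAL})
    print(reconcile_scim(alice, {"it-staff"}, mappings), roles_card(alice))
    save_user_form(alice, set(alice.roles))          # pin: re-save without changes
    print(reconcile_scim(alice, set(), mappings), roles_card(alice))  # nothing revoked
```

The walkthrough at the bottom shows the trap the page warns about: after the re-save, leaving the it-staff group no longer revokes it-admin, and the via SCIM badge is gone, so nothing on the Roles card reminds you that the role used to be group-managed.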
Verify
- The user's detail page lists the expected roles as badges under Roles.
- Admin roles can open the admin console; Manager and Employee are redirected to the My portal.
- A role you removed no longer appears on the user, and the person is signed out of any open sessions.
Troubleshooting
| Symptom | What to do |
|---|---|
| A teammate can't reach /admin | Grant Super admin, IT admin, or Admin. Manager and Employee use the My portal only. |
| Save changes rejects the role | The form accepts only the five built-in role names. You can't type a custom role; tick one from the list. |
| An admin can save Settings but a colleague can't | Saving Settings needs Super admin (settings.manage). IT admin can view Settings but not save. |
| The GDPR erase action is greyed out | Erasure is Super admin only (gdpr.erase). Other roles can still view and export. |
| You can't offboard a teammate who is a Super admin | Only a Super admin can offboard another Super admin. Ask one to do it. Granting yourself Super admin just for this widens your own standing access; if no Super admin is available and you must, remove the role from yourself again as soon as the offboarding is done. |
| You can't delete your own account | The console blocks deleting the account you're signed in as. Have another admin do it. |
| A role shows a via SCIM badge you didn't add | It was granted by a SCIM group mapping. Re-save the user to lock it, or remove the mapping under Settings → Integrations → SCIM Provisioning. |