Roles & permissions
Changing roles, owner-specific rules, and removing users
SigSentry has four roles: owner, admin, member, and viewer. This page covers the rules around assigning and changing roles, and what happens when you remove a user. For the full permission matrix — exactly which actions each role can perform — see Roles & permissions in concepts.
The four roles at a glance
| Role | Summary |
|---|---|
| Owner | Full control of the organization. Set when the organization is created; only one per org. |
| Admin | Manage team and project configuration. Cannot delete projects or transfer ownership. |
| Member | Run analyses and configure projects. Cannot manage team or billing. |
| Viewer | Read-only access. Can browse analyses and configuration but cannot change anything or run analyses. |
For the action-by-action matrix, see /guide/concepts/roles-permissions.
Changing a role
Roles are changed inline from the Members table on the Organization → Team page. The role column shows a dropdown for users you're allowed to edit.
Who can change roles
| Acting role | Can change roles for |
|---|---|
| Owner | Anyone except themselves and any other owner |
| Admin | Any member, viewer, or other admin — not the owner, not themselves |
| Member | Nobody |
| Viewer | Nobody |
A role change takes effect immediately. The affected user's next action is gated by their new role; if they're currently in the dashboard, the next page load reflects the change.
Every role change is recorded in the Audit log with the actor, the affected user, and the old and new roles.
Owner-specific rules
The owner role has a few hard restrictions that prevent you from locking yourself out of your own organization:
- You cannot invite someone as owner. Owner is set exclusively when the organization is created. Invitations only allow admin, member, or viewer.
- The owner's role cannot be changed from the dashboard. The dropdown is disabled in the Members table for the owner row.
- There is exactly one owner per organization. No co-owners, no multiple owners.
- Ownership transfer requires support. If you need to hand the organization to a different person — for example, the original owner is leaving the company — contact support. Transfers are done manually to prevent accidental hand-offs.
If you're the sole admin or owner and you remove yourself or change your own role, the action is blocked. There must always be at least one user with team:manage permission.
Removing a user
Removing a user revokes their access to the organization immediately. You'll find the Remove action in the Actions column of the Members table.
Click Remove
A confirmation dialog appears. It tells you the user's name, email, and what removal does — read it before confirming.
Confirm
After confirmation, the user is signed out of any active sessions and can no longer log in to your organization. Their row disappears from the Members table.
What happens to their work
| Resource | Effect of removal |
|---|---|
| Past analyses they triggered | Stay in the project; the actor name persists in the analysis record |
| Projects they created | Stay in the organization — projects are owned by the organization, not the individual |
| API keys they created | Continue to work — keys are scoped to the organization, not the user. Rotate them separately if you want them revoked |
| Channels, sources, watchdog rules they configured | Stay in place; their resources are not deleted |
| Audit-log entries for actions they took | Retained per your plan's audit-log retention policy |
In short: removing a user is a revocation of access, not a deletion of their work. If you need to clean up resources they owned, do that explicitly before or after removal.
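Because API keys keep working after their creator is removed, an offboarding review should list the keys a removed user created that have not been rotated since the removal. The following is an added example, not SigSentry code: the record shapes and field names (`removed_at`, `created_by`, `last_rotated_at`) and all sample values are constructed assumptions, to be replaced with whatever your own member and key inventory provides.

```python
from datetime import datetime

# Constructed sample data. The field names are assumptions for this example,
# not a SigSentry export format.
REMOVALS = [
    {"user": "dana@example.com", "removed_at": "2024-05-02T09:00:00+00:00"},
    {"user": "lee@example.com", "removed_at": "2024-06-10T14:30:00+00:00"},
]
API_KEYS = [
    {"key_id": "key-ci", "created_by": "dana@example.com",
     "created_at": "2024-01-15T08:00:00+00:00", "last_rotated_at": None},
    {"key_id": "key-deploy", "created_by": "dana@example.com",
     "created_at": "2024-02-01T08:00:00+00:00",
     "last_rotated_at": "2024-05-03T10:00:00+00:00"},
    {"key_id": "key-report", "created_by": "lee@example.com",
     "created_at": "2024-03-01T08:00:00+00:00",
     "last_rotated_at": "2024-04-01T08:00:00+00:00"},
    {"key_id": "key-ops", "created_by": "sam@example.com",
     "created_at": "2024-03-05T08:00:00+00:00", "last_rotated_at": None},
]


def keys_needing_rotation(removals, api_keys):
    """Return IDs of keys a removed user created whose secret has not
    changed since the removal, so the user may still hold a working copy."""
    removed_at = {}
    for r in removals:
        ts = datetime.fromisoformat(r["removed_at"])
        user = r["user"].lower()
        # If a user was removed more than once (re-invited), keep the latest.
        removed_at[user] = max(ts, removed_at.get(user, ts))
    stale = []
    for key in api_keys:
        cutoff = removed_at.get(key["created_by"].lower())
        if cutoff is None:
            continue  # creator is not in the removal list
        # The secret last changed at rotation, or at creation if never rotated.
        changed = datetime.fromisoformat(key["last_rotated_at"] or key["created_at"])
        if changed <= cutoff:
            stale.append(key["key_id"])
    return sorted(stale)


if __name__ == "__main__":
    for key_id in keys_needing_rotation(REMOVALS, API_KEYS):
        print(f"rotate: {key_id}")
```
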
Cannot remove
- The owner — see ownership transfer above
- Yourself — sign out instead, or have another admin remove you if you're truly leaving the organization
Related
- Invitations — adding users
- Audit log — reviewing role and member changes
- API keys — keys are revoked separately from users
