Every member of an organization has exactly one role. The role decides what they can see and what they can do across the organization and its projects.
There are five roles, from most powerful to least: Owner, Admin, Billing, Member, and Read-only. Pick the one that matches the smallest amount of access the person actually needs to do their job.
At a glance
| Role | Members | Billing | Security | Resources | Delete Org | Transfer Ownership |
|---|---|---|---|---|---|---|
| Owner | Full | Full | Full | Full | Yes | Yes |
| Admin | Full | Full | Full | Full | No | No |
| Billing | Full | Full | View | None | No | No |
| Technical | View | None | None | Partial | No | No |
| Read-Only | View | None | None | View | No | No |
Owner
Total control. Owners can:
- Transfer ownership to another member.
- Delete the organization.
- Change every other member's role, including making someone else an owner.
- Access every resource in every project, regardless of project assignment.
There must always be at least one owner. If you're the only owner and want to leave, you have to promote somebody else to owner first (see Transferring Ownership).
Each organization has exactly one owner at a time. Promoting someone to owner automatically demotes the current owner to admin.
Admin
An admin has the same access as an owner, with two important exceptions:
- An admin can't delete the organization.
- An admin can't change the role of an owner.
This is the right role for trusted senior colleagues - people who need broad operational access but shouldn't be able to dismantle the account. Most day-to-day organization management should be done by admins, leaving the owner role for one person who holds final authority.
Billing
The billing role is scoped purely to financial actions:
- Add or remove payment methods.
- Pay invoices.
- Request refunds.
- Add or use credits.
- View spend and invoice history.
Billing members can't order or operate servers, manage the team, or change security settings. Good fit for a finance teammate who needs to pay invoices and reconcile expenses without having any reach into operations.
Technical
The day-to-day operator role. A technical user can:
- Modify, access, and reinstall resources.
- See and act on resources, but only inside the projects they've been assigned to.
A technical user can't:
- Change billing details.
- Invite or remove other members.
- Modify organization-level security (like the 2FA requirement or claimed domains).
When you invite or edit a member, you pick which projects they can access. A member with no project assignments can't do anything useful - they'll see the organization in their switcher but won't have any projects to work in until you grant some.
Read-only
A read-only member sees everything a Technical Member would see in their assigned projects but can't make any changes. Every form, button, and action is locked.
Good fit for:
- Auditors or compliance reviewers.
- Read-replica monitoring tools that authenticate as a user.
- Stakeholders who want visibility without any risk of accidentally changing something.
How to change someone's role
You don't change a role from this page - you do it on the Team page:
- Find the member in the list.
- Click the pen button on the right side of their row.
- Pick the new role from the dropdown.
- Click the Save changes button.
The new role takes effect immediately. The member's existing session updates on its next request - they don't need to sign out and back in.
You need to be an owner or admin to change roles. Admins can't change an owner's role (only the owner can do that, by transferring ownership).
Picking the right role
- "They need to do everything a co-founder would do" > Admin.
- "They run our infrastructure and need to see and touch everything" > Admin.
- "They handle our finances and need to pay invoices, but not touch servers" > Billing.
- "They're a developer who works on certain projects but shouldn't see billing or security" > Member, assigned to the specific projects they work on.
- "An auditor needs read access for a compliance review" > Read-only.