Managing Team Roles & Permissions
Phase 9 — Security & Access Control · OpenFrame Onboarding
Who's on your team, and what can they do? This guide covers the people side of access control in OpenFrame — adding technicians, understanding the roles, and removing access when someone leaves. It pairs with AI Guardrails & Approval Policies (next), which controls what the AI can do on each person's behalf.
Before you start
- You need an Admin or Owner role.
- Find it under Settings → Employees & Permissions.
The roles
OpenFrame keeps roles deliberately simple:
- Owner — the account creator. Full control over the workspace, including billing and the things only an owner should touch. There's one, and it's set when the workspace is created.
- Admin — full operational access to run the platform: devices, scripts, monitoring, tickets, remote access, and settings. This is the role your technicians get.
When you invite someone, they come in as an Admin — that's the assignable role for team members. Owner stays with whoever created the workspace.
Add a technician
- Go to Settings → Employees & Permissions.
- Click Add Users (top right).
- In Add Employees, enter the person's email, leave the Role as Admin, and use Add More Users to invite several at once.
- Click Send Invites. They'll get an invitation email to register and set up their own login.
If you've connected an identity provider (Phase 8) with auto-provisioning on, people from your allowed domain can also be created automatically on first SSO sign-in — no manual invite needed.
Review who has access
The Employees & Permissions list shows every user with their Role and Status (Active / Deleted). Make this a habit — a quarterly look down the list catches the contractor who rolled off three months ago and still has Admin.
Click the arrow on any row to open that person's detail page (name, email, role, status).
Remove access
When someone leaves, kill their access promptly. Open the user's detail page → "…" menu → Delete. Their status flips to Deleted and they can no longer sign in.
Deprovisioning is the step teams forget. An old Admin account is exactly the kind of thing that turns into an incident — make removing access part of your offboarding checklist, not an afterthought.
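One way to run the quarterly review and the offboarding check as a repeatable step (an added example, not OpenFrame code): compare the Employees & Permissions list against your current staff roster and flag Active accounts that should not be there. It assumes you have transcribed the list into a CSV with email, role and status columns; the column names, the sample addresses and the allowed domain are all constructed for illustration.

```python
import csv
import io

# Constructed sample: the Employees & Permissions list transcribed to CSV.
# Column names are an assumption; the page only names Role and Status.
EMPLOYEES_CSV = """email,role,status
dana@example-msp.test,Owner,Active
lee@example-msp.test,Admin,Active
sam@example-msp.test,Admin,Deleted
contractor@gmail.test,Admin,Active
pat@example-msp.test,Admin,Active
"""

# Constructed sample: current staff from your HR roster or offboarding tracker.
CURRENT_STAFF = {"dana@example-msp.test", "lee@example-msp.test"}
ALLOWED_DOMAIN = "example-msp.test"  # hypothetical allowed domain


def review_access(employees_csv, current_staff, allowed_domain):
    """Return (email, reason) findings for accounts that need a closer look."""
    staff = {e.strip().lower() for e in current_staff}
    findings = []
    owners = 0
    for row in csv.DictReader(io.StringIO(employees_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip()
        status = row["status"].strip()
        if status != "Active":
            continue  # Deleted accounts can no longer sign in
        if role == "Owner":
            owners += 1
        if email not in staff:
            findings.append((email, "active but not on current staff roster"))
        if email.rsplit("@", 1)[-1] != allowed_domain:
            findings.append((email, "outside allowed domain"))
    if owners != 1:  # the page states there is exactly one Owner
        findings.append(("-", f"expected exactly one active Owner, found {owners}"))
    return findings


if __name__ == "__main__":
    for email, reason in review_access(EMPLOYEES_CSV, CURRENT_STAFF, ALLOWED_DOMAIN):
        print(f"{email}: {reason}")
```

Each finding is a prompt to open that user's detail page and either confirm the account or delete it.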
Quick checklist
- Opened Settings → Employees & Permissions
- Understood Owner (creator) vs Admin (your team)
- Added technicians via Add Users → Send Invites
- Reviewed the list for stale or unexpected accounts
- Removed access for anyone who has left ("…" → Delete)
What's next
People are sorted. Next, control what the AI is allowed to do for them: AI Guardrails & Approval Policies sets the approval rules behind Mingo.
Based on OpenFrame v0.9.19. Roles and the permission model evolve between releases — what's in your console wins.
