Users

Rollstack is designed with collaboration at its core, offering a structured RBAC system that caters to various needs and responsibilities within your organization. From managing content and syncs to overseeing users and billing, our platform ensures that every team member has the access they need to contribute effectively, without compromising on control or security.

This guide provides a detailed overview of the available roles within organizations, each tailored to a different level of responsibility and access. Whether you're adding destinations, managing data syncs, or overseeing the entire account, understanding these roles will help you maximize your team's productivity and safeguard your data.

By clearly defining what each role can and cannot do, we aim to empower our users to collaborate more efficiently while maintaining the integrity and security of their work. Read on to discover which role aligns with your needs and how you can leverage our platform's capabilities to enhance your team's collaboration.

All resources can be managed both at the user level and organization level.

Roles

There are three separate roles in Rollstack:

Owner

An Owner role encompasses all the permissions of an Admin, with the additional authority to manage billing information. This role is typically reserved for those responsible for the overall account and financial aspects of using the platform.

Admin

An Admin has all the capabilities of Members, with expanded permissions that include administrative tasks such as adding or deleting users, changing user roles, and managing data sources. This role is designed to facilitate the day-to-day management and governance of the platform at a higher level than Members.

For optimal security and accessibility, we recommend making the admin of your connected data source a Rollstack Admin as well. This ensures:

  • Credential Access: Admins can readily access and update relevant credentials within both systems as needed.
  • Security Integrity: The adherence to data security rules is seamlessly maintained.

Team Member

The Team Member role focuses on the operational aspects of managing content. Team Members can add new destinations or manage existing ones, and add or manage their syncs. They can also manage resources shared with them, but only within the permissions (viewer or editor) granted by the resource sharer.

Permissions

Here is an overview of all the permissions for each user role.

Each permission covers the Create, Read, Update, and Delete (CRUD) operations.

| Permission | Scope |
| --- | --- |
| Destinations & Syncs | All owned resources. This does not apply to shared resources with Viewer role. |
| Users | Applies to User, User Roles, and User Invitations |
| Data sources | This can apply to both the organization-level data sources & user-specific credentials |
| Billing | Can manage the organization's billing |

For each role, here is the scope of each permission

Role

Destinations

Syncs

Users

Data Sources

Billing

Member

Admin

Owner



Managing Users

The following only applies to Admin & Owner roles.

You can manage access to your organization, including users and their respective roles, in the Organization page.

  1. Click on Settings on the left panel
  2. Click on the Organization tab
  3. Go to the Members section


Here you can add/delete users, and modify their roles.

Domain Restriction

Organization administrators have the ability to implement domain restrictions for user authentication. This feature allows for precise control over which email domains are permitted for login and invitations within the organization.

  1. Authorized Domains: Admins can specify a list of approved email domains.
  2. Scope of Restriction:
    • Applies to all new user invitations
    • Affects all login attempts
    • Impacts Google Drive and Microsoft SharePoint authorizations
  3. Enforcement:
    • Users attempting to log in or accept invitations with non-approved email domains will be automatically rejected.
    • Google Drive or Microsoft SharePoint accounts associated with non-approved domains cannot be connected to the organization.
  4. Default Setting:
    • By default, the list of approved domains is empty.
    • When no domains are specified, there are no restrictions on email accounts used within the organization.
    • In this default state, administrators can invite users with any email domain.

When domain restrictions are in place, all user authentication processes—including invitations, logins, and third-party service connections—are validated against the approved domain list.
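
Before turning the restriction on, it helps to see which current accounts would be rejected at their next login. The sketch below is an added example, not Rollstack code: the function names, the sample addresses, and the exact-match comparison (a subdomain of an approved domain is not treated as approved) are assumptions.

```python
from typing import Iterable, List, Optional


def email_domain(address: str) -> Optional[str]:
    """Return the lowercased domain of an address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "@" in local or "." not in domain:
        return None
    # Drop a trailing dot (fully qualified form) and normalise case.
    return domain.rstrip(".").lower() or None


def is_allowed(address: str, approved_domains: Iterable[str]) -> bool:
    """Apply the documented rule: an empty list means no restriction;
    otherwise the address domain must be on the approved list."""
    approved = {d.strip().lower() for d in approved_domains if d.strip()}
    if not approved:
        return True  # documented default state: any email domain is accepted
    domain = email_domain(address)
    # Exact match only (assumption): suffix or substring matching would let
    # "example.com.lookalike.test" pass for "example.com".
    return domain is not None and domain in approved


def audit(members: Iterable[str], approved_domains: Iterable[str]) -> List[str]:
    """List the addresses that would be rejected once the list is enforced."""
    return sorted(m for m in members if not is_allowed(m, approved_domains))


# Constructed sample data, not taken from any real organization.
MEMBERS = [
    "alice@example.com",
    "Bob@EXAMPLE.com",                   # same domain, different case
    "carol@partner.example",             # external collaborator
    "dave@example.com.lookalike.test",   # approved name used as a prefix
    "erin@mail.example.com",             # subdomain of an approved domain
    "not-an-email",                      # malformed entry
]
APPROVED = ["example.com"]

if __name__ == "__main__":
    for address in audit(MEMBERS, APPROVED):
        print("would be rejected:", address)
```

Running the audit against the intended list before saving it shows which collaborators need their domain added, or their access removed on purpose, rather than discovering it from failed logins.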