Roles & Permissions
GuardMDM ships with three built-in roles that control what a user can see and do within an organization.
Role Overview
| Role | Access Level | Key Capabilities |
|---|---|---|
| Owner | Full | Manage billing, delete the organization, invite/remove users, change roles, all Admin capabilities |
| Admin | Write | Manage devices, groups, blueprints, invite users, edit organization settings |
| Read Only | View | Browse devices, groups, blueprints, and settings — no create, edit, or delete |
Owner
The owner has unrestricted access. Only an owner can:
- Change another user's role (including promoting someone to Owner)
- Delete the organization
- Manage billing and subscription
- Remove any user (except other Owners and Superadmins)
There must always be at least one Owner in the organization.
Admin
Admins handle day-to-day management:
- Enroll, unenroll, and wipe devices
- Create and edit device groups
- Create and edit blueprints
- Invite new users to the organization
- Edit organization display name and settings
Admins cannot manage billing, delete the organization, or change user roles.
Read Only
Read Only users can view everything but cannot modify anything. This role is useful for auditors, support staff who only need to check device status, or stakeholders who want visibility without risk of accidental changes.
Changing a User's Role
1. Go to Settings > People.
2. Find the user in the list.
3. Click the role dropdown next to their name.
4. Select the new role.

The change takes effect immediately; no confirmation dialog is shown.
Only users with the Owner role can change roles.
Role Protection
Certain users are protected from deletion and role demotion:
- Owner: An Owner cannot be removed or demoted by another Owner. To transfer ownership, the current Owner must first promote another user to Owner; the original Owner can then be removed.
- Superadmin: A system-level Superadmin (visible in the People list) cannot be deleted or have their role changed by any organization-level user. Superadmins are managed outside the organization.
Attempting to delete or demote a protected user will show an error message.
How Roles Affect the UI
The UI adapts to the user's role:
- Read Only users see all pages, but edit/delete buttons, action menus, and inline editing controls are hidden. Forms are rendered as read-only views.
- Admin users see all controls except billing and user management actions.
- Owner users see everything.
The same role restrictions are enforced on the server side: the API rejects write requests from users without the appropriate role, so client-side hiding is a convenience, not a security boundary.
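A sketch of the server-side check described above, added here as an example; it is not GuardMDM's own code. The action names, the user dict shape, and the rule that an Owner can only step down themselves while another Owner remains are assumptions, since the page does not specify them.

```python
from enum import IntEnum

class Role(IntEnum):
    READ_ONLY = 1
    ADMIN = 2
    OWNER = 3

# Minimum role per API action, following the role table (action names are hypothetical).
REQUIRED = {
    "device.view": Role.READ_ONLY,
    "device.wipe": Role.ADMIN,
    "blueprint.edit": Role.ADMIN,
    "user.invite": Role.ADMIN,
    "billing.manage": Role.OWNER,
    "org.delete": Role.OWNER,
    "user.remove": Role.OWNER,
    "user.change_role": Role.OWNER,
}
USER_ACTIONS = {"user.remove", "user.change_role"}

def authorize(actor, action, target=None, owner_count=1):
    """Server-side decision: returns (allowed, reason)."""
    required = REQUIRED.get(action)
    if required is None:
        return False, "unknown action"  # default deny for unmapped routes
    if actor["role"] < required:
        return False, f"requires {required.name}"
    if action in USER_ACTIONS:
        if target is None:
            return False, "target required"
        if target.get("superadmin"):
            return False, "superadmin is protected"
        if target["role"] == Role.OWNER:
            if target["id"] != actor["id"]:
                return False, "owner is protected"
            if owner_count <= 1:  # assumption: stepping down needs a second Owner
                return False, "last owner must remain"
    return True, "ok"

# Constructed sample users (not real accounts).
alice = {"id": 1, "role": Role.OWNER}
bob = {"id": 2, "role": Role.OWNER}
carol = {"id": 3, "role": Role.ADMIN}
dave = {"id": 4, "role": Role.READ_ONLY}
root = {"id": 9, "role": Role.ADMIN, "superadmin": True}

if __name__ == "__main__":
    for args in [(dave, "device.wipe"), (carol, "user.change_role", dave),
                 (alice, "user.remove", bob, 2), (alice, "user.remove", root, 2),
                 (alice, "user.change_role", alice, 1)]:
        print(args[1], "->", authorize(*args))
```

A check like this belongs in the API handler before any state change, so a request crafted outside the UI gets the same answer as one sent from a hidden button.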
