Roles & Permissions
QuivaWorks provides five predefined roles to help you control access levels across your team. This guide details what each role can and cannot do.Role Overview
Root
1-2 per accountComplete control including account closure
Admin
Few per accountFull management except closure
Billing
Finance teamFinancial management only
Developer
Technical teamBuild and deploy resources
Monitor
StakeholdersView-only access
Detailed Role Permissions
Root
Recommendation: Limit Root role to 1-2 people (typically account owner and backup). Root users have unrestricted access to everything.
- ✅ Close/delete the account permanently
- ✅ Change root email address
- ✅ Rename account
- ✅ Modify mesh configuration
- ✅ Update company details
- ✅ Add and remove users
- ✅ Modify all user roles (including other Admins)
- ✅ Suspend and reactivate users
- ✅ View and issue recovery codes
- ✅ Terminate user sessions
- ✅ Delete users
- ✅ View billing information
- ✅ Change plans and pricing
- ✅ Update payment methods
- ✅ Access invoices
- ✅ Cancel subscriptions
- ✅ Create and manage agents
- ✅ Create and manage flows
- ✅ Create and manage MCP servers
- ✅ Access all storage and data
- ✅ Deploy and configure resources
- ✅ View monitoring and logs
- ✅ View all user sessions
- ✅ Manage API keys (own and others)
- ✅ Configure security settings
- ✅ Access audit logs (when available)
Admin
Recommendation: Assign to trusted team leads and IT staff who need full operational control but shouldn’t be able to close the account.
- ❌ Cannot close/delete the account
- ❌ Cannot change root email address
- ✅ Rename account
- ✅ Modify mesh configuration
- ✅ Update company details
- ✅ Add and remove users
- ✅ Modify user roles (except Root)
- ✅ Suspend and reactivate users
- ✅ View and issue recovery codes (except Root)
- ✅ Terminate user sessions
- ✅ Delete users
- ✅ View billing information
- ✅ Change plans and pricing
- ✅ Update payment methods
- ✅ Access invoices
- ✅ Cancel subscriptions
- ✅ Create and manage agents
- ✅ Create and manage flows
- ✅ Create and manage MCP servers
- ✅ Access all storage and data
- ✅ Deploy and configure resources
- ✅ View monitoring and logs
- ✅ View all user sessions
- ✅ Manage API keys (own and others)
- ✅ Configure security settings
- ✅ Access audit logs (when available)
- Cannot close the account
- Cannot change root email address
- Cannot view Root user’s recovery codes
Billing
Recommendation: Assign to finance team members who need to manage payments and subscriptions but don’t need technical access.
- ❌ Cannot close/delete account
- ❌ Cannot modify account settings
- ✅ View company/billing details only
- ❌ Cannot add or remove users
- ❌ Cannot modify user roles
- ❌ Cannot access user management
- ✅ View billing information
- ✅ Change plans and pricing
- ✅ Update payment methods
- ✅ Access and download invoices
- ✅ View billing history
- ✅ Cancel subscriptions
- ✅ Update tax information
- ❌ Cannot create or manage agents
- ❌ Cannot create or manage flows
- ❌ Cannot create or manage MCP servers
- ❌ Cannot access storage or data
- ❌ Cannot deploy resources
- ❌ Cannot view monitoring or logs
- ❌ Cannot view user sessions
- ❌ Cannot manage API keys
- ❌ Cannot configure security settings
- CFO or finance director
- Accounting team member
- External accountant with limited access
Developer
Recommendation: Assign to technical team members who build and deploy agents, flows, and integrations.
- ❌ Cannot close/delete account
- ❌ Cannot modify account settings
- ❌ Cannot access account management
- ❌ Cannot add or remove users
- ❌ Cannot modify user roles
- ❌ Cannot access user management
- ❌ Cannot view billing information
- ❌ Cannot modify plans or payment
- ❌ Cannot access invoices
- ✅ Create and manage agents
- ✅ Create and manage flows
- ✅ Create and manage MCP servers
- ✅ Access storage and data
- ✅ Deploy and configure resources
- ✅ View monitoring and logs for their resources
- ✅ Access marketplace and install items
- ✅ View own sessions
- ✅ Manage own API keys
- ✅ Configure own MFA settings
- ❌ Cannot view other users’ sessions
- ❌ Cannot manage others’ API keys
- Software engineers
- DevOps team members
- Integration developers
- Automation specialists
Monitor
Recommendation: Assign to stakeholders who need visibility into operations without the ability to make changes.
- ❌ Cannot access account management
- ❌ View-only access to account details
- ❌ Cannot access user management
- ❌ Cannot access billing
- ❌ Cannot create resources
- ❌ Cannot modify existing resources
- ❌ Cannot delete resources
- ✅ View agents and configurations
- ✅ View flows and workflows
- ✅ View MCP servers
- ✅ View monitoring dashboards
- ✅ View logs and metrics
- ✅ View own sessions
- ❌ Cannot create API keys
- ✅ Configure own MFA settings
- Product managers
- Business analysts
- External consultants
- Auditors
- Executive stakeholders
Permission Matrix
Quick reference for common actions:| Action | Root | Admin | Billing | Developer | Monitor |
|---|---|---|---|---|---|
| Close account | ✅ | ❌ | ❌ | ❌ | ❌ |
| Add users | ✅ | ✅ | ❌ | ❌ | ❌ |
| Modify roles | ✅ | ✅* | ❌ | ❌ | ❌ |
| View billing | ✅ | ✅ | ✅ | ❌ | ❌ |
| Change plans | ✅ | ✅ | ✅ | ❌ | ❌ |
| Create agents | ✅ | ✅ | ❌ | ✅ | ❌ |
| Deploy flows | ✅ | ✅ | ❌ | ✅ | ❌ |
| View monitoring | ✅ | ✅ | ❌ | ✅ | ✅ |
| Manage API keys | ✅ | ✅ | ❌ | Own only | ❌ |
| View sessions | ✅ | ✅ | ❌ | Own only | Own only |
Best Practices
Applying Least Privilege
Start with Minimum Access
Start with Minimum Access
Always assign the least privileged role that allows someone to do their job:
- New team member needs to view dashboards? Start with Monitor
- Developer needs to build agents? Assign Developer (not Admin)
- Finance needs to manage billing? Assign Billing (not Admin)
Limit Root and Admin Assignments
Limit Root and Admin Assignments
Keep these powerful roles restricted:
- Root: 1-2 people maximum (owner + backup)
- Admin: Only senior team leads and IT staff
- Billing: Finance team only
Regular Role Audits
Regular Role Audits
Review user roles quarterly:
- Does each person still need their current access level?
- Have job responsibilities changed?
- Are there unused accounts to remove?
- Should anyone be downgraded to a less privileged role?
Temporary Elevated Access
Temporary Elevated Access
Need to grant temporary elevated access?
- Upgrade the user’s role
- Set a calendar reminder to downgrade
- Downgrade as soon as the task is complete
- Document why access was needed
Role Assignment Scenarios
- Small Team (2-5 people)
- Growing Team (6-20 people)
- Large Organization (20+ people)
Recommended structure:
- 1 Root (founder/owner)
- 1-2 Developers (technical team)
- 0-1 Admin (if needed for user management)
Resource Sharing
All resources (agents, flows, MCP servers) are shared across your entire account. Role permissions determine what users can do with these resources, not whether they can see them.
- Root/Admin: Full access to all resources regardless of who created them
- Developer: Can create, modify, and delete resources (including those created by others)
- Monitor: Can view all resources but cannot modify anything
- Billing: Cannot access resources at all
Changing Roles
How to Update a User’s Role
Only Root and Admin users can change roles:1
Navigate to Users
Go to Account Management → Users
2
Select User
Click on the user’s email address
3
Change Role
Select the new role from the dropdown
4
Confirm
Click “Update Role”
Restrictions
- You cannot change your own role
- Admin users cannot change Root user’s role
- Admin users cannot assign the Root role to others
- Only Root users can create or modify other Root users
Security Considerations
Require MFA for Elevated Roles
Critical: All Root and Admin users must enable MFARecommended: All Developer users should enable MFASet up MFA →
Monitor Privileged Actions
Regularly review actions taken by Root and Admin usersWhen available, use audit logs to track administrative changes
Offboarding Process
When users leave:
- Suspend account immediately
- Terminate all sessions
- Delete API keys
- Remove user within 24 hours
Secure Recovery Codes
Root users: Store recovery codes in a secure, accessible locationCannot be recovered by Admins if lost
Frequently Asked Questions
Can I create custom roles?
Can I create custom roles?
No, QuivaWorks provides five predefined roles. These roles cover most use cases. For Enterprise customers with specific needs, contact us about custom permissions.
How many Root users can I have?
How many Root users can I have?
Technically unlimited, but we strongly recommend limiting to 1-2 people (account owner and one backup). The Root role has unrestricted access including account deletion.
Can Developers see billing information?
Can Developers see billing information?
No, only Root, Admin, and Billing roles can access billing information. Developers focus on technical resources only.
What happens if I'm the only Root user and lose access?
What happens if I'm the only Root user and lose access?
This is why we recommend having a backup Root user. If you’re the only Root and lose access (lost MFA device, forgotten password, no recovery codes), recovery is extremely difficult. Always maintain:
- Secure recovery codes
- At least one backup Root user
- Working MFA device
Can Monitor users execute flows?
Can Monitor users execute flows?
No, Monitor role is strictly view-only. They can see flows and their configurations but cannot execute them, modify them, or trigger them.
Why can't I see billing information?
Why can't I see billing information?
Your role doesn’t have billing access. Only Root, Admin, and Billing roles can view billing. Ask an Admin to either give you information or change your role.