Team Roles & Permissions
Set up the right level of access for every person on your team so they can do their job without exposing sensitive settings.
Overview of Roles
MASK uses a role-based access control system. Every member of a workspace is assigned exactly one role that determines what they can see and do. There are six roles, each designed for a specific function within a team:
- Owner — Full control over the workspace, including billing and the ability to delete the workspace entirely.
- Admin — Nearly full control, including managing members and settings, but cannot delete the workspace or transfer ownership.
- Editor — Can create, edit, and delete links, bio pages, QR codes, and campaigns, but cannot change workspace settings or manage members.
- Analyst — Read-only access to all content and full access to analytics. Cannot create or modify links or settings.
- Billing — Access to billing settings, invoices, and plan management. Cannot see or modify links, pages, or analytics.
- Developer — Access to API keys, webhooks, and integration settings. Can also create and manage links programmatically.
The Six Roles in Detail
Owner: Every workspace has exactly one Owner. The Owner is the person who created the workspace and has unrestricted access to every feature, including billing, member management, domain configuration, and the ability to delete the workspace. Ownership can be transferred to another Admin from the workspace settings page, but the transfer requires email confirmation from both parties.
Admin: Admins are trusted team leads who can manage day-to-day operations. They can invite and remove members, change roles (except promoting someone to Owner), configure domains, and manage all content. The only things an Admin cannot do are delete the workspace, transfer ownership, or manage billing. Assign this role to department heads or project managers who need operational control.
Editor: Editors are the content creators of the workspace. They have full create-read-update-delete access to links, bio pages, QR codes, and campaigns. They can view analytics for the content they work with. They cannot access workspace settings, manage members, or view billing information. This is the right role for marketing team members, social media managers, and content creators.
Analyst: Analysts can view everything — links, bio pages, QR codes, campaigns, and all analytics data — but they cannot create, edit, or delete anything. This role is ideal for stakeholders who need to monitor performance without the risk of accidentally modifying a live link. Data analysts, executives reviewing reports, and external consultants are common candidates for this role.
Billing: The Billing role provides access exclusively to the billing and subscription section of the workspace. Members with this role can view invoices, update payment methods, change the subscription plan, and download receipts. They cannot see links, analytics, or any other workspace content. Assign this role to finance team members or office managers who handle payments.
Developer: Developers have access to API keys, webhook configuration, and integration settings. They can create and manage links through the API and view technical logs. They do not have access to billing or member management. This role is designed for engineers who are building integrations or automations on top of MASK.
Permission Matrix
The table below summarizes which actions each role can perform. Use it as a quick reference when deciding which role to assign to a new team member.
| Action | Owner | Admin | Editor | Analyst | Billing | Dev |
|---|---|---|---|---|---|---|
| Create & edit links | Yes | Yes | Yes | — | — | Yes |
| Delete links | Yes | Yes | Yes | — | — | — |
| View analytics | Yes | Yes | Yes | Yes | — | Yes |
| Manage bio pages | Yes | Yes | Yes | — | — | — |
| Manage QR codes | Yes | Yes | Yes | — | — | Yes |
| Manage campaigns | Yes | Yes | Yes | — | — | — |
| Invite members | Yes | Yes | — | — | — | — |
| Remove members | Yes | Yes | — | — | — | — |
| Change roles | Yes | Yes | — | — | — | — |
| Configure domains | Yes | Yes | — | — | — | — |
| Workspace settings | Yes | Yes | — | — | — | — |
| Manage billing | Yes | — | — | — | Yes | — |
| API keys & webhooks | Yes | Yes | — | — | — | Yes |
| Delete workspace | Yes | — | — | — | — | — |
| Transfer ownership | Yes | — | — | — | — | — |
Inviting Team Members
To invite someone to your workspace, navigate to Settings → Members and click "Invite Member." Enter their email address and select the role you want to assign. MASK will send an invitation email with a link to join the workspace.
If the person already has a MASK account, they will see the workspace in their dashboard immediately after accepting the invitation. If they do not have an account, the invitation link will guide them through account creation first and then add them to the workspace automatically.
Pending invitations are listed on the Members page with an "Invited" status badge. You can resend or revoke an invitation at any time before it is accepted. Invitations expire after 7 days, after which you will need to send a new one.
Only Owners and Admins can invite new members. There is no limit to the number of members you can add, but your plan may impose a cap on the number of active seats — check Settings → Billing for your current limit.
Managing Access
Changing a role: Owners and Admins can change any member's role from the Members settings page. Click the role badge next to the member's name, select the new role, and confirm. The change takes effect immediately — the member's permissions are updated on their next page load.
Removing a member: To remove someone from the workspace, click the three-dot menu next to their name and select "Remove." The member will immediately lose access to all workspace content. Any links, bio pages, or QR codes they created remain in the workspace — content is never deleted when a member is removed.
Leaving a workspace: Any member can leave a workspace voluntarily from their account settings. The only exception is the Owner — an Owner must transfer ownership to another Admin before they can leave.
Audit log: Owners and Admins can view an audit log of all member-related actions, including invitations sent, roles changed, and members removed. This is available under Settings → Activity and is useful for reviewing access changes during security audits.
Best Practices for Teams
Follow the principle of least privilege: Assign the most restrictive role that still allows a person to do their job. If someone only needs to view reports, make them an Analyst rather than an Editor. If they only handle payments, use the Billing role instead of Admin.
Limit the number of Owners and Admins: These roles have the broadest access. In most organizations, one Owner and one or two Admins is sufficient. Having too many high-privilege accounts increases the risk of accidental configuration changes.
Review membership regularly: When someone leaves your company or moves to a different team, remove them from the workspace promptly. Stale accounts with active access are a common security gap.
Use separate workspaces for separate projects: If you manage multiple brands or clients, create a dedicated workspace for each one rather than granting everyone access to a single workspace. This keeps data isolated and makes it easier to manage who sees what.
Communicate role expectations: When you invite a new member, let them know what their role allows and what it restricts. This avoids confusion when they try to access a feature that is outside their permissions.