Skip to content
  • There are no suggestions because the search field is empty.

Permission Management Roles

Understanding User Permissions and Roles in EasyDMARC

Every EasyDMARC account is an Organisation, and each Organisation has a single Organisation Owner with ultimate authority over the account. Within an Organisation, access is granted through roles at three levels — Organisation, Workspace and Domain — so you can give each person exactly the access they need.

Actions and access

  • View — read-only: see data and settings without changing them.
  • Manage — Create, Update and Delete (Manage always includes View).

When you build a custom role you can grant these actions individually (full CRUD) for fine-grained control — for example View + Create without Delete.

The three access levels

Organisation level Account-wide settings in the Admin Console: User Management, Roles & Permissions, Workspace Management, Plans & Billing, Integrations, Public API, Webhook Management, Single Sign-On (SSO), IP Safelisting, Audit Logs and Alerts; Labels; and the TouchPoint product (Lead Discovery, available to MSPs).

Workspace level Actions that belong to a whole Workspace: adding and managing the Workspace's domains, managing the Workspace's users, the Sender Insights API, and the Sender Insights tests (Email Investigation, Email Verification, Inbox Placement). A Workspace role also covers all of the Domain-level data below, for every domain in the Workspace.

Domain level The per-domain data and tools, for the specific domains you choose: DNS Manager, DMARC (Aggregate, Geolocation, Failure, TLS and BIMI reports, plus Managed DMARC, Managed DKIM, EasySPF and Managed BIMI), Monitoring (Uptime/SSL/VMC), Threat Intelligence, Reporting, Dashboards, Alert Logs, the Sender Insights data (Engagement/Event Log, Blocklist Monitoring, Google Postmaster, Microsoft SNDS), the domain's users, and viewing or editing the domains themselves.

Roles

Organisation roles

  • Organisation Owner — Full, unrestricted access to all features, settings and resources. The only role that can transfer Organisation ownership. There is one Owner per account.
  • Organisation Admin — Can manage all resources, features and settings across the Organisation. Cannot transfer ownership.
  • TouchPoint Admin — Can manage the TouchPoint product (available to MSPs), with no access to other settings or data.
  • TouchPoint Viewer — Read-only access to the TouchPoint product (MSPs only).

Workspace roles (assigned to one or more specific Workspaces)

  • Workspace Admin — Full control of all features and all domains in the Workspace, including inviting users to that Workspace and managing its domains.
  • Workspace Viewer — Read-only access to all features and all domains in the Workspace.

Domain roles (assigned to one or more specific domains)

  • Domain Admin — View and manage the data of the selected domains across the domain-based features.
  • Domain Viewer — Read-only access to the data of the selected domains.

How access is assigned

When you invite a user or edit their access, you pick a role and — for Workspace and Domain roles — choose which Workspace(s) or domain(s) it applies to. Organisation-level roles apply across the whole account and need no resource selection. For Workspace and Domain roles you'll navigate from the organisation into its workspaces, and into a workspace to its domains, with search to find the ones you need.

Access inherits downward. Access granted higher up flows down automatically: an Organisation Admin is admin of every Workspace and domain, and a Workspace role covers all domains in that Workspace.

Combining roles. A user can hold several roles at once — their permissions are combined, and where roles overlap the highest level of access applies. This lets you mix breadth and depth, for example Workspace Viewer (read everything in a Workspace) plus Domain Admin (manage one domain in it). A role that's already fully covered by a broader one (e.g. a Domain role on top of Workspace Admin) simply adds nothing.

Alerting

A role's alerting reach is derived from its domain access:

  • Access to all domains — see and manage all alerts, and send notifications to any channel (Teams, Slack, webhook or email).
  • Access to selected domains — see and manage alerts only for those domains, with email as the only channel (more channels may be added later).
  • Alert Logs follow the same rule — full access shows all logs; selected-domain access shows logs for those domains only.

Alerts are configured per domain, so a user only ever sees the domains they have access to.

Managing user invitations

Only Administrators can invite new users. The following rules apply:

  • Batch limit — Up to 5 users can be invited per batch.
  • Validity period — Invitations expire after 48 hours.
  • Pending status — Invited users appear as "Pending" on the User Management page until they accept.
  • Expiration — If not accepted within 48 hours, the invitation expires and the pending entry is removed.

Custom roles

Administrators can create custom roles. The builder shows every permission in one searchable list, grouped under Organisation, Workspace and Domain headings; set each feature to View or Manage / Create, Update and Delete (or leave it None). A single role can mix permissions from any of the three groups.

When you assign the role you choose the resource it applies to: Organisation permissions apply across the whole account, Workspace permissions to the workspace(s) you pick (and all their domains), and Domain permissions to the domains you pick.

Managing user invitations

Only Administrators can invite new users. The following rules apply:

  • Batch limit — Up to 5 users can be invited per batch.
  • Validity period — Invitations expire after 48 hours.
  • Pending status — Invited users appear as "Pending" on the User Management page until they accept.
  • Expiration — If not accepted within 48 hours, the invitation expires and the pending entry is removed.