Roles & Permissions
Roles and permissions are a Cloud-only feature. Self-hosted Core deployments are single-tenant and do not include role-based access control. See Cloud vs Self-Hosted for details.
Control what team members can do in your organization with role-based access control. Roles and members are managed in the LinkForty dashboard.
Overview
LinkForty uses role-based access control (RBAC) to manage permissions. Each organization member has a role that determines their capabilities.
Available Roles:
- Owner - Full control (1 per organization)
- Admin - Manage settings and members
- Member - Create and manage links
- Viewer - Read-only access
Role Comparison
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Links | ||||
| View links | Yes | ✅ | Yes | ✅ |
| Create links | Yes | ✅ | Yes | No |
| Edit links | Yes | ✅ | Yes | No |
| Delete links | Yes | ✅ | Yes | No |
| Bulk operations | Yes | ✅ | Yes | No |
| Analytics | ||||
| View analytics | Yes | ✅ | Yes | ✅ |
| Export data | Yes | ✅ | Yes | No |
| Projects | ||||
| View projects | Yes | ✅ | Yes | ✅ |
| Create projects | Yes | ✅ | Yes | No |
| Edit projects | Yes | ✅ | Yes | No |
| Delete projects | Yes | ✅ | No | ❌ |
| Team | ||||
| View members | Yes | ✅ | Yes | ✅ |
| Invite members | Yes | ✅ | No | ❌ |
| Remove members | Yes | ✅ | No | ❌ |
| Change roles | Yes | ✅* | No | ❌ |
| Organization | ||||
| View settings | Yes | ✅ | Yes | ✅ |
| Edit settings | Yes | ✅ | No | ❌ |
| Manage billing | Yes | No | ❌ | No |
| Delete organization | Yes | No | ❌ | No |
| Webhooks | ||||
| View webhooks | Yes | ✅ | Yes | ✅ |
| Create webhooks | Yes | ✅ | No | ❌ |
| Edit webhooks | Yes | ✅ | No | ❌ |
| Delete webhooks | Yes | ✅ | No | ❌ |
| Custom Domains | ||||
| View domains | Yes | ✅ | Yes | ✅ |
| Add domains | Yes | ✅ | No | ❌ |
| Remove domains | Yes | ✅ | No | ❌ |
| API Keys | ||||
| View API keys | Yes | ✅ | Yes | No |
| Create API keys | Yes | ✅ | No | ❌ |
| Delete API keys | Yes | ✅ | No | ❌ |
* Admins can't promote members to Owner
Role Descriptions
Owner
The organization creator with full control.
Unique Abilities:
- Delete organization
- Manage billing and subscriptions
- Transfer ownership
- Cannot be removed (must transfer ownership first)
Limitations:
- Only 1 owner per organization
- Cannot leave without transferring ownership or deleting org
Use Case: Founder, company owner, billing administrator
Admin
Trusted team leads who manage the organization.
Can Do:
- Manage all settings
- Invite and remove members
- Create and manage resources
- Change member roles (except Owner)
Cannot Do:
- Delete organization
- Manage billing
- Promote to Owner
Use Case: Team leads, managers, senior staff
Member
Regular team members who work with links.
Can Do:
- Create and manage links
- View analytics
- Work with projects
- Export data
Cannot Do:
- Invite team members
- Change settings
- Manage billing
- Delete organization
Use Case: Marketing team, content creators, developers
Viewer
Read-only access for stakeholders.
Can Do:
- View links
- View analytics
- View projects
- View team members
Cannot Do:
- Create or edit anything
- Export data
- Invite members
Use Case: Clients, stakeholders, auditors, interns
Managing Roles
Viewing Member Roles
Go to Settings → Team to see all members with their roles and join dates.
Changing Member Roles
- Go to Settings → Team
- Open the member's role dropdown
- Select a new role and save
Requires: Owner or Admin role.
Restrictions:
- Admins cannot promote anyone to Owner
- The Owner role can't be reassigned this way — use Transfer Ownership
- You can't lower your own role
Transferring Ownership
Only the current owner can transfer ownership:
- Go to Settings → Organization
- Scroll to "Transfer Ownership"
- Select the new owner (must be an existing member)
- Click "Transfer" and confirm
When ownership transfers, the new owner gets the Owner role, the previous owner becomes an Admin, and billing moves to the new owner. This can't be undone except by transferring back.
Permission Enforcement
Permissions are enforced server-side on every request — a member can never perform an action their role disallows, regardless of what the UI shows. The dashboard also hides actions a member can't take (for example, only Owners see "Delete Organization"; only Owners and Admins see "Invite Member"), so the interface always matches each member's role.
Common Scenarios
1. Small Team (2-5 people)
Setup:
- 1 Owner (founder)
- 1-2 Admins (co-founders, leads)
- 1-2 Members (team)
Rationale: Everyone can work, admins handle team management.
2. Agency (10-25 people)
Setup:
- 1 Owner (agency owner)
- 2-3 Admins (department heads)
- 15-20 Members (account managers, creators)
- 2-5 Viewers (clients)
Rationale: Hierarchy with client visibility.
3. Large Organization (50+ people)
Setup:
- 1 Owner (IT administrator)
- 5-10 Admins (team leads)
- 40+ Members (employees)
- 10+ Viewers (stakeholders)
Rationale: Scaled management with many contributors.
4. Freelancer + Client
Setup:
- 1 Owner (freelancer)
- 1-2 Viewers (client stakeholders)
Rationale: Client can monitor without editing.
Best Practices
1. Principle of Least Privilege
Give minimum permissions needed:
Good:
- Client monitoring campaign → Viewer
- Marketing creating links → Member
- Team lead managing settings → Admin
Bad:
- Everyone is Admin
- Client has Member access
2. Regular Audits
Review your team in Settings → Team quarterly — remove inactive members and adjust roles to match current responsibilities.
3. Document Role Assignments
Keep a record of why roles were assigned:
# Team Roles
- [email protected] (Owner) - Founder, handles billing
- [email protected] (Admin) - Marketing lead
- [email protected] (Member) - Content creator
- [email protected] (Viewer) - Client stakeholder
4. Limit Admins
Don't make everyone admin:
Recommended:
- Owners: 1
- Admins: 10-20% of team
- Members: 70-80% of team
- Viewers: Case-by-case
Troubleshooting
"You don't have permission"
Cause: Your role doesn't allow this action
Fix:
- Check your role (profile menu)
- Contact admin/owner to elevate permissions
- Ask admin to perform action
Can't Change Own Role
Cause: Can't demote yourself
Fix: Ask another admin/owner to change your role
Can't Remove Owner
Cause: Owner can't be removed
Fix: Owner must transfer ownership first, then leave
Security
Access Control
- Role verification on every API call
- UI enforcement hides unauthorized actions
- Audit logging tracks role changes (Unlimited)
Recommendations
- Regularly review team members
- Remove inactive accounts
- Use Viewer role for read-only access
- Require 2FA for Admins and Owners (Unlimited)
Related Guides
- Organizations - Organization management
- Inviting Members - Add team members
- Projects - Organize with projects
Next Steps
- Review current team roles
- Assign appropriate permissions
- Document role decisions
- Set up regular permission audits