Roles & Permissions
Conto uses role-based access control (RBAC) to manage what each team member can do within an organization.Roles
| Role | Description |
|---|---|
| Owner | Full access. Can manage billing, settings, encryption keys, and all resources. An organization can have multiple Owners; the last Owner cannot remove themselves without transferring ownership first. |
| Admin | Can manage agents, wallets, policies, API keys, and team members. Cannot change billing or encryption. |
| Manager | Can create and update agents, manage counterparties, approve transactions, and manage alerts. Cannot create wallets or policies. |
| Viewer | Read-only access to agents, wallets, policies, transactions, counterparties, alerts, and analytics. |
| Member | Limited access. Can view wallets but cannot modify anything. |
Permission Matrix
| Permission | Owner | Admin | Manager | Viewer | Member |
|---|---|---|---|---|---|
| Agents | |||||
| View agents | Yes | Yes | Yes | Yes | — |
| Create agents | Yes | Yes | Yes | — | — |
| Update agents | Yes | Yes | Yes | — | — |
| Delete agents | Yes | Yes | — | — | — |
| Suspend/freeze agents | Yes | Yes | Yes | — | — |
| Wallets | |||||
| View wallets | Yes | Yes | Yes | Yes | Yes |
| Create wallets | Yes | Yes | — | — | — |
| Fund wallets | Yes | Yes | — | — | — |
| Withdraw from wallets | Yes | — | — | — | — |
| Policies | |||||
| View policies | Yes | Yes | Yes | Yes | — |
| Create/edit policies | Yes | Yes | — | — | — |
| Transactions | |||||
| View transactions | Yes | Yes | Yes | Yes | — |
| Execute transactions | Yes | Yes | Yes | — | — |
| Approve transactions | Yes | Yes | Yes | — | — |
| Counterparties | |||||
| View counterparties | Yes | Yes | Yes | Yes | — |
| Manage counterparties | Yes | Yes | Yes | — | — |
| Alerts | |||||
| View alerts | Yes | Yes | Yes | Yes | — |
| Acknowledge/resolve | Yes | Yes | Yes | — | — |
| Analytics | |||||
| View analytics | Yes | Yes | Yes | Yes | — |
| Export data | Yes | Yes | — | — | — |
| Settings | |||||
| View settings | Yes | Yes | — | — | — |
| Modify settings | Yes | — | — | — | — |
| Team | |||||
| View members | Yes | Yes | Yes | Yes | — |
| Invite/remove members | Yes | Yes | — | — | — |
| API Keys | |||||
| View API keys | Yes | Yes | — | — | — |
| Create/revoke API keys | Yes | — | — | — | — |
Managing Members
Invite a Member
Go to Settings > Team > Invite Member. Enter the email and select a role.Change a Role
Changing roles requires team management permission (Owner or Admin), and role changes are enforced by hierarchy: you can only change or remove members whose role is strictly below your own. An Admin can manage Managers, Members, and Viewers, but not another Admin. Owners can manage anyone, including other Owners, and only an Owner can promote a member to Owner. The last Owner cannot be demoted or removed without transferring ownership first.API Key Scopes
Organization API keys use scopes that map to these permissions. When creating a key, you can select a preset or pick individual scopes:| Preset | Scopes included |
|---|---|
| Read Only | *:read scopes only |
| Standard | Read + write for agents, wallets, policies, transactions, counterparties |
| Admin | All scopes (Owner-only) |