Skip to main content

Roles & Permissions

Conto uses role-based access control (RBAC) to manage what each team member can do within an organization.

Roles

RoleDescription
OwnerFull access. Can manage billing, settings, encryption keys, and all resources. An organization can have multiple Owners; the last Owner cannot remove themselves without transferring ownership first.
AdminCan manage agents, wallets, policies, API keys, and team members. Cannot change billing or encryption.
ManagerCan create and update agents, manage counterparties, approve transactions, and manage alerts. Cannot create wallets or policies.
ViewerRead-only access to agents, wallets, policies, transactions, counterparties, alerts, and analytics.
MemberLimited access. Can view wallets but cannot modify anything.

Permission Matrix

PermissionOwnerAdminManagerViewerMember
Agents
View agentsYesYesYesYes
Create agentsYesYesYes
Update agentsYesYesYes
Delete agentsYesYes
Suspend/freeze agentsYesYesYes
Wallets
View walletsYesYesYesYesYes
Create walletsYesYes
Fund walletsYesYes
Withdraw from walletsYes
Policies
View policiesYesYesYesYes
Create/edit policiesYesYes
Transactions
View transactionsYesYesYesYes
Execute transactionsYesYesYes
Approve transactionsYesYesYes
Counterparties
View counterpartiesYesYesYesYes
Manage counterpartiesYesYesYes
Alerts
View alertsYesYesYesYes
Acknowledge/resolveYesYesYes
Analytics
View analyticsYesYesYesYes
Export dataYesYes
Settings
View settingsYesYes
Modify settingsYes
Team
View membersYesYesYesYes
Invite/remove membersYesYes
API Keys
View API keysYesYes
Create/revoke API keysYes

Managing Members

Invite a Member

Go to Settings > Team > Invite Member. Enter the email and select a role.

Change a Role

Changing roles requires team management permission (Owner or Admin), and role changes are enforced by hierarchy: you can only change or remove members whose role is strictly below your own. An Admin can manage Managers, Members, and Viewers, but not another Admin. Owners can manage anyone, including other Owners, and only an Owner can promote a member to Owner. The last Owner cannot be demoted or removed without transferring ownership first.

API Key Scopes

Organization API keys use scopes that map to these permissions. When creating a key, you can select a preset or pick individual scopes:
PresetScopes included
Read Only*:read scopes only
StandardRead + write for agents, wallets, policies, transactions, counterparties
AdminAll scopes (Owner-only)
See Admin SDK > Scopes for the full scope list.