Roles and permissions
Shield Control uses four roles, designed so security work, audit work, and administration can be separated cleanly.
The four roles
- Admin — everything: organization settings, billing, users, policies, audit.
- Security — writes policies and works Discovery and the audit log, without touching org administration.
- Auditor — read access plus exports. Made for compliance reviews: sees everything, changes nothing.
- Member — self-service only: their own profile and consent settings.
A role is assigned when you invite someone; people who join automatically via your verified domain start as Member, and whoever created the organization is its first Admin.
Changing a role
- Open Users & Roles.
- In the member's row menu, select Edit role.
- Pick the new role and save.
The row menu is also where Remove member lives.
Note: the number of admin seats is plan-dependent (Starter 1, Business 5, Enterprise unlimited). If a role change would exceed the limit, Shield tells you instead of failing silently.
Was this article helpful?
Related articles
Invite your team
Invite members by email from Users & Roles, track open invitations, and handle join requests from your verified domain.
Read articleDomain verification and join modes
Verify your company domain via DNS TXT record or email, then choose how sign-ups from that domain join: automatically, by approval, or invite-only.
Read articlePrivacy and data handling
What admins can see about employees' AI usage, the privacy controls that govern it, and how long audit data is retained.
Read articleStill stuck?
Send us the details — we answer within one business day.