# Team Roles and Permissions
BreachSpider uses a simple, two-role access model for team members, plus the account owner. Roles control what a team member can do inside your organization. They are separate from your subscription tier (which controls which features the whole organization can access).
## The roles at a glance
| Role | Who it is | What they can do |
|---|---|---|
| Owner | The person who created the account. There is exactly one owner per organization. | Everything an admin can do, plus billing/plan changes and permanently deleting the account. The owner cannot be removed or demoted by anyone else. |
| Admin | A trusted team member who runs the platform day to day. | Full use of the website: create/edit/delete environments and assets, manage the watchlist, triage findings, open and manage tickets, generate and delete reports, configure integrations, webhooks, alert rules and API keys, and invite or remove other team members. Effectively the same as the owner, except an admin cannot delete the account owner or delete the organization. |
| Viewer | A read-only stakeholder — an auditor, manager, or client contact who needs visibility but should not change anything. | Read-only. Can see everything relevant but cannot create, edit, or delete any data. Viewers can also take Training. |
!!! note "Two assignable roles"
    When you invite a team member you choose Admin or Viewer. Owner is not an assignable role — it belongs to whoever created the account and can only move by transferring the account.
## What a Viewer can do (read-only)
Viewers get a clean, read-only version of the app. They can:
- View the Dashboard, CVE Search, and all CVE intelligence (CVSS, EPSS, BCS, KEV, SAGE analysis).
- View Environments, assets, and the findings/matches within them.
- View the Watchlist.
- View existing Reports, open them, and download/export them (PDF/CSV).
- Use SAGE chat to ask questions.
- Take Training courses and complete modules.
- View the Audit Log and manage their own profile and notification preferences.
Viewers cannot:
- Create, edit, or delete environments, assets, sites, or locations.
- Add to or remove from the Watchlist.
- Acknowledge, dismiss, or restore findings.
- Generate, share, or delete reports.
- Open, close, reopen, or resend tickets.
- Configure integrations, webhooks, alert rules, recipients, or API keys.
- Invite/remove team members or change billing.
### How the read-only experience looks
For viewers, the interface is tidied up so there are no dead-end buttons:
- Write controls (create / edit / delete / generate / acknowledge buttons) are hidden, not just disabled.
- Admin-only areas — Integrations and MSSP — are removed from the navigation, and visiting their URLs directly redirects to the Dashboard.
- On the Account page, the Team and Plan & Billing tabs are hidden; Profile, notification preferences, and the Audit Log remain.
## Admin vs Owner
Admins are intentionally given full owner-level permissions so they can run the platform without the owner being a bottleneck. The only things reserved for the owner are:
- Removing or demoting the account owner. Admins can invite and remove other members, but the owner account is protected and cannot be removed or demoted.
- Permanently deleting the organization/account (GDPR erasure). Only the owner can do this.
Everything else — environments, assets, watchlist, findings, tickets, reports, integrations, webhooks, alert rules, API keys, team invitations, and billing — is available to admins exactly as it is to the owner.
## Changing a member's role
- Go to Account → Team (owner or admin only).
- Invite a new member as Admin or Viewer, or change an existing member's role.
- The account owner always appears as protected — they cannot be removed or demoted from this screen.
## How enforcement works (and why it's safe)
Permissions are enforced on the server, not just hidden in the UI. Every write operation (anything that creates, updates, or deletes data) checks the caller's role first. If a viewer attempts a write — through the UI, a direct API call, an API key, or even by asking SAGE to perform an action — the request is rejected with:
```text
HTTP 403 Forbidden
{
  "error": "viewer_role",
  "message": "Viewers have read-only access and cannot modify data. Contact your organization admin."
}
```
This means that hiding the buttons is purely a usability measure; the security guarantee comes from the backend. A viewer's API key inherits the viewer role, so programmatic access is read-only too.
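The following is an added example, not BreachSpider's own code, showing how a server-side role check of the kind described above fits together: the caller's role is resolved from either a session or an API key (the key inherits its creator's role), every non-read action is treated as a write and checked before any handler runs, a SAGE tool call passes through the same check, and the viewer UI drops admin-only navigation and redirects direct URL visits. The action names, the header names, the in-memory user and API-key tables, and the `owner_only` error payload are assumptions made for the example.

```python
# Added example (not BreachSpider's code): minimal server-side role enforcement
# matching the behaviour described on this page. Header names, action names,
# the lookup tables and the "owner_only" payload are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    VIEWER = "viewer"


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role
    via_api_key: bool = False  # True when the caller authenticated with an API key


# Constructed stand-ins for the user store and the API-key store.
USERS: Dict[str, Role] = {"u-owner": Role.OWNER, "u-admin": Role.ADMIN, "u-viewer": Role.VIEWER}
API_KEYS: Dict[str, str] = {"bs_key_viewer": "u-viewer", "bs_key_admin": "u-admin"}


def resolve_principal(headers: Dict[str, str]) -> Optional[Principal]:
    """Identify the caller from a session user id or an API key (assumed headers).
    An API key carries no role of its own: it maps to the user who created it and
    inherits that user's role, so a viewer's key stays read-only."""
    uid = headers.get("X-Session-User")
    if uid in USERS:
        return Principal(uid, USERS[uid])
    key = headers.get("X-Api-Key")
    if key in API_KEYS:
        uid = API_KEYS[key]
        return Principal(uid, USERS[uid], via_api_key=True)
    return None


# Reads are open to every role; any action NOT listed here is treated as a write.
READ_ACTIONS = {"view_dashboard", "view_environment", "view_watchlist", "export_report",
                "sage_chat", "take_training", "view_audit_log"}
# Writes reserved for the owner (from the "Admin vs Owner" section).
OWNER_ONLY_ACTIONS = {"delete_organization", "remove_owner", "demote_owner"}

VIEWER_DENIED = {"status": 403, "body": {
    "error": "viewer_role",
    "message": "Viewers have read-only access and cannot modify data. Contact your organization admin."}}
# Hypothetical payload: the page does not say what an admin sees for owner-only actions.
OWNER_ONLY_DENIED = {"status": 403, "body": {
    "error": "owner_only", "message": "Only the account owner can perform this action."}}
UNAUTHENTICATED = {"status": 401, "body": {"error": "unauthenticated"}}


def authorize(headers: Dict[str, str], action: str) -> dict:
    """Role check that runs before any handler touches data.
    Default-deny: an unclassified action counts as a write, so a viewer is refused
    even on an endpoint added later that nobody remembered to mark read-only."""
    principal = resolve_principal(headers)
    if principal is None:
        return UNAUTHENTICATED
    if action in READ_ACTIONS:
        return {"status": 200}
    if principal.role is Role.VIEWER:
        return VIEWER_DENIED
    if action in OWNER_ONLY_ACTIONS and principal.role is not Role.OWNER:
        return OWNER_ONLY_DENIED
    return {"status": 200}


def sage_perform(headers: Dict[str, str], action: str) -> dict:
    """A SAGE tool call goes through the same check as a direct request, so the
    assistant cannot be used as a side door around the caller's role."""
    return authorize(headers, action)


# UI side: admin-only sections are removed from navigation for viewers (not just
# disabled), and a direct visit to their URLs is redirected to the Dashboard.
NAV = ["Dashboard", "Environments", "Watchlist", "Reports", "Integrations", "MSSP", "Account"]
ADMIN_ONLY_NAV = {"Integrations", "MSSP"}


def nav_for(role: Role) -> List[str]:
    if role is Role.VIEWER:
        return [item for item in NAV if item not in ADMIN_ONLY_NAV]
    return list(NAV)


def route_for(role: Role, path: str) -> str:
    first_segment = path.strip("/").split("/")[0].lower()
    if role is Role.VIEWER and first_segment in {"integrations", "mssp"}:
        return "/dashboard"
    return path


if __name__ == "__main__":
    print(authorize({"X-Api-Key": "bs_key_viewer"}, "create_environment"))
    print(authorize({"X-Session-User": "u-admin"}, "delete_organization"))
```

The point worth noting in the design is the order of the checks: the read allow-list is consulted first, then the viewer role is rejected for anything else, and only then are owner-only actions singled out. Because the write case is the fall-through rather than a second allow-list, forgetting to classify a new endpoint fails closed for viewers rather than open.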
See also: Account API, Inviting your team.