Manage Team Members (Mondoo Users)
Invite team members and assign roles to control access to Mondoo organizations and spaces.
You invite team members and assign them roles that control what they can see and do. Membership is scoped to either an organization (access to every space in it, including spaces created later) or a single space.
How roles work
Mondoo's roles come in three groups:
- Base roles grant broad access. Most people get exactly one (Owner, Editor, or Viewer).
- Specialized roles stack on top of a base role (usually Viewer) for fine-grained control. You can assign as many as you need to one person.
- Service account roles apply to non-human identities like agents and CI pipelines. You assign them through service accounts, not through team member invites.
Every role is scoped to an organization or to a single space.
Base roles
These are the primary roles you choose when inviting a team member.
| Role | Scope | What they can do |
|---|---|---|
| Owner | Organization, space | Full administrative control. Owners can create and delete organizations and spaces, manage all team members, configure SSO, SCIM, and WIF, manage billing, and perform every action available to Editor and Viewer. |
| Editor | Organization, space | Day-to-day administrator. Editors manage team members, integrations, policies, query packs, compliance frameworks, exceptions, cases, dashboards, agents, and service accounts. They can update existing organizations and spaces but cannot create or delete them, and cannot manage billing. |
| Viewer | Organization, space | Read-only access to all content in the organization or space, including assets, findings, vulnerabilities, scores, policies, compliance frameworks, exceptions, cases, dashboards, reports, workspaces, and integrations. Viewers cannot make changes. |
Every team member also implicitly receives the Org Member role on their organization and the Space Member role on each space they can access. These baseline roles let users see that an organization or space exists and list its workspaces, assigned policies, and risk factors. You don't assign them directly.
Specialized roles
Combine these with the Viewer base role to grant targeted permissions without giving the team member full Editor access. Because permissions are the union of every role a person holds, you can compose a near-Owner identity by stacking Viewer with several specialized roles, deliberately leaving out the one capability you don't want to delegate.
Identity and access
| Role | Scope | What they can do |
|---|---|---|
| IAM Manager | Organization, space, platform | Assign and remove memberships (roles) for users at space, organization, and platform scope, and manage WIF (workload identity federation) auth bindings. This is the most powerful delegation role: a holder can grant any customer-facing role and can therefore self-escalate, so it sits above Owner in the role hierarchy. Only a Platform Admin or an existing IAM Manager can grant it. Assign it sparingly. |
Organizations and spaces
| Role | Scope | What they can do |
|---|---|---|
| Organization Manager | Organization | Create, update, and delete organizations. |
| Space Manager | Space | Create, update, deactivate, reactivate, and delete spaces, and set resource contacts. |
Teams
| Role | Scope | What they can do |
|---|---|---|
| Team Manager | Organization, space | Create, update, and delete teams, add and remove team members, and view team membership. |
Policies and query packs
| Role | Scope | What they can do |
|---|---|---|
| Policy Editor | Space | Edit and validate policy bundles and read the policy registry. Cannot assign or unassign policies. |
| Policy Manager | Space | Full policy lifecycle: edit, validate, delete, and assign or unassign policies; set policy properties; read aggregate scores and exceptions tied to those policies. |
| Query Pack Editor | Space | Edit and validate query pack bundles and browse the query and resource registry. |
| Query Pack Manager | Space | Manage query pack bundles and browse the query and resource registry. |
Exceptions
| Role | Scope | What they can do |
|---|---|---|
| Exception Requester | Space | File exception requests on findings and extend existing exceptions. Cannot approve them. |
| Exception Reviewer | Space | Approve or deny exception requests submitted by others and extend exception review periods. |
| Exception Manager | Space | Request, review, and delete security findings exceptions. |
Cases and tickets
| Role | Scope | What they can do |
|---|---|---|
| Ticket Creator | Space | Create and update cases and push them to connected ticketing integrations like Jira. Cannot close or delete cases. |
| Ticket Manager | Space | Full case lifecycle: create, update, close, delete, and process case events, plus create, update, and close tickets in connected ticketing integrations. |
Integrations and SLAs
| Role | Scope | What they can do |
|---|---|---|
| Integrations Manager | Space | Create, update, and delete integrations; get integration tokens; trigger actions; run discovery; suppress messages; and manage integration settings. |
| SLA Manager | Space | Read and update the security model used to configure SLAs, plus read policies, compliance frameworks, findings, and aggregate scores so SLA performance can be monitored. |
Assets
| Role | Scope | What they can do |
|---|---|---|
| Asset Manager | Space | Create and delete assets and annotations, delete CI/CD projects, and manage asset routing rules and tables. |
Agents
| Role | Scope | What they can do |
|---|---|---|
| Agent Manager | Space | Create, update, and delete managed agents. Read-only agent access is already covered by Viewer. |
Workspaces
| Role | Scope | What they can do |
|---|---|---|
| Workspace Manager | Space | Create, update, and delete workspaces. |
Workflows
| Role | Scope | What they can do |
|---|---|---|
| Workflow Manager | Space | Create, update, delete, and cancel workflows and scheduled workflows, and execute workflow-service actions. |
Compliance and risk
| Role | Scope | What they can do |
|---|---|---|
| Compliance Framework Manager | Space | Manage and delete compliance frameworks. |
| Risk Factor Manager | Space | Create and modify risk factors. |
Vulnerability data
| Role | Scope | What they can do |
|---|---|---|
| Vulnerability Exchange Manager | Space | Upload, edit, and delete VEX documents, upload FEX findings, and close findings. |
Auditing
| Role | Scope | What they can do |
|---|---|---|
| Audit Log Viewer | Organization, space | View the audit log. |
Pipelines and exports
| Role | Scope | What they can do |
|---|---|---|
| Security Pipeline User | Space | Open pull requests through a security pipeline integration, such as GitOps remediation PRs. |
| Export User | Space | Generate and delete documents (report exports). |
Billing
| Role | Scope | What they can do |
|---|---|---|
| Billing Manager | Organization | Manage the billing account and subscription, including opening billing sessions and updating subscription settings. |
Analytics and dashboards
| Role | Scope | What they can do |
|---|---|---|
| Policy Analytics Dashboard Viewer | Organization, space | Read-only access to the policy analytics view, including the list of policies for analytics, the workspace, assets and their assigned policies, and resource contacts. |
| BI Viewer | Space | Read-only access to BI dashboards, dashboard versions, scheduled exports, and the BI query proxy. |
Agent credentials
Delegate management of the credentials that agents and automation use to authenticate, without granting full Editor access.
| Role | Scope | What they can do |
|---|---|---|
| API Token Creator | Space | Generate, update, and list API tokens. Cannot delete them. |
| API Token Manager | Space | Full API token lifecycle: generate, update, list, and delete API tokens. |
| Service Account Creator | Space | Create, update, list, and view service accounts; manage service account memberships; and read the public key. Cannot delete service accounts. |
| Service Account Manager | Space | Full service account lifecycle: everything the Service Account Creator can do, plus delete service accounts. |
| Registration Token Creator | Space | Generate, list, and verify registration tokens. Cannot revoke them. |
| Registration Token Manager | Space | Full registration token lifecycle: generate, list, verify, and revoke registration tokens. |
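A worked model of the stacking rule described under Specialized roles, added here as an example and not Mondoo's code or API: it treats a member's permissions as the union of the roles held, finds the least-privilege stack that covers a task, and reports which Owner capabilities a stack still withholds and whether it can self-escalate. The permission names and the subset of roles are a constructed abstraction of the tables above, not Mondoo's real permission identifiers.

```python
"""Least-privilege role stacking, modelling the rule under "Specialized roles".

Added example, not Mondoo's code. Permission names are a constructed
abstraction of this page's role tables, not Mondoo's real identifiers,
and only a subset of the roles is modelled.
"""
from itertools import combinations

# Specialized roles (constructed permission names, abstracted from the tables above).
SPECIALIZED = {
    "Exception Requester": {"request_exception"},
    "Exception Reviewer": {"approve_exception"},
    "Exception Manager": {"request_exception", "approve_exception", "delete_exception"},
    "Ticket Creator": {"create_case"},
    "Ticket Manager": {"create_case", "close_case", "delete_case"},
    "Policy Editor": {"edit_policy"},
    "Policy Manager": {"edit_policy", "assign_policy", "delete_policy"},
    "Integrations Manager": {"manage_integrations"},
    # IAM Manager can grant any role, including to itself; the page ranks it above Owner.
    "IAM Manager": {"assign_any_role"},
}
ROLES = dict(SPECIALIZED)
ROLES["Viewer"] = {"read"}
# Editor: day-to-day administration, i.e. every specialized capability except IAM Manager.
ROLES["Editor"] = ROLES["Viewer"] | {"manage_members"} | set().union(
    *(p for r, p in SPECIALIZED.items() if r != "IAM Manager"))
ROLES["Owner"] = ROLES["Editor"] | {"create_delete_org_space", "manage_billing", "manage_sso"}


def effective_permissions(roles):
    """The stacking rule: a member's permissions are the union of every role held."""
    return set().union(*(ROLES[r] for r in roles))


def least_privilege(needed, max_roles=4):
    """Stack of roles covering `needed` with the fewest extra permissions (ties: fewer roles)."""
    best = None
    for n in range(1, max_roles + 1):
        for combo in combinations(sorted(ROLES), n):
            granted = effective_permissions(combo)
            if needed <= granted:
                key = (len(granted - needed), n)
                if best is None or key < best[0]:
                    best = (key, combo)
    return best[1] if best else None


def review_stack(roles):
    """Reviewer's view: what an Owner could do that this stack cannot, and escalation risk."""
    granted = effective_permissions(roles)
    return {
        "withheld_from_owner": sorted(ROLES["Owner"] - granted),
        "can_self_escalate": "assign_any_role" in granted,
    }


if __name__ == "__main__":
    # Approving exceptions and opening cases needs no Editor grant at all.
    print(least_privilege({"read", "approve_exception", "create_case"}))
    print(review_stack(["Viewer", "Exception Manager", "Ticket Manager",
                        "Policy Manager", "Integrations Manager"]))
```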
Service account roles
These roles apply to non-human identities. Assign them when you create a service account.
| Role | Scope | What it allows |
|---|---|---|
| Agent | Space | Used by cnspec agents. Allows registration, telemetry and log reporting, asset sync, fetching assigned policies and bundles, storing scan results, uploading SBOMs, and getting scan parameters. |
| Gateway Agent | Space | Used by gateway-mode agents that proxy other agents. Adds registration-token generation and integration query capabilities on top of the Agent role. |
| Scan Job Runner | Space | Minimal role for automated scan jobs: sync assets, resolve and run policy jobs, store results, get upload URLs, and report integration status. |
| Export Runner | Space | Used by export integrations that pull data out of Mondoo. Provides read access to assets, policies, frameworks, vulnerabilities, scores, findings, and reports, plus document upload and status reporting. |
| VEX Importer | Space | Used by tools that bulk upload VEX, FEX, and SBOM data and close matching findings. |
| Deployment Manager | Space | Used by deployment automation. Creates, updates, and deletes integrations; gets integration tokens; triggers actions; and reads space and integration settings. |
| SCIM Identity Manager | Organization | Used by SCIM provisioning clients such as Okta and Microsoft Entra ID. Full CRUD on SCIM users and groups. |
| Platform Admin | Organization, space | Used by automated Mondoo Platform tooling and operators that need full system control. Holds broad organization and space CRUD, member and team management, integrations, policies, frameworks, billing, dashboards, and SCIM mapping. |
Invite a team member
The procedure is the same whether you're inviting someone to an organization or to a single space. The scope is set by where you start.
- Navigate to the organization or space you want to add the member to.
- In the side navigation bar, select Settings, then the Members tab.
- Select INVITE MEMBER.
- Enter the new member's email and pick a role.
- Select ADD.
The new member gets an email invitation. The roles you assigned apply as soon as they accept.
Resend or revoke an invitation
- Navigate to the organization or space in which you want to resend or revoke an invitation.
- In the side navigation bar, select Settings.
- Select the Members tab.
- If the space or organization has any pending invitations, a Pending Invitations section is shown.
- To resend an invitation, select the circular arrow icon beside the invitation's status.
- To revoke an invitation, select the delete icon beside the invitation's status.
Edit a team member's role
- Navigate to the organization or space in which you want to edit a team member's access.
- In the side navigation bar, select Settings.
- Select the Members tab.
- Select the team member you want to edit.
- Select Add Roles to add new roles to the team member and then select Apply.

Delete a team member
- Navigate to the organization or space from which you want to remove a team member's access.
- In the side navigation bar, select Settings.
- Select the Members tab.
- Select the team member you want to remove.
- Select Remove Member and then confirm the removal.
