Manage Team Members (Mondoo Users)
Invite team members and assign roles to control access to Mondoo organizations and spaces.
You can invite team members to access Mondoo at the organization level or at an individual space level, with different permission levels for each. This lets you control which team members can view or modify specific security data and configurations.
Organization members have access to all current spaces and workspaces within that organization, plus any spaces created in the future.
Role-based access control
You assign team members one or more roles to control what they can see and change in Mondoo. Roles fall into three groups:
- Base roles grant broad access. Most users have exactly one base role.
- Specialized roles add targeted permissions on top of a base role (typically Viewer) for fine-grained control. You can assign more than one specialized role to the same person.
- Service account roles apply to non-human identities such as agents, automation pipelines, and SCIM clients. You assign them through service accounts, not through team member invitations.
Roles are scoped to either an organization or a space. An organization-level role applies to every space within that organization, including spaces created later.
Base roles
These are the primary roles you choose when inviting a team member.
| Role | Scope | What they can do |
|---|---|---|
| Owner | Organization, space | Full administrative control. Owners can create and delete organizations and spaces, manage all team members, configure SSO, SCIM, and WIF, manage billing, and perform every action available to Editor and Viewer. |
| Editor | Organization, space | Day-to-day administrator. Editors manage team members, integrations, policies, query packs, compliance frameworks, exceptions, cases, dashboards, agents, and service accounts. They can update existing organizations and spaces but cannot create or delete them, and cannot manage billing. |
| Viewer | Organization, space | Read-only access to all content in the organization or space, including assets, findings, vulnerabilities, scores, policies, compliance frameworks, exceptions, cases, dashboards, reports, workspaces, and integrations. Viewers cannot make changes. |
Every team member also implicitly receives the Org Member role on their organization and the Space Member role on each space they can access. These baseline roles let users see that an organization or space exists and list its workspaces, assigned policies, and risk factors. You don't assign them directly.
Specialized roles
Combine these with the Viewer base role to grant targeted permissions without giving the team member full Editor access.
Policies and query packs
| Role | Scope | What they can do |
|---|---|---|
| Policy Editor | Space | Edit and validate policy bundles and read the policy registry. Cannot assign or unassign policies. |
| Policy Manager | Space | Full policy lifecycle: edit, validate, delete, and assign or unassign policies; set policy properties; read aggregate scores and exceptions tied to those policies. |
| Query Pack Editor | Space | Edit and validate query pack bundles and browse the query and resource registry. |
| Query Pack Manager | Space | Manage query pack bundles and browse the query and resource registry. |
Exceptions
| Role | Scope | What they can do |
|---|---|---|
| Exception Requester | Space | File exception requests on findings and extend existing exceptions. Cannot approve them. |
| Exception Reviewer | Space | Approve or deny exception requests submitted by others and extend exception review periods. |
Cases and tickets
| Role | Scope | What they can do |
|---|---|---|
| Ticket Creator | Space | Create and update cases and push them to connected ticketing integrations like Jira. Cannot close or delete cases. |
| Ticket Manager | Space | Full case lifecycle: create, update, close, delete, and process case events, plus create, update, and close tickets in connected ticketing integrations. |
Integrations and SLAs
| Role | Scope | What they can do |
|---|---|---|
| Integrations Manager | Space | Create, update, and delete integrations; get integration tokens; trigger actions; run discovery; suppress messages; and manage integration settings. |
| SLA Manager | Space | Read and update the security model used to configure SLAs, plus read policies, compliance frameworks, findings, and aggregate scores so SLA performance can be monitored. |
Billing
| Role | Scope | What they can do |
|---|---|---|
| Billing Manager | Organization | Manage the billing account and subscription, including opening billing sessions and updating subscription settings. |
Analytics and dashboards
| Role | Scope | What they can do |
|---|---|---|
| Policy Analytics Dashboard Viewer | Organization, space | Read-only access to the policy analytics view, including the list of policies for analytics, the workspace, assets and their assigned policies, and resource contacts. |
| BI Viewer | Space | Read-only access to BI dashboards, dashboard versions, scheduled exports, and the BI query proxy. |
Service account roles
These roles apply to non-human identities. Assign them when you create a service account.
| Role | Scope | What it allows |
|---|---|---|
| Agent | Space | Used by cnspec agents. Allows registration, telemetry and log reporting, asset sync, fetching assigned policies and bundles, storing scan results, uploading SBOMs, and getting scan parameters. |
| Gateway Agent | Space | Used by gateway-mode agents that proxy other agents. Adds registration-token generation and integration query capabilities on top of the Agent role. |
| Scan Job Runner | Space | Minimal role for automated scan jobs: sync assets, resolve and run policy jobs, store results, get upload URLs, and report integration status. |
| Export Runner | Space | Used by export integrations that pull data out of Mondoo. Provides read access to assets, policies, frameworks, vulnerabilities, scores, findings, and reports, plus document upload and status reporting. |
| VEX Importer | Space | Used by tools that bulk upload VEX, FEX, and SBOM data and close matching findings. |
| Deployment Manager | Space | Used by deployment automation. Creates, updates, and deletes integrations; gets integration tokens; triggers actions; and reads space and integration settings. |
| SCIM Identity Manager | Organization | Used by SCIM provisioning clients such as Okta and Microsoft Entra ID. Full CRUD on SCIM users and groups. |
| Platform Admin | Organization, space | Used by automated Mondoo Platform tooling and operators that need full system control. Holds broad organization and space CRUD, member and team management, integrations, policies, frameworks, billing, dashboards, and SCIM mapping. |
Add team members to an organization
To add additional team members to an organization:
-
Navigate to the organization to which you want to add a team member.
-
In the side navigation bar, select Settings.
-
Select the Members tab.
-
Select the INVITE MEMBER button.
-
Enter the email address and select a role for the team member.
-
Select ADD.
The team member receives an email invitation to join the organization.
Add team members to a space
To add additional team members to a space:
-
Navigate to the space to which you want to add a team member.
-
In the side navigation bar, select Settings.
-
Select the Members tab.
-
Select the INVITE MEMBER button.
-
Enter the email address and select a role for the team member.
-
Select ADD.
The team member receives an email invitation to join the space.
Resend or revoke an invitation
-
Navigate to the organization or space in which you want to resend or revoke an invitation.
-
In the side navigation bar, select Settings.
-
Select the Members tab.
-
If the space or organization has any pending invitations, a Pending Invitations section is shown.
-
To resend an invitation, select the circular arrow icon beside the invitation's status.
-
To revoke an invitation, select the delete icon beside the invitation's status.
-
Edit a team member's role
-
Navigate to the organization or space in which you want to edit a team member's access.
-
In the side navigation bar, select Settings.
-
Select the Members tab.
-
Select the team member you want to edit.
-
Select Add Roles to add new roles to the team member and then select Apply.
Delete a team member
-
Navigate to the organization or space from which you want to remove a team member's access.
-
In the side navigation bar, select Settings.
-
Select the Members tab.
-
Select the team member you want to remove.
-
Select Remove Member and then confirm the removal.
Overview
Control team member permissions, SSO integration, and non-human user access for your Mondoo organizations and spaces.
Manage Access with OIDC Groups
Automatically assign users to Mondoo teams based on identity provider group membership using OIDC group claims. An alternative to SCIM that requires no provisioning infrastructure.