Roles and permissions
What Admin, Service Manager, and Engineer roles can do in the admin app.
Admin User Roles & Permissions
Maintellaβs admin side supports three roles: Admin, Service Manager, and Engineer.
This page explains what each role can do, where permissions differ, and how common user-management actions work.
π‘ Use case: A service manager should be able to invite an engineer and update workflows, but should not be able to configure integrations or grant Admin access.
π Roles at a Glance
Admin
Admins can manage everything in the admin application, including sensitive account and integration configuration.
Service Manager
Service Managers handle day-to-day operations and team coordination:
- Can edit workflows
- Can invite users (Service Managers or Engineers)
- Can view reports
- Cannot manage integrations
- Cannot invite or promote Admin users
Engineer
Engineers can run operations but are restricted from management and reporting features:
- Can assign and manage work
- Can view workflows
- Can manage assets and operational URL flows
- Cannot access user management
- Cannot access reports
- Cannot manage integrations
β Permission Matrix
| Capability | Admin | Service Manager | Engineer |
|---|---|---|---|
| View Dashboard | β | β | β |
| View Workflows | β | β | β |
| Create / Edit / Publish Workflows | β | β | β |
| View / Edit Assets | β | β | β |
| Create / Assign / Update Tasks | β | β | β |
| Manage Access URLs / short URL batches (generate, claim, CSV/PDF export) | β | β | β |
| View Reports | β | β | β |
| Manage Integrations | β | β | β |
| Organization settings (e.g. form definitions) | β | β | β |
| Access Users page | β | β | β |
| Invite Users | β | β (no Admin invites) | β |
| Change User Roles | β | β (no Admin promotions) | β |
| Deactivate / Reactivate Users | β | β (cannot target Admin users) | β |
βοΈ User Management Rules
Inviting New Users
- Admin can invite any role.
- Service Manager can invite:
service_managerengineer
- Engineer cannot invite users.
If no role is provided during invitation, the system defaults the invited user to Engineer.
Editing Roles
- Admins can change any non-self target userβs role.
- Service Managers can change roles between Service Manager and Engineer.
- Service Managers cannot promote anyone to Admin.
Deactivating Users
Deactivation is soft deactivation:
- User stays in the database
- Existing OAuth tokens are revoked
- User is logged out and cannot authenticate while deactivated
Reactivation restores login access.
β οΈ Important: The system blocks changes that would leave an organization with no active Admin users.
π Guardrails & Safety Rules
To prevent accidental lockouts or privilege escalation, the platform enforces these rules:
- A Service Manager cannot modify an Admin account.
- A user-management action cannot target the acting user through admin user-management endpoints.
- Role changes/deactivation are validated to preserve at least one active Admin in the organization.
- Deactivated users are denied access even if they still have an old token.
π± UI Behavior by Role
The admin UI hides inaccessible features:
- Engineers do not see Users and Reports navigation entries.
- Users without permission are redirected away from restricted routes.
- User-table actions (edit role, resend invite, deactivate/reactivate) only appear when permitted for the current actor and target user.
β Frequently Asked Questions
Can a Service Manager create another Service Manager?
Yes. Service Managers can invite Engineers and Service Managers, but never Admins.
Can an Engineer view the Users page in read-only mode?
No. Engineers are blocked from user management entirely.
Is deactivation the same as deletion?
No. Deactivation is reversible and preserves history/audit context. It revokes active sessions and blocks future login until reactivated.
What happens if someone tries to demote the last active Admin?
The change is rejected by validation. At least one active Admin must always remain in each organization.
Did this answer your question?
Last updated on May 6, 2026