Roles and permissions

What Admin, Service Manager, and Engineer roles can do in the admin app.

Admin User Roles & Permissions

Maintella’s admin side supports three roles: Admin, Service Manager, and Engineer.
This page explains what each role can do, where permissions differ, and how common user-management actions work.

πŸ’‘ Use case: A service manager should be able to invite an engineer and update workflows, but should not be able to configure integrations or grant Admin access.


πŸ“– Roles at a Glance

Admin

Admins can manage everything in the admin application, including sensitive account and integration configuration.

Service Manager

Service Managers handle day-to-day operations and team coordination:

  • Can edit workflows
  • Can invite users (Service Managers or Engineers)
  • Can view reports
  • Cannot manage integrations
  • Cannot invite or promote Admin users

Engineer

Engineers can run operations but are restricted from management and reporting features:

  • Can assign and manage work
  • Can view workflows
  • Can manage assets and operational URL flows
  • Cannot access user management
  • Cannot access reports
  • Cannot manage integrations

βœ… Permission Matrix

CapabilityAdminService ManagerEngineer
View Dashboardβœ…βœ…βœ…
View Workflowsβœ…βœ…βœ…
Create / Edit / Publish Workflowsβœ…βœ…βŒ
View / Edit Assetsβœ…βœ…βœ…
Create / Assign / Update Tasksβœ…βœ…βœ…
Manage Access URLs / short URL batches (generate, claim, CSV/PDF export)βœ…βœ…βœ…
View Reportsβœ…βœ…βŒ
Manage Integrationsβœ…βŒβŒ
Organization settings (e.g. form definitions)βœ…βŒβŒ
Access Users pageβœ…βœ…βŒ
Invite Usersβœ…βœ… (no Admin invites)❌
Change User Rolesβœ…βœ… (no Admin promotions)❌
Deactivate / Reactivate Usersβœ…βœ… (cannot target Admin users)❌

βš™οΈ User Management Rules

Inviting New Users

  • Admin can invite any role.
  • Service Manager can invite:
    • service_manager
    • engineer
  • Engineer cannot invite users.

If no role is provided during invitation, the system defaults the invited user to Engineer.

Editing Roles

  • Admins can change any non-self target user’s role.
  • Service Managers can change roles between Service Manager and Engineer.
  • Service Managers cannot promote anyone to Admin.

Deactivating Users

Deactivation is soft deactivation:

  • User stays in the database
  • Existing OAuth tokens are revoked
  • User is logged out and cannot authenticate while deactivated

Reactivation restores login access.

⚠️ Important: The system blocks changes that would leave an organization with no active Admin users.


πŸ” Guardrails & Safety Rules

To prevent accidental lockouts or privilege escalation, the platform enforces these rules:

  • A Service Manager cannot modify an Admin account.
  • A user-management action cannot target the acting user through admin user-management endpoints.
  • Role changes/deactivation are validated to preserve at least one active Admin in the organization.
  • Deactivated users are denied access even if they still have an old token.

πŸ“± UI Behavior by Role

The admin UI hides inaccessible features:

  • Engineers do not see Users and Reports navigation entries.
  • Users without permission are redirected away from restricted routes.
  • User-table actions (edit role, resend invite, deactivate/reactivate) only appear when permitted for the current actor and target user.

❓ Frequently Asked Questions

Can a Service Manager create another Service Manager?

Yes. Service Managers can invite Engineers and Service Managers, but never Admins.

Can an Engineer view the Users page in read-only mode?

No. Engineers are blocked from user management entirely.

Is deactivation the same as deletion?

No. Deactivation is reversible and preserves history/audit context. It revokes active sessions and blocks future login until reactivated.

What happens if someone tries to demote the last active Admin?

The change is rejected by validation. At least one active Admin must always remain in each organization.


Did this answer your question?

Last updated on May 6, 2026