# 16. Team & Account Management

FullSession is built for teams. This chapter covers how your account is organized, how to invite and manage users, how roles and permissions control who can do what, and how to manage your own profile. The permission keys referenced throughout this manual (like `dashboards:edit` or `alerts:create`) all come from the system described here.

Most of these settings live under **Settings**, grouped into **Account Management** (profile, users, access control, audit log, SSO, subscription) and the data/integration settings covered in other chapters.

<div align="left"><figure><img src="/files/KnL2UhnfAoaBGKyi1fBF" alt="FullSession Settings sidebar showing Account Management sections for profile, users, roles, audit log, SSO, and subscription." width="215"><figcaption></figcaption></figure></div>

***

### 16.1 How Your Account Is Organized

FullSession's hierarchy has a few levels:

| Level                  | What it is                                                                                                                                    |
| ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Account (Customer)** | Your organization — the top-level account, with one billing relationship                                                                      |
| **Site**               | A web property you track ([Chapter 3](/3.-installing-the-tracker.md)); an account can have many sites                                         |
| **Team / Users**       | The people in your account, who belong to one or more sites                                                                                   |
| **Roles**              | What each user is allowed to do — assignable **per site**                                                                                     |

<figure><img src="/files/GbijHcQg6XtlxnCcPzqZ" alt="FullSession account hierarchy showing one account with multiple sites and users assigned different roles across sites."><figcaption></figcaption></figure>

#### Roles are per-site

A crucial detail: **roles are assigned per site**. The same person can be an **admin** on one site and a **viewer** on another within the same account. This lets larger organizations give teams full control of their own properties while keeping access to others read-only.

***

### 16.2 Inviting & Managing Users

Users are managed under **Settings → Users** (requires the **view members** permission).

<figure><img src="/files/prQKbjJA6g7zoZPRFYla" alt="FullSession Users page showing members with assigned roles and an option to invite new members."><figcaption></figcaption></figure>

#### Inviting a member

1. Click **Invite New Member**.
2. Enter the teammate's **email**.
3. Assign one or more **roles** (you can invite several people at once).
4. Send.

The invitee receives an email to join. Until they accept, they appear in the list as **Pending Invite**. You can **cancel** a pending invitation at any time.

<figure><img src="/files/W84PM51JKU9hP4DTatrw" alt="FullSession invite dialog showing email entry, role assignment, and pending invites marked until accepted."><figcaption></figcaption></figure>

#### What the users list shows

Each row shows the member's **name** (or *Pending Invite*), **email**, their **assigned roles** (with a tooltip of all role names), and when they were added.

> **Note** — the users table does not display a "last login" column. Login activity is captured behind the scenes, but it isn't surfaced per-user in this list.

#### Changing roles and removing users

* **Assign/change roles** — use the per-user role selector to add or remove roles (this respects the per-site model). Requires the **assign roles** permission.
* **Remove a user** — **Delete user** for an active member, or **Cancel invite** for a pending one. Requires the **remove members** permission.

#### Built-in protections

| Protection                                                | Why                                        |
| --------------------------------------------------------- | ------------------------------------------ |
| The **Owner** can't be removed or have their role changed | The account always has an owner            |
| You **can't change your own role**                        | Prevents accidentally locking yourself out |

Permissions used on this page: **view members**, **invite members**, **remove members**, **assign roles**.

***

### 16.3 Roles & Permissions (RBAC)

FullSession controls access through **roles** made up of granular **permissions**. There are built-in roles and, on plans that include it, fully **custom roles**.

<figure><img src="/files/iATy6n3bvsapgaeUmoLt" alt="FullSession Access Control page showing built-in and custom roles with permission counts and assigned member totals."><figcaption></figcaption></figure>

#### Built-in roles

| Role               | Access                                                                    |
| ------------------ | ------------------------------------------------------------------------- |
| **Owner**          | The account owner — full control; this role can't be edited or reassigned |
| **Admin**          | Full access across features                                               |
| **(Basic member)** | Limited access                                                            |

Built-in system roles are **read-only** — you can assign them but not change their permissions.

#### Custom roles (RBAC)

On plans with role-based access control, you can create **custom roles** with exactly the permissions you choose — for example a "QA" role that can view sessions and use dev tools but can't manage billing or invite people. Custom roles are managed under **Settings → Access Control** (requires the **view roles** permission).

#### The permission catalog

Permissions are grouped by area. The major groups:

| Area                 | Permissions (view / create / edit / delete unless noted)                                                                                                                                  |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Sessions**         | View, comment, use dev tools, pin                                                                                                                                                         |
| **Dashboards**       | View, create, edit, delete; create/edit/delete charts; edit layout                                                                                                                        |
| **Heatmaps**         | View, create, edit, delete                                                                                                                                                                |
| **Segments**         | View, create, edit, delete                                                                                                                                                                |
| **Funnels**          | View, create, edit, delete; view conversion analysis                                                                                                                                      |
| **Feedback**         | View; manage/create/edit/delete widgets; view/delete responses; view response analysis                                                                                                    |
| **Alerts**           | View, create, edit, delete                                                                                                                                                                |
| **Element tracking** | Watch rules (view/create/edit/delete); labels (view/create/edit/delete)                                                                                                                   |
| **Privacy rules**    | Element & page rules (view/create/edit/delete); manage IP, session length, frustration, geolocation rules                                                                                 |
| **Data**             | Custom attributes (view/delete); site pages (view/create/edit/delete); excluded users (view/create/edit/delete)                                                                           |
| **Account**          | Members (view/invite/remove); roles/RBAC (view/create/edit/delete/assign); audit log (view); SSO (view/create/edit/delete); subscription (view/manage); domains (view/create/edit/delete) |
| **Developer**        | API tokens (view/create/delete); integrations (view/create/delete)                                                                                                                        |

> Throughout this manual, when a feature says *"requires the … permission,"* it's referring to one of these.

#### How permissions are enforced

Permissions control what you see and can do — buttons, menu items, and whole pages appear only if your role grants the matching permission, and access is enforced **per site**. (Security is ultimately enforced on the server, not just hidden in the UI.)
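
The per-site, deny-by-default check described above can be modelled in a few lines, including the domain-limited roles of section 16.4 and the protections listed in section 16.2. This is an added example, not FullSession's code: the `Role` and `Member` classes, the role and site names, and the `sessions:view` and `roles:assign` keys are assumptions that follow the `dashboards:edit` pattern.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    sites: Optional[frozenset] = None  # None = "All sites"; a set = "Limited"

@dataclass
class Member:
    email: str
    is_owner: bool = False
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # site -> role names

def effective_permissions(member, site, roles):
    """Union of the permissions granted by roles held on this one site."""
    perms = set()
    for role_name in member.assignments.get(site, ()):
        role = roles.get(role_name)
        # Skip deleted roles and domain-limited roles that do not cover this site.
        if role is None or (role.sites is not None and site not in role.sites):
            continue
        perms |= role.permissions
    return perms

def can(member, site, permission, roles):
    """Server-side decision: deny unless a role on this site grants it."""
    if member.is_owner:
        return True  # Owner has full control
    return permission in effective_permissions(member, site, roles)

def assign_role(actor, target, site, role_name, roles):
    """Add a role on one site, enforcing the protections from section 16.2."""
    if not can(actor, site, "roles:assign", roles):  # assumed key name
        raise PermissionError("actor lacks roles:assign on " + site)
    if target.is_owner:
        raise PermissionError("the Owner's role cannot be changed")
    if actor.email == target.email:
        raise PermissionError("you cannot change your own role")
    role = roles[role_name]
    if role.sites is not None and site not in role.sites:
        raise ValueError(role_name + " is not available on " + site)
    target.assignments.setdefault(site, set()).add(role_name)

# Constructed sample data (role names, sites and members are hypothetical).
ROLES = {
    "admin": Role("admin", frozenset({"dashboards:edit", "alerts:create",
                                      "sessions:view", "roles:assign"})),
    "viewer": Role("viewer", frozenset({"sessions:view"})),
    "qa-shop": Role("qa-shop", frozenset({"sessions:view", "alerts:create"}),
                    sites=frozenset({"shop.example"})),
}

def demo():
    dana = Member("dana@example.com", assignments={
        "shop.example": {"admin"}, "blog.example": {"viewer"}})
    sam = Member("sam@example.com")
    assign_role(dana, sam, "shop.example", "qa-shop", ROLES)
    return {
        "dana edits shop dashboards": can(dana, "shop.example", "dashboards:edit", ROLES),
        "dana edits blog dashboards": can(dana, "blog.example", "dashboards:edit", ROLES),
        "sam creates shop alerts": can(sam, "shop.example", "alerts:create", ROLES),
    }
```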

***

### 16.4 Creating a Custom Role

If your plan includes RBAC, you can build a role from scratch under **Settings → Access Control → Create role** (requires the **create roles** permission).

<figure><img src="/files/eUA7vGhGpXZC7PahzBnt" alt="FullSession Create Role screen showing role name, description, domain access, and a permission tree with toggle controls."><figcaption></figcaption></figure>

#### The role form

1. **Name** *(required)* — e.g. *"QA Reviewer."*
2. **Description** *(optional)* — what the role is for.
3. **Domain access** — choose **All sites** or **Limited**:
   * **All** — the role applies across every site.
   * **Limited** — restrict the role to specific sites (a *domain-limited* role).
4. **Permissions** — toggle the permissions on, using the **permission tree** (permissions are grouped hierarchically by area, as in section 16.3).
5. Save.

<figure><img src="/files/T8D131I651sVAxH7WJLo" alt="FullSession permission tree showing toggles to grant specific access grouped by feature area."><figcaption></figcaption></figure>

#### Editing and deleting roles

From the Access Control list you can **edit** or **delete** custom roles (built-in system roles can't be changed). The list also shows how many **members** hold each role, so you can see a role's reach before changing it. These actions require the **edit roles** / **delete roles** permissions.

> **Tip** — design roles around responsibilities, not individuals: a *"Support"* role (view + comment on sessions, view feedback) or an *"Analyst"* role (dashboards, segments, funnels) is easier to maintain than per-person tweaks.

***

### 16.5 Your Profile

Every user manages their own details under **Settings → Profile** (no special permission needed — it's your own account).

<figure><img src="/files/tQTwKA1U7qx4Iy3biUEd" alt="FullSession Profile page showing name, avatar, specialization, and sections for Security, Account Ownership, and Danger Zone."><figcaption></figcaption></figure>

<figure><img src="/files/6FsOLnQXl0mgWqIFmMik" alt="FullSession Profile page showing name, avatar, specialization, and sections for Security, Account Ownership, and Danger Zone."><figcaption></figcaption></figure>

#### What you can edit

| Field                 | Notes                                                                                                                                             |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| **First / last name** | Your display name                                                                                                                                 |
| **Avatar**            | Upload and crop a profile image                                                                                                                   |
| **Specialization**    | Your area(s) — e.g. Data & Analytics, Marketing, Development, Product Management, Customer Support, Account Management, Digital Agency, UX Design |
| **Organization name** | Shown for reference (read-only)                                                                                                                   |

#### Security

In the **Security** section you can **change your password** — available for password-based accounts. If you sign in via **SSO/SAML** ([Chapter 18 — SSO](/18.-single-sign-on-sso.md)), password management happens with your identity provider, so the in-app change-password option doesn't apply.

#### Account ownership & deletion

The account owner has two additional controls in their profile:

* **Account Ownership** — transfer ownership to another user.
* **Danger Zone** — permanently delete the account and all associated data.

> **What's not in profile settings** — there is **no two-factor authentication (2FA), no theme/dark-mode toggle, no language preference, and no self-service email change** in account settings. (To change a member's email, an admin updates it.)

***

### 16.6 Audit Log

On plans that include RBAC, the **audit log** records administrative changes — who did what, and when. It's found under **Settings → Audit Log** and requires the **view audit log** permission (admins/owner).

<figure><img src="/files/Ptd6VMNDoj2WY90XW17b" alt="FullSession Audit Log showing a searchable and filterable record of administrative actions across the account."><figcaption></figcaption></figure>

#### What's recorded

Each entry captures:

| Field             | Detail                                                                         |
| ----------------- | ------------------------------------------------------------------------------ |
| **User**          | Who performed the action (name, email, avatar)                                 |
| **Action**        | What was done (e.g. creating or editing a role, inviting or removing a member) |
| **Site / domain** | Where it applied                                                               |
| **Timestamp**     | When it happened                                                               |

The log focuses on **account and access changes** — role creation/edits, role assignments, and member invites/removals.

#### Working with the log

* **Search** by user name or action.
* **Filter** by **email address** (specific users) or **domain** (specific sites).
* **Sort** by time and page through the history.

> **Audit log ≠ personal login history.** The audit log tracks administrative actions across the account; it isn't a per-user "where am I signed in" or login-history view (which FullSession doesn't provide).

***

### 16.7 The Settings Map

Because the manual references many settings pages, here's a consolidated map of where things live and the permission each needs.

<figure><img src="/files/Fg7FSprSPU5Gjjr2YwqO" alt="FullSession Settings map showing all panels grouped by category with the permissions that control access to each one."><figcaption></figcaption></figure>

| Category            | Page                   | Gated by               | Covered in                                                                                                |
| ------------------- | ---------------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- |
| **Account**         | Profile                | — (your own)           | This chapter                                                                                              |
|                     | Users                  | view members           | This chapter                                                                                              |
|                     | Access Control (roles) | view roles             | This chapter                                                                                              |
|                     | Audit Log              | view audit log         | This chapter                                                                                              |
|                     | SSO                    | view SSO               | [Chapter 18](/18.-single-sign-on-sso.md)                                                                  |
|                     | Subscription           | view subscription      | [Chapter 17](/17.-billing-and-subscriptions.md)                                                           |
| **Data Capture**    | Setup / Installation   | —                      | [Chapter 3](/3.-installing-the-tracker.md)                                                                |
|                     | Privacy Rules          | privacy-rules view     | [Chapters 7](/7.-recording-rules-and-element-tracking.md) & [21](/21.-privacy-security-and-compliance.md) |
|                     | API Tokens             | view API tokens        | Chapter 20                                                                                                |
|                     | Excluded Users         | view excluded users    | [Chapters 4](/4.-identifying-users.md) & [21](/21.-privacy-security-and-compliance.md)                    |
| **Data Management** | Custom Attributes      | view custom attributes | [Chapter 4](/4.-identifying-users.md)                                                                     |
|                     | Site Pages             | view site pages        | [Chapter 7](/7.-recording-rules-and-element-tracking.md)                                                  |
|                     | Element Tracking       | watch rules + labels   | [Chapter 7](/7.-recording-rules-and-element-tracking.md)                                                  |
| **Integration**     | Integrations           | view integrations      | Chapter 19                                                                                                |
| **Site**            | Manage Domains         | view domains           | [Chapter 3](/3.-installing-the-tracker.md)                                                                |

> **The big picture** — your account is a **Customer** containing **Sites** and **Users**, with **roles assigned per site**. Built-in **Owner** and **Admin** roles cover the basics; **custom RBAC roles** (on supporting plans) let you grant any subset of the \~99 permissions, optionally limited to specific sites. You manage members under **Users**, your own details under **Profile** (including ownership transfer and account deletion), and review administrative changes in the **Audit Log**. There's no 2FA, theme, or language setting, and login history isn't surfaced.

***

> **Next up:** [Chapter 17 — Billing & Subscriptions](/17.-billing-and-subscriptions.md) covers plans, member-seat limits, and the subscription controls referenced throughout this chapter.

