Contentstack uses role-based access control (RBAC) to govern who can manage your organization and what they can do. Administration roles are organization-level roles that control organization-wide capabilities, such as managing users, roles, teams, security configuration, and audit logs.
Administration roles are separate from product roles. An Administration role governs the organization itself, while a product role governs access within a specific product, such as the CMS, Assets, or AgentOS. Every invited user receives at least one Administration role, and that role determines the level of organization-wide control they hold.
Contentstack provides four default Administration roles: Admin, Security Manager, Product Analytics Viewer, and Member.
Note: The Administration Member role is distinct from product-specific Member roles, such as the Assets Member role. The Administration Member role controls organization access, while a product Member role controls access within that product.
The table below compares the four Administration roles across key organization-level capabilities:
| Capability | Admin | Security Manager | Product Analytics Viewer | Member |
|---|---|---|---|---|
| Organization users | Manage | View | — | — |
| Roles | Manage | View | — | — |
| Teams | Manage | View | — | — |
| Single Sign-On (SSO) | — | Manage | — | — |
| SCIM provisioning | Manage | Manage | — | — |
| Security configuration | Manage | Manage | — | — |
| Webhooks configuration | Manage | Manage | — | — |
| Organization analytics | View | — | View | — |
| Audit logs | View | View | — | — |
| Stacks | View | View | — | — |
| Organization information | View | View | View | View |

A user's effective access is determined by the combination of their Administration role and the product roles assigned to them. The Administration role sets organization-wide capabilities, and product roles scope what the user can do inside each product they are assigned to.
For example, a user with the Member Administration role and the CMS Content Manager product role can work with content in their assigned stacks but cannot manage organization users or settings. A user with the Admin Administration role can manage the organization regardless of their product roles.
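
The following access-review sketch is an added example, not Contentstack code or a Contentstack API. It transcribes the comparison table above (with `-` for no access), picks the least-privileged single Administration role for a required capability set, and lists who can manage sensitive capabilities in a constructed roster. Function names are hypothetical, product roles are not modeled, and combining several Administration roles by taking the highest level per capability is an assumption.

```python
# Added example: matrix transcribed from the comparison table on this page.
LEVEL = {"-": 0, "View": 1, "Manage": 2}
ROLES = ["Admin", "Security Manager", "Product Analytics Viewer", "Member"]
MATRIX_TEXT = """\
Organization users|Manage|View|-|-
Roles|Manage|View|-|-
Teams|Manage|View|-|-
Single Sign-On (SSO)|-|Manage|-|-
SCIM provisioning|Manage|Manage|-|-
Security configuration|Manage|Manage|-|-
Webhooks configuration|Manage|Manage|-|-
Organization analytics|View|-|View|-
Audit logs|View|View|-|-
Stacks|View|View|-|-
Organization information|View|View|View|View
"""

def load_matrix(text=MATRIX_TEXT):
    """Return {role: {capability: level}} where level is 0 (none), 1 (View), 2 (Manage)."""
    matrix = {r: {} for r in ROLES}
    for line in text.strip().splitlines():
        cap, *cells = [c.strip() for c in line.split("|")]
        for role, cell in zip(ROLES, cells):
            matrix[role][cap] = LEVEL[cell]
    return matrix

def effective(roles, matrix):
    """Assumption: several Administration roles combine as the highest level per capability."""
    caps = next(iter(matrix.values())).keys()
    return {c: max(matrix[r][c] for r in roles) for c in caps}

def least_privilege_role(required, matrix):
    """Single role covering `required` ({capability: 'View'|'Manage'}) with the least total access."""
    fits = [r for r in ROLES
            if all(matrix[r][c] >= LEVEL[lvl] for c, lvl in required.items())]
    return min(fits, key=lambda r: sum(matrix[r].values()), default=None)

def review(roster, sensitive, matrix):
    """Sorted (user, capability) pairs where the user can Manage a sensitive capability."""
    return sorted((u, c) for u, roles in roster.items()
                  for c in sensitive if effective(roles, matrix)[c] == 2)

# Constructed roster for illustration only.
ROSTER = {"alice": ["Admin"], "bob": ["Security Manager"],
          "carol": ["Member", "Product Analytics Viewer"],
          "dave": ["Admin", "Security Manager"]}
```

A `None` result from `least_privilege_role` means no single default role covers the request, which is the case for managing both SSO and organization users.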