Role-Based Access
Configure role-based access control for technicians in OpsPilot365. Roles determine base permissions, while granular permissions allow fine-tuning per technician.
Platform Roles
Administrator
Full Access
Complete access to all platform features and all customers. Can manage other technicians, configure platform settings, and access billing.
- Manage platform settings and integrations
- Create and manage technicians and teams
- Access all customers regardless of assignment
- View audit logs and reports
- Manage billing and subscriptions
Manager
Elevated
Can manage team members and has elevated permissions for assigned customers. Ideal for team leads and service delivery managers.
- Manage team members they lead
- Full access to assigned customers
- Approve escalations and sensitive actions
- View team metrics and reports
- Cannot access platform-wide settings
Technician
Standard
Standard support technician with access limited to assigned customers. Can perform day-to-day support tasks within their scope.
- Access assigned customers only
- Create and manage tickets
- Perform approved M365 operations
- View customer data within permissions
- Sensitive actions require manager approval
Read Only
Limited
View-only access for auditors, trainees, or stakeholders who need visibility without the ability to make changes.
- View customer data (no modifications)
- View tickets (cannot create or modify)
- Access reports and dashboards
- Cannot perform any M365 operations
Granular Permissions
Beyond roles, configure specific permissions per technician:
| Category | Permissions |
|---|---|
| Identity | Create users, reset passwords, manage groups, assign licenses |
| Devices | View devices, remote actions, wipe devices, manage profiles |
| Security | View alerts, respond to incidents, manage policies |
| Exchange | Manage mailboxes, configure rules, message traces |
| Licensing | View licenses, purchase licenses, manage CSP orders |
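The sketch below is an added example, not OpsPilot365 code: it models how the role rules above and a technician's granular permissions could combine into one allow/deny decision. The permission strings, the set of "sensitive" actions, the customer names, and the rule that granular grants apply only to the Technician role are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical identifiers: the page names roles and permission categories,
# not the strings the platform uses for them.
VIEW_ACTIONS = {"devices.view", "security.view_alerts", "licensing.view"}
SENSITIVE = {"devices.wipe", "identity.reset_password"}  # assumed sensitive


@dataclass
class Technician:
    name: str
    role: str  # administrator | manager | technician | read_only
    customers: set = field(default_factory=set)  # assigned customer ids
    granted: set = field(default_factory=set)    # granular permissions


def decide(tech, action, customer, approved_by_manager=False):
    """Return (allowed, reason) for one action against one customer."""
    # 1. Customer scope: only administrators ignore assignment.
    if tech.role != "administrator" and customer not in tech.customers:
        return False, "customer not assigned"
    # 2. Administrator and Manager have full access inside that scope.
    if tech.role in ("administrator", "manager"):
        return True, "allowed"
    # 3. Read Only is a ceiling: a stray granular grant never adds write access.
    if tech.role == "read_only":
        if action in VIEW_ACTIONS:
            return True, "allowed"
        return False, "read-only role cannot modify"
    # 4. Technician: the granular permission must be present (assumed model).
    if action not in tech.granted:
        return False, "permission not granted"
    # 5. Sensitive actions additionally need manager approval.
    if action in SENSITIVE and not approved_by_manager:
        return False, "manager approval required"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample data.
    alice = Technician("alice", "technician", {"contoso"}, {"devices.wipe"})
    auditor = Technician("aud", "read_only", {"contoso"}, {"devices.wipe"})
    for who, cust in ((alice, "contoso"), (alice, "fabrikam"), (auditor, "contoso")):
        print(who.name, cust, decide(who, "devices.wipe", cust))
```

Checking customer scope before role or permission keeps a misconfigured grant from reaching an unassigned customer, and the read-only ceiling covers the case where a granular permission is left on an account that was later downgraded.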
Authentication
Microsoft SSO
Technicians sign in with their Microsoft 365 work account. Leverages existing MFA and Conditional Access policies from your MSP tenant.
Local Accounts
Create platform-specific accounts for contractors or users without M365. Requires setting up platform MFA separately.
MFA Requirement
Enforce MFA for all technicians regardless of authentication method. Supports authenticator apps and hardware tokens.
API Reference
PUT /api/technicians/:id/permissions — Update granular permissions