Ultra Hub uses Role-Based Access Control (RBAC) to manage what users can do within your organization. Every user is assigned a role that determines their permissions across the Ultra Hub. Roles follow a strict hierarchy: Owner > Admin > Member > Viewer > Beacon. Higher roles inherit all permissions of lower roles.

Roles

Owner

Full organization control including billing, settings, and member management. The user who creates an organization is automatically assigned the Owner role. Owner is the only role that can delete the organization.
  • Full access to all organization, team, workspace, and gateway operations
  • Can manage members (invite, remove, change roles)
  • Can delete the organization
  • Can manage all teams and workspaces
  • Only Owners can promote other users to Owner

Admin

Can manage teams, workspaces, and members. Admins are your organization’s day-to-day managers who handle team structure and user onboarding.
  • Can view and update organization settings (cannot delete the org)
  • Can manage members: invite users, change roles (up to Admin), remove members
  • Can create, update, and delete teams and workspaces
  • Can manage gateways (create, link, unlink, archive, delete)
  • Can view the Admin Log
  • Can configure guardrails

Member

Can view and work within assigned teams and workspaces. Members are your standard users who interact with Ultra’s security features daily.
  • Read access to organization, team, and workspace information
  • Can create, register, and link owned gateways to workspaces
  • Can sync gateway data and send heartbeats
  • Cannot manage other users or modify org/team/workspace settings
  • Cannot view privileged materials (e.g., Admin Log)

Viewer

Read-only access to assigned teams and workspaces. Viewers can observe MCP traffic and security data but cannot make changes.
  • Read-only access to organization, team, and workspace information
  • Can link their own gateways
  • Cannot create or manage gateways
  • Cannot manage users or modify any settings
  • Cannot view privileged materials (e.g., Admin Log)

Beacon

Device-only role for gateways linked via ultra link. Beacon users have zero dashboard access and exist solely for gateway sync operations.
  • Can link and sync gateway data (traces, heartbeat) only
  • No dashboard access
  • No ability to read organization, team, or workspace data

Permissions Matrix

Capability | Owner | Admin | Member | Viewer | Beacon
View organization settings
Update organization settings
Delete organization
Create teams
Update/delete teams
Create workspaces
Update/delete workspaces
Invite members
Manage member roles
Remove members
Create gateways
Link own gateway
Unlink/archive gateways
Delete gateways
Sync gateway data
View dashboard & traffic
View Admin Log
Configure guardrails
View guardrails

Scope Hierarchy

Permissions are enforced at three entity levels, and roles cascade downward:
  • Organization level: Controls org-wide settings, member management, and billing.
  • Team level: Controls team membership and workspace management within a team.
  • Workspace level: Controls gateway registration, linking, and MCP traffic visibility.

A user’s role at the organization level automatically applies to all teams and workspaces within that organization. For example, an Org Admin has Admin permissions across all teams and workspaces without needing separate role assignments at each level.

Managing Roles

Via Hub Web UI

Navigate to your organization’s Members page in the Ultra Hub. Owners and Admins can change a member’s role using the role dropdown next to each member. Role changes take effect immediately.

Important constraints:
  • Only Owners can assign or remove the Owner role
  • Admins can assign roles up to Admin (not Owner)
  • You cannot change your own role
  • The last Owner of an organization cannot be demoted or removed
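
The constraints above, modeled as a single authorization check. This is an added example, not Ultra Hub's own code; the function name, the `members` mapping, and the user ids are assumptions made for illustration.

```python
from enum import IntEnum


class Role(IntEnum):
    # Ordered per the documented hierarchy: Owner > Admin > Member > Viewer > Beacon.
    BEACON = 0
    VIEWER = 1
    MEMBER = 2
    ADMIN = 3
    OWNER = 4


def check_role_change(members, actor, target, new_role):
    """Return (allowed, reason). `members` maps user id -> Role (assumed shape)."""
    if actor not in members or target not in members:
        return False, "actor and target must both be members of the organization"
    actor_role, old_role = members[actor], members[target]
    if actor_role < Role.ADMIN:
        return False, "only Owners and Admins can change roles"
    # Invariant on the resulting state: at least one Owner must remain.
    after = dict(members)
    after[target] = new_role
    if Role.OWNER not in after.values():
        return False, "the last Owner cannot be demoted"
    if actor == target:
        return False, "you cannot change your own role"
    if Role.OWNER in (old_role, new_role) and actor_role != Role.OWNER:
        return False, "only Owners can assign or remove the Owner role"
    return True, "ok"


# Constructed sample organization (user ids are made up for this example).
ORG = {"olivia": Role.OWNER, "adam": Role.ADMIN, "mia": Role.MEMBER, "vic": Role.VIEWER}

if __name__ == "__main__":
    attempts = [
        ("adam", "mia", Role.ADMIN),       # Admin promotes to Admin: allowed
        ("adam", "mia", Role.OWNER),       # Admin assigns Owner: denied
        ("adam", "olivia", Role.MEMBER),   # Admin demotes the only Owner: denied
        ("olivia", "olivia", Role.ADMIN),  # sole Owner demotes self: denied
        ("mia", "vic", Role.MEMBER),       # Member changes a role: denied
        ("olivia", "adam", Role.OWNER),    # Owner promotes to Owner: allowed
    ]
    for actor, target, role in attempts:
        print(actor, "->", target, role.name, check_role_change(ORG, actor, target, role))
```

Checking the last-Owner rule against the resulting member set, rather than against the path that led there, keeps the invariant intact even if another rule is later relaxed.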

Via Invitations

When inviting a new member, select the role they should receive. The invited user will be assigned that role upon accepting the invitation. Roles available for invitation depend on the inviter’s own role:
  • Owners can invite at any role level
  • Admins can invite at Admin level or below

Default Role Assignment

New users who join via invitation receive the role specified in the invitation. Users who create a new organization are automatically assigned the Owner role. For security, Ultra does not allow self-registration to an existing organization without an invitation. This prevents unauthorized users from gaining access.