Roles & Permissions
Conto uses role-based access control (RBAC) to manage what each team member can do within an organization.
Roles
| Role | Description |
|---|---|
| Owner | Full access. Can manage billing, settings, encryption keys, and all resources. One per organization. |
| Admin | Can manage agents, wallets, policies, API keys, and team members. Cannot change billing or encryption. |
| Manager | Can create and update agents, manage counterparties, approve transactions, and manage alerts. Cannot create wallets or policies. |
| Viewer | Read-only access to agents, wallets, policies, transactions, counterparties, alerts, and analytics. |
| Member | Limited access. Can view assigned resources but cannot modify anything. |
Permission Matrix
| Permission | Owner | Admin | Manager | Viewer | Member |
|---|---|---|---|---|---|
| Agents | |||||
| View agents | Yes | Yes | Yes | Yes | — |
| Create agents | Yes | Yes | Yes | — | — |
| Update agents | Yes | Yes | Yes | — | — |
| Delete agents | Yes | Yes | — | — | — |
| Suspend/freeze agents | Yes | Yes | Yes | — | — |
| Wallets | |||||
| View wallets | Yes | Yes | Yes | Yes | — |
| Create wallets | Yes | Yes | — | — | — |
| Fund wallets | Yes | Yes | — | — | — |
| Withdraw from wallets | Yes | — | — | — | — |
| Policies | |||||
| View policies | Yes | Yes | Yes | Yes | — |
| Create/edit policies | Yes | Yes | — | — | — |
| Transactions | |||||
| View transactions | Yes | Yes | Yes | Yes | — |
| Execute transactions | Yes | Yes | Yes | — | — |
| Approve transactions | Yes | Yes | — | — | — |
| Counterparties | |||||
| View counterparties | Yes | Yes | Yes | Yes | — |
| Manage counterparties | Yes | Yes | Yes | — | — |
| Alerts | |||||
| View alerts | Yes | Yes | Yes | Yes | — |
| Acknowledge/resolve | Yes | Yes | Yes | — | — |
| Analytics | |||||
| View analytics | Yes | Yes | Yes | Yes | — |
| Export data | Yes | Yes | — | — | — |
| Settings | |||||
| View settings | Yes | Yes | — | — | — |
| Modify settings | Yes | — | — | — | — |
| Team | |||||
| View members | Yes | Yes | Yes | Yes | — |
| Invite/remove members | Yes | Yes | — | — | — |
| API Keys | |||||
| View API keys | Yes | Yes | — | — | — |
| Create/revoke API keys | Yes | — | — | — | — |
Managing Members
Invite a Member
Go to Settings > Team > Invite Member. Enter the email and select a role.
Change a Role
Only users with a higher role in the hierarchy can change another member’s role. An Admin can change a Manager’s role but not another Admin’s. Role hierarchy (highest to lowest): Owner > Admin > Manager > Viewer > Member.
API Key Scopes
Organization API keys use scopes that map to these permissions. When creating a key, you can select a preset or pick individual scopes:

| Preset | Scopes included |
|---|---|
| Read Only | *:read scopes only |
| Standard | Read + write for agents, wallets, policies, transactions, counterparties |
| Admin | All scopes (Owner-only) |
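
The Permission Matrix and the role-change rule under Managing Members, sketched as a deny-by-default authorization check. This is an added example, not Conto's code: the `Role` enum, the `MIN_ROLE` table and both function names are hypothetical, and the rule that an actor may only assign roles below their own is an assumption the page does not state.

```python
from enum import IntEnum


class Role(IntEnum):
    # Hierarchy from the page, lowest to highest.
    MEMBER = 0
    VIEWER = 1
    MANAGER = 2
    ADMIN = 3
    OWNER = 4


# Every matrix row grants its permission to all roles at or above one level,
# so each row reduces to a minimum role. Keys are row labels copied from the
# Permission Matrix (a subset covering the most sensitive rows).
MIN_ROLE = {
    "View wallets": Role.VIEWER,
    "Create wallets": Role.ADMIN,
    "Fund wallets": Role.ADMIN,
    "Withdraw from wallets": Role.OWNER,
    "Execute transactions": Role.MANAGER,
    "Approve transactions": Role.ADMIN,
    "Invite/remove members": Role.ADMIN,
    "View API keys": Role.ADMIN,
    "Create/revoke API keys": Role.OWNER,
    "Modify settings": Role.OWNER,
}


def is_allowed(role: Role, permission: str) -> bool:
    """Deny by default: a permission missing from the table is refused."""
    required = MIN_ROLE.get(permission)
    return required is not None and role >= required


def can_change_role(actor: Role, target: Role, new_role: Role) -> bool:
    """Role-change rule from the page, plus one labelled assumption."""
    # From the page: the actor must rank strictly above the target's role.
    if actor <= target:
        return False
    # Assumption (not stated on the page): an actor may only assign roles
    # below their own, so nobody can promote a member to their own level.
    return new_role < actor


if __name__ == "__main__":
    print(is_allowed(Role.ADMIN, "Withdraw from wallets"))
    print(can_change_role(Role.ADMIN, Role.MANAGER, Role.VIEWER))
    print(can_change_role(Role.ADMIN, Role.ADMIN, Role.MANAGER))
```

Running the same assertions against a real authorization layer is a quick way to confirm it matches the documented matrix, especially for the Owner-only rows.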