Team access controls

Particle offers functionality to help you manage levels of access for your team members. This is helpful when overseeing a team of people who should have varying permissions with respect to Particle devices in your fleets.

This guide breaks down into two parts:

A summary of the available roles and a description of each
A permissions matrix for an in-depth look at what each role as access to

Team access controls was previously available to enterprise customers only but is now available to all products.

Roles

Roles represent a set of permissions that can be applied to a member of your product team.

You can view and set team-member-specific roles for each product on the Team page for the product in the Console:

A team member's role can also be set when inviting the user to your team.

The set of roles available to you are:

View-only: Read-only access to all information in the account, but cannot take any action.
Support: View access plus the ability to perform basic diagnostic and troubleshooting tasks.
Developer: Most create, view, update, and deletion abilities, without the ability to take major administrative actions.
Administrator: Full administrative access, including team management and irreversible destructive actions.

View-only

View-only is the most strict of the three product team member roles. It is designed specifically for people on your team that you'd only like to see information about your device fleet — but don't need to make updates.

Someone with the View-only role can:

List and inspect information about devices in the product
Observe a stream of events from devices in the product
View product configuration and settings

For team members who receive the View-only role, the actions they are not allowed to take will be disabled in the Console interface:

Disabled Access Controls
UI

Support

The Support role is best for the members of your team who specialize in providing customer service and "front line" support to deployed Particle devices in the field. The permissions associated with this role give these members of your team tools to interact with single devices, but limit access to fleet-wide management tools.

Someone with the Support role can:

Do everything a Read-only teammate can do +
Ping, call functions on, and read variables from individual devices
Use Diagnostics tools, like Device Vitals
Manage the lifecycle state and data limit of SIM cards

Developer

Developer is a role that is meant for the engineers on your team that are actively building and managing IoT projects with Particle. With this role, a person is granted both read & write access to Console and APIs, without the ability to take administrative actions. This includes team management and irreversible destructive actions.

Someone with the Developer role can:

Do everything a Support teammate can do +
Take fleet management actions — like adding a devices to groups or provision new devices into a Product
Create and manage OAuth clients on behalf of products
Create and manage Integrations
Upload and release product firmware to the fleet
Add/remove devices and SIM cards to and from the product

Administrator

The Owner of the product represents the highest level of access. There is one single owner for each product. The Owner role is automatically given to the creator of the product.

Someone with the Administrator role can:

Do everything a Developer teammate can do +
Manage the product team and teammates' roles
Edit product configuration and settings

There is also a special type of Administrator, reserved for the person acting as the account owner. This will appear as Administrator (Owner) in the Console. There will only be a single Owner assigned (multiple team members cannot have this role simultaneously).

Manage billing information related to the product

The Owner's role cannot be changed. The Owner also cannot be removed from the product team.

Permissions matrix

Product permissions

Action	Administrator (Owner)	Administrator	Developer	Support	View-only
Team
View Product team	✓	✓	✓	✓	✓
Manage Product team	✓	✓
Create Product API users	✓	✓
Fleet Health
View fleet health	✓	✓	✓	✓	✓
Devices
View device	✓	✓	✓	✓	✓
Subscribe to device events	✓	✓	✓	✓	✓
View Device Vitals	✓	✓	✓	✓	✓
Refresh Device Vitals	✓	✓	✓	✓
View Fleet Health	✓	✓	✓	✓	✓
Check device variables	✓	✓	✓	✓
Call device functions	✓	✓	✓	✓
Ping device	✓	✓	✓	✓
Add devices to Product	✓	✓	✓
Edit device info	✓	✓	✓
Flash firmware to devices	✓	✓	✓
Remove/unclaim devices	✓	✓	✓
Create device group	✓	✓	✓
Edit/delete device group	✓	✓	✓
Publish event	✓	✓	✓
SIM cards
View SIM card	✓	✓	✓	✓	✓
Update SIM lifecycle state	✓	✓	✓	✓
Change SIM data limit	✓	✓	✓	✓
Add new SIMs to Product	✓	✓	✓
Remove SIMs from Product	✓	✓	✓
Firmware
View Product firmware	✓	✓	✓	✓	✓
Upload firmware version	✓	✓	✓
Release firmware	✓	✓	✓
Edit firmware info	✓	✓	✓
Integrations
View Integrations	✓	✓	✓	✓	✓
Create new Integration	✓	✓	✓
Edit/delete Integration	✓	✓	✓
OAuth clients
View OAuth clients	✓	✓	✓	✓	✓
Create OAuth client	✓	✓	✓
Edit/delete OAuth client	✓	✓	✓
Customers
View Customers	✓	✓	✓	✓	✓
Create Customers	✓	✓	✓
Edit/delete Customers	✓	✓	✓
Settings
View Product settings	✓	✓	✓	✓	✓
Edit Product settings	✓	✓
Billing & Usage
View Billing & Usage	✓	✓

Organization permissions

Action	Administrator (Owner)	Administrator	Developer	Support	View-only
Team
View org team	✓	✓	✓	✓	✓
Manage org team	✓	✓
Create org API users	✓	✓
Owned Products
Create new Product	✓	✓	✓
Administrator role for all Products in org	✓	✓
Developer role for all Products in org			✓
Support role for all Products in org				✓
View-only role for all Products in org					✓