Home Account & Settings User Roles & Permissions

User Roles & Permissions

Last updated on Apr 25, 2026

User Roles & Permissions

KyberAccess uses a role-based access control (RBAC) system to ensure each team member has the appropriate level of access. From front desk staff who only need to check in visitors, to administrators who manage system-wide settings, roles define what each user can see and do.

This guide covers the five built-in roles, how to assign and change roles, and how to manage your team.

Understanding the Five Roles

KyberAccess includes five predefined roles, each with increasing levels of access:

1. View Only

The most restricted role, designed for users who need to observe but not interact.

Can:

  • View the dashboard and analytics
  • View visitor logs (read-only)
  • View active visitors
  • View reports (but not export)

Cannot:

  • Check in or check out visitors
  • Create pre-registrations
  • Modify settings
  • Export data
  • Manage users

Best for: Executives who want visibility, compliance officers reviewing data, or external auditors with temporary access.

2. Front Desk

Designed for reception staff who handle day-to-day visitor check-ins.

Can:

  • Check in and check out visitors
  • Create pre-registrations
  • Print badges
  • View active visitors and today's visitor log
  • Initiate ID scanning and NDA signing
  • Send host notifications
  • Log deliveries and packages

Cannot:

  • View historical reports beyond today
  • Export data
  • Modify check-in flow or settings
  • Manage watchlists
  • Add or remove users
  • Access audit trail

Best for: Receptionists, security desk staff, lobby attendants.

3. Manager

For team leads and location managers who need broader access and some administrative capabilities.

Can:

  • Everything Front Desk can do
  • View and export reports (for assigned locations)
  • View analytics and trends
  • Manage pre-registrations
  • View audit trail (for assigned locations)
  • Manage delivery/package logs
  • Activate emergency lockdown and evacuation (for assigned locations)

Cannot:

  • Modify organization-wide settings
  • Manage users or roles
  • Configure integrations or API keys
  • Modify watchlists
  • Access other locations' data (unless assigned)

Best for: Office managers, security supervisors, location leads.

4. Admin

Full access to all features except account-level billing and ownership transfer.

Can:

  • Everything Manager can do, across all locations
  • Manage all settings (check-in flow, branding, notifications, etc.)
  • Add, edit, and remove users
  • Assign and change roles
  • Manage watchlists and BOLO alerts
  • Configure integrations and API keys
  • View and export audit trail
  • Set up scheduled reports
  • Manage NDA/waiver templates

Cannot:

  • Transfer account ownership
  • Modify billing/subscription
  • Delete the account

Best for: IT administrators, security directors, operations managers.

5. Owner

The highest-level role with unrestricted access to everything.

Can:

  • Everything Admin can do
  • Manage billing and subscription
  • Transfer account ownership
  • Delete the account
  • Access all locations without restriction

Best for: Company owner, primary stakeholder, IT director.

Note: There can be multiple Owners on an account, but at least one Owner must always exist.

Role Permissions Matrix

Permission View Only Front Desk Manager Admin Owner
View dashboard Yes Yes Yes Yes Yes
Check in/out visitors No Yes Yes Yes Yes
Create pre-registrations No Yes Yes Yes Yes
Print badges No Yes Yes Yes Yes
View today's log Yes Yes Yes Yes Yes
View historical reports No No Yes Yes Yes
Export reports No No Yes Yes Yes
View analytics Yes No Yes Yes Yes
Manage settings No No No Yes Yes
Manage users No No No Yes Yes
Manage watchlists No No No Yes Yes
View audit trail No No Assigned locations Yes Yes
Configure API/integrations No No No Yes Yes
Emergency lockdown No No Assigned locations Yes Yes
Manage billing No No No No Yes
Transfer ownership No No No No Yes

Inviting Team Members

Sending an Invitation

  1. Navigate to Settings → Team from the left sidebar.
  2. Click + Invite Team Member.
  3. Enter the invitee's details:
    • Email Address — The email they'll use to log in
    • First Name and Last Name
    • Role — Select from Owner, Admin, Manager, Front Desk, or View Only
    • Location(s) — Assign one or more locations (relevant for Manager and Front Desk roles)
  4. Click Send Invitation.
  5. The invitee receives an email with a link to set up their password and log in.

Pending Invitations

  • Pending invitations appear in the Pending tab of the Team page.
  • Invitations expire after 7 days.
  • Click Resend to send the invitation again.
  • Click Revoke to cancel a pending invitation.

Changing a User's Role

  1. Go to Settings → Team.
  2. Find the user in the Active list.
  3. Click the pencil icon next to their name.
  4. Select a new role from the Role dropdown.
  5. If downgrading from Admin to Manager, assign specific locations.
  6. Click Save Changes.

Warning: Changing a user's role takes effect immediately. The user's permissions update on their next page load or action.

Managing Location Assignments

For Manager and Front Desk roles, location assignments determine which locations they can access:

  1. Go to Settings → Team.
  2. Click the pencil icon next to the user.
  3. In the Locations section, check or uncheck locations.
  4. Click Save Changes.

Users assigned to multiple locations can switch between them using the location selector in the top navigation bar.

Deactivating and Removing Users

Deactivating a User

  1. Go to Settings → Team.
  2. Click the toggle next to the user to deactivate their account.
  3. Deactivated users cannot log in but their data (audit trail entries, etc.) is preserved.
  4. Toggle the account back on to reactivate.

Removing a User

  1. Click the trash icon next to the user.
  2. Confirm the removal.
  3. The user loses all access immediately.
  4. Their historical activity in the audit trail is preserved but attributed to "[Removed User]".

Tip: Deactivate rather than remove users who may need access again in the future (e.g., seasonal staff).

Security Best Practices for Role Management

Principle of Least Privilege

Assign each user the minimum role needed for their job:

  • Reception staff → Front Desk
  • Department heads who occasionally review reports → View Only
  • IT staff managing the system → Admin
  • Building managers overseeing one location → Manager

Regular Access Reviews

  1. Go to Settings → Team.
  2. Review the user list quarterly.
  3. Check for:
    • Users who have left the organization (deactivate immediately)
    • Users with higher roles than they need (downgrade)
    • Inactive users who haven't logged in for 90+ days (consider deactivating)
  4. The Last Login column shows when each user last accessed the system.

Two-Factor Authentication

Enforce 2FA for users with elevated roles:

  1. Go to Settings → Security → Two-Factor Authentication.
  2. Toggle Require 2FA for Admins and Owners to On.
  3. Optionally, require 2FA for all users.
  4. Users must set up 2FA on their next login.

SSO and Directory Sync

Enterprise plans support Single Sign-On and directory synchronization:

SAML SSO

  1. Go to Settings → Security → SSO.
  2. Click Configure SAML.
  3. Enter your Identity Provider (IdP) details:
    • SSO URL
    • Entity ID
    • Certificate
  4. Map IdP groups to KyberAccess roles.
  5. Click Save & Test.

Google Workspace / Microsoft 365 Sync

  1. Go to Settings → Integrations → Directory Sync.
  2. Connect your Google Workspace or Microsoft 365 account.
  3. Map organizational units/groups to KyberAccess roles and locations.
  4. Enable Auto-Provisioning to automatically create and remove user accounts based on directory changes.

Troubleshooting

Issue Solution
User can't see certain features Check their role and location assignments. They may need a higher role or additional location access.
Invitation email not received Check spam folders. Verify the email address. Click Resend from the Pending tab.
Can't change a user's role Only Owners and Admins can change roles. You cannot downgrade your own role.
User sees "Access Denied" They may be trying to access a location they're not assigned to. Update their location assignments.
Deactivated user still showing data Deactivation preserves historical data. The user simply can't log in. This is by design for audit compliance.

Best Practices

  • Start with the least permissive role and upgrade only when needed.
  • Use location assignments to scope Manager and Front Desk access to only relevant facilities.
  • Require 2FA for all Admin and Owner accounts — these accounts have the most access and are the highest-value targets.
  • Review access quarterly — deactivate accounts that are no longer needed.
  • Document role assignments — maintain a record of who has what role and why, for compliance purposes.