# Difference between Admin, Member, and Guest roles?

Every user on an Oh Dear team has one of three roles: **Admin**, **Member**, or **Guest**. Here's the short version:

| Action | Admin | Member | Guest |
| --- | :---: | :---: | :---: |
| View monitors and check results | Yes | Yes | Yes |
| Generate API tokens | Yes | Yes | Yes |
| Add, edit, or delete monitors | Yes | Yes | No |
| Configure check settings and notifications | Yes | Yes | No |
| Create and edit status pages | Yes | Yes | No |
| Manage maintenance windows | Yes | Yes | No |
| Invite, promote, or remove team members | Yes | No | No |
| Manage billing, plan, and payment method | Yes | No | No |
| Manage team settings (SSO, 2FA enforcement) | Yes | No | No |
| Transfer team ownership (owner only) | Yes | No | No |

A bit more context on each role below.

## Admin

- Everything Members can do
- **Billing**: view invoices, update payment method, change plan, cancel subscription
- **Team management**: invite, promote, demote, or remove users
- **Team settings**: SSO, 2FA enforcement, notification defaults
- **Transfer ownership** (owner only)

Admins have full control of the team, including billing. Pick admins sparingly, especially for finance-sensitive actions.

## Member

- Add, edit, and delete monitors
- Configure check settings (including custom headers and credentials)
- Acknowledge, snooze, and adjust downtime incidents
- Manage maintenance windows
- Create and edit status pages
- Configure notification channels at the monitor or team level

Members have full operational control over monitoring but can't touch billing or team membership.

## Guest

- **View** monitors, check results, and uptime reports
- **Generate API tokens** bound to their account (those tokens inherit Guest permissions)
- Cannot create, edit, or delete monitors
- Cannot manage team or billing

Guest is the closest thing we have to a "read-only" role. It's the right role for:

- Stakeholders who want dashboards but shouldn't change configuration
- External observers (auditors, consultants)
- [API tokens that need read-only access](/docs/faq/can-i-create-read-only-api-keys)

## Limiting a member or guest to specific sites

Roles decide what someone can *do*. Access scoping decides what they can *see*. The two are separate, and you can combine them.

When you invite someone, or when you edit an existing team member, you don't have to give them the whole team. Click the **"Can access everything"** link (it shows as **Change** next to an existing member) and a modal lets you pick exactly which monitors and status pages they're allowed to view.

This is what makes Oh Dear work well for agencies. Invite each client as a **Guest** and limit them to just their own site. They get a read-only view of their own monitoring, on your existing team and plan, without seeing anyone else's monitors. No need to spin up a separate team per client. See [User management](/docs/features/user-management) for the full walkthrough.

## Who sees what notifications?

Notification channels are configured per-monitor or at the team level, independent of the role. Adding someone as a Member doesn't automatically subscribe them to all alerts. Configure their notification preferences explicitly after invitation.