Skip to main content
FeaturesPricingFor TeamsEnterpriseDocs
Log in to your account

Card required to begin • Setup in 5 minutes

BeginnerAccount and Billing

Team Management

Invite team members, assign roles, configure permissions, and manage access in NimbusOS with owner, admin, member, and viewer roles.

8 min read
Updated April 23, 2026
1,700 words

Team Management is where you add people to your workspace, assign roles, and control who can do what. The role model has four levels with predictable boundaries. This article covers the role definitions, the invitation flow, the permission overrides, and the common patterns for agency teams with sub-client contributors.

The Four Roles

Every WorkspaceMember has a role from a fixed set.

Owner

Full access. Can change billing, delete the workspace, and change other members' roles. Only one owner can exist per workspace by default; you can promote to co-owner if needed.

Owners see everything. They can pause campaigns, delete contacts, rotate API keys, and approve every action the platform allows.

Admin

Full access except workspace-level destructive actions. Admins can manage team members, change most settings, and operate campaigns. They cannot delete the workspace or change ownership.

A typical team has 1 to 3 admins: the outbound operations lead, the sales manager, the deliverability operator.

Member

Operational access. Can create campaigns, manage contacts, view analytics, and edit their assigned sequences. Cannot invite team members, cannot change billing, cannot manage integrations, cannot view audit logs.

SDRs, copywriters, and operations staff usually sit at member level.

Viewer

Read-only access. Can see contacts, campaigns, and analytics but cannot edit or create. Useful for:

  • Client contacts who need visibility but not control
  • Executives who review dashboards without operational involvement
  • Outside auditors and consultants

Viewer seats are usually unlimited on most plans.

Inviting a Member

Go to Team Management and click Invite Member. Fill in:

  • Email. The person's email address. An invite email is sent.
  • Role. One of owner, admin, member, viewer.
  • Custom permissions. Optional overrides (see below).
  • Notification preferences. Default notifications for the new member. They can change these later.

The invited person receives an email with a one-click accept link. The link is single-use and expires after 7 days.

On accept, the new member sets a password (or signs in via SSO if configured), accepts the Terms of Service, and lands in the workspace dashboard.

Custom Permissions

On top of the four roles, custom per-user permissions fine-tune access.

Examples:

Admin who cannot change billing. Useful when you have multiple admins but want to centralize billing with one person.

Member with access to integrations. A member who needs to set up a Slack integration without full admin powers.

Viewer who can export contacts. Someone who needs to pull data but not modify it.

Custom permissions override the default role. The permissions editor shows each permission grouped by resource (contacts, campaigns, sequences, etc.) with checkboxes for read, write, delete, and specific actions.

Team Roster

The Team Management page shows every member with:

  • Name and email
  • Role
  • Status (active, pending invite, suspended)
  • Last login
  • Invited by

Filters and search help with larger teams.

Suspending and Removing Members

Suspend. The member cannot log in but their data (contacts they created, campaigns they own) remains intact. Useful for temporary leave or investigation.

Remove. Full removal. The member's access is revoked. Data they owned is reassigned to another member (usually the owner) during the removal flow.

Removing a member does not delete the content they created. Campaigns, contacts, and sequences are workspace-owned, not user-owned.

Agency Patterns

Agencies running outreach for multiple sub-clients usually have three tiers of team members.

Agency leadership

Owners and admins who manage everything. Usually 2 to 5 people. Access to all sub clients.

Per sub-client operators

Members scoped to specific sub clients through custom permissions. They can create campaigns, manage contacts, and run analytics for their assigned sub clients but cannot see others.

Scoping is done by attaching a client_id filter to the member's access. Resources tagged with other client_id values are invisible to them.

Sub-client viewers

Client contacts invited as viewers. They see only their own sub-client's data (enforced by client scoping) and cannot edit anything.

Role Change Flow

Changing a member's role is immediate. The Team Management page has a role dropdown per member; changing it takes effect on the next page load for that user.

Some changes require confirmation:

  • Promoting a member to admin or owner
  • Demoting an owner to admin (requires another owner to exist)
  • Bulk role changes across multiple members

All role changes write to the audit log.

Invitation Reminders

A pending invite sits in the team roster for 7 days before expiring. You can resend or extend from the invite detail.

Automated reminders fire at day 3 and day 6. If the invitee does not accept, the invite auto-expires on day 7 and is hidden from the default view.

SSO and Provisioning

For enterprise workspaces using SSO, team provisioning can be automatic via SCIM.

When a user is assigned to the NimbusOS SCIM group in your identity provider (Okta, Azure AD), the user is automatically created as a member. Removing them from the group suspends their access.

SCIM supports:

  • Just-in-time user creation
  • Role assignment via group mapping
  • Automatic suspension on IdP removal
  • Profile attribute sync (display name, email)

Configuration is in Security -> SSO. SCIM requires an enterprise tier.

Activity and Accountability

Every action in the platform attributes to the user who took it. Audit logs, contact change history, and campaign launch logs all carry the user ID.

This matters for accountability. When a campaign auto-paused because of a deliverability event, the audit log shows who resumed it and when. When a contact was manually tagged, the tag history shows which user added the tag.

For agencies, the client-facing reports hide user attribution by default. Clients see the campaigns and metrics, not who on the agency team managed them.

Notification Routing

Team members can be set as default recipients for specific alert types.

  • Deliverability alerts. Usually the deliverability operator (admin with custom permissions).
  • Positive reply notifications. The account owner for the account where the reply came in.
  • Billing alerts. The finance contact (often admin or owner).
  • System notifications. Workspace-wide broadcast or a designated ops role.

Routing configuration is in Account Settings -> Notifications.

Cross-Workspace Access

A single email can be a member of many workspaces. When the user logs in, they pick a workspace from the switcher.

For agencies running multiple NimbusOS instances (rare, most run one with sub clients), the same email works across all instances without a separate invite.

Troubleshooting

"Invited member did not receive the email"

Check spam. The invite email is sent from invitations@getnimbusos.com. Also verify the email was typed correctly; a common mistake is misspelling the domain.

"Member accepted but cannot log in"

Check status in team roster. Sometimes an invite is accepted but the password setup was interrupted. Resend the invite with "password reset" flag.

"Admin cannot change a setting they should be able to change"

Custom permissions may have overridden the default role. Check the member's permission detail. Reset to role defaults if the overrides are wrong.

"Role change not taking effect"

Browser cache of the target user. They should log out and back in, or force-refresh the app.

Frequently Asked Questions

Is there a seat limit per plan?

Yes. See Plans and Pricing. Typical plan tiers:

  • Starter: 3 users
  • Professional: 10 users
  • Business: 50 users
  • Enterprise: unlimited

Viewers are usually unlimited regardless of plan.

Can I create custom roles beyond the four defaults?

Not directly. The four-role model plus custom permissions covers almost every use case. True custom roles (with a named role like "Deliverability Operator" that acts as a first-class entity) are an enterprise request.

Does suspending a member pause their in-flight work?

Campaigns the member owns continue running. The member cannot modify them while suspended. If the campaigns need attention (for example, a reply needs a response), another member must cover.

How does agency client scoping work when a client has multiple users?

Each user on the sub-client side is a separate viewer (or, if allowed, member) with their own login. Scoping applies per user, not per client. Two users from the same sub client see the same data.

What to Read Next

Useful next pages after this one: Account Settings for workspace-level configuration, Plans and Pricing for seat counts and billing, and Usage and Limits for seat limits in context.

Related articles

Account and Billing

Account Settings

Manage profile, workspace, security, SSO, white label, and compliance settings in NimbusOS, with per-role permission boundaries.

Account and Billing

Plans and Pricing

NimbusOS pricing, the 14-day card-required free trial, and how to manage your subscription through the Stripe Customer Portal.

Account and Billing

Usage and Limits

Understand NimbusOS usage quotas for contacts, sends, enrichments, API calls, and seats; monitor consumption and handle overages before they impact campaigns.

Analytics and Reporting

A/B Testing

Test subject lines, openers, CTAs, and send timing in NimbusOS with multi-variant traffic allocation, automated winner selection, and statistical confidence gating.

Still stuck?

Our team answers every support ticket. If the answer is not in the docs, open a ticket and we will write the missing page.

Contact supportBook a demo