# Users and Roles
PowerWAF allows you to invite team members to collaborate on managing your protected websites. Each team member is assigned a role that determines what actions they can perform within your account.
## Overview
When you create a PowerWAF account, you automatically become the Owner of that organization. As the owner, you can invite other users to join your team and assign them specific roles based on their responsibilities.
This role-based access control ensures that:
- Sensitive operations are restricted to authorized users
- Team members have the permissions they need to do their job
- Your security configuration remains protected from accidental changes
## Available Roles
PowerWAF offers four distinct roles, each with different levels of access:
| Role | Description |
|---|---|
| Owner | Full control over the account, including team management. |
| Admin | Can perform all operations except ownership transfer. |
| Editor | Can view and modify existing resources, but cannot create or delete. |
| Read-only | Can only view resources. No modifications allowed. |
## Permission Matrix
The following table shows what each role can do:
| Action | Owner | Admin | Editor | Read-only |
|---|---|---|---|---|
| View sites and configurations | ✓ | ✓ | ✓ | ✓ |
| View SSL certificates | ✓ | ✓ | ✓ | ✓ |
| View WAF rules | ✓ | ✓ | ✓ | ✓ |
| View DNS records | ✓ | ✓ | ✓ | ✓ |
| View statistics and logs | ✓ | ✓ | ✓ | ✓ |
| Modify site settings | ✓ | ✓ | ✓ | ✗ |
| Modify WAF rules | ✓ | ✓ | ✓ | ✗ |
| Modify DNS records | ✓ | ✓ | ✓ | ✗ |
| Assign SSL certificates | ✓ | ✓ | ✓ | ✗ |
| Configure HTTP redirection | ✓ | ✓ | ✓ | ✗ |
| Modify access control zones | ✓ | ✓ | ✓ | ✗ |
| Create new sites | ✓ | ✓ | ✗ | ✗ |
| Delete sites | ✓ | ✓ | ✗ | ✗ |
| Add SSL certificates | ✓ | ✓ | ✗ | ✗ |
| Delete SSL certificates | ✓ | ✓ | ✗ | ✗ |
| Add domains | ✓ | ✓ | ✗ | ✗ |
| Create access control zones | ✓ | ✓ | ✗ | ✗ |
| Delete access control zones | ✓ | ✓ | ✗ | ✗ |
| Invite team members | ✓ | ✗ | ✗ | ✗ |
| Remove team members | ✓ | ✗ | ✗ | ✗ |
| Change member roles | ✓ | ✗ | ✗ | ✗ |
| Promote to owner | ✓ | ✗ | ✗ | ✗ |
| Manage billing and payments | ✓ | ✗ | ✗ | ✗ |
| Delete account | ✓ | ✗ | ✗ | ✗ |
## Role Details
### Owner
The account's creator is its first Owner. The Owner role has complete control over all aspects of the organization.
Key characteristics:
- There can be multiple owners per organization
- Can promote other members to owner role
- Can remove other team members, including other owners
- Has access to billing and subscription management
- Can delete the entire account
Be careful when promoting users to the Owner role: they gain full control over the account, including the ability to remove other owners.
### Admin
Admins have nearly full control and can manage all resources.
Admins can:
- Create, modify, and delete all protected sites
- Manage SSL certificates
- Configure WAF rules and security settings
- Add and manage domains
- Create and delete access control zones
Admins cannot:
- Manage team members (invite, remove, or change roles)
- Manage billing and payments
- Promote users to owner
- Delete the account
Assign the Admin role to trusted team members who need full control over the technical infrastructure without access to team management.
### Editor
Editors can modify existing resources but cannot create or delete them.
Editors can:
- Modify site configurations (target IP, protocol, port)
- Update WAF rules and monitor mode settings
- Edit DNS records
- Assign or change SSL certificates on existing sites
- Configure HTTP redirections
- Modify access control zone settings
Editors cannot:
- Create new sites or domains
- Delete sites, certificates, or domains
- Manage team members or invitations
- Create or delete access control zones
The Editor role is ideal for developers or operations staff who need to maintain existing configurations without the ability to add or remove resources.
### Read-only
Read-only users can view all resources but cannot make any changes.
Read-only users can:
- View all protected sites and their configurations
- View SSL certificates and their details
- View WAF rules and their current state
- View DNS records
- View statistics and security logs
- View access control configurations
Read-only users cannot:
- Modify any resource or configuration
- Create or delete any resource
- Manage team members
The Read-only role is perfect for auditors, managers, or team members who need visibility into the security configuration without the ability to make changes.
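As an added example (not PowerWAF's own code), the following Python module encodes the Permission Matrix and the Role Details above as data and exposes one deny-by-default check. The action names, the `Role` values and the function names are assumptions made for this example; the grants themselves follow the page: Read-only views, Editor adds modify, Admin adds create/delete, Owner adds team and account management.

```python
"""Added example, not PowerWAF's own code: the role model from the Permission
Matrix and Role Details sections expressed as data, with one deny-by-default
authorization check. Action names, Role values and function names are
assumptions made for this example; the grants themselves follow the page."""
from enum import Enum


class Role(str, Enum):
    READ_ONLY = "read-only"
    EDITOR = "editor"
    ADMIN = "admin"
    OWNER = "owner"


# The four groups of actions the page describes, lowest privilege first.
VIEW_ACTIONS = frozenset({
    "view_sites", "view_ssl_certificates", "view_waf_rules",
    "view_dns_records", "view_statistics_and_logs",
})
MODIFY_ACTIONS = frozenset({
    "modify_site_settings", "modify_waf_rules", "modify_dns_records",
    "assign_ssl_certificate", "configure_http_redirection",
    "modify_access_control_zone",
})
CREATE_DELETE_ACTIONS = frozenset({
    "create_site", "delete_site", "add_ssl_certificate",
    "delete_ssl_certificate", "add_domain",
    "create_access_control_zone", "delete_access_control_zone",
})
TEAM_AND_ACCOUNT_ACTIONS = frozenset({
    "invite_member", "remove_member", "change_member_role",
    "promote_to_owner", "manage_billing", "delete_account",
})
ALL_ACTIONS = (VIEW_ACTIONS | MODIFY_ACTIONS
               | CREATE_DELETE_ACTIONS | TEAM_AND_ACCOUNT_ACTIONS)

# Roles are strictly nested: each role holds everything the role below it
# holds plus one more group (Read-only -> Editor -> Admin -> Owner).
ROLE_GRANTS = {
    Role.READ_ONLY: VIEW_ACTIONS,
    Role.EDITOR: VIEW_ACTIONS | MODIFY_ACTIONS,
    Role.ADMIN: VIEW_ACTIONS | MODIFY_ACTIONS | CREATE_DELETE_ACTIONS,
    Role.OWNER: ALL_ACTIONS,
}


def is_allowed(role, action):
    """Return True only if `role` is a known role that holds `action`.

    Unknown actions raise, so a typo in a caller fails loudly instead of
    silently denying; unknown roles are simply denied.
    """
    if action not in ALL_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    try:
        role = Role(role)
    except ValueError:
        return False
    return action in ROLE_GRANTS[role]


def roles_are_nested():
    """Check the invariant the page relies on: each role's grants are a
    superset of the next-lower role's grants."""
    ordered = [Role.READ_ONLY, Role.EDITOR, Role.ADMIN, Role.OWNER]
    return all(ROLE_GRANTS[lo] <= ROLE_GRANTS[hi]
               for lo, hi in zip(ordered, ordered[1:]))


def permission_matrix():
    """Rebuild the page's matrix from ROLE_GRANTS: one row per action with a
    yes/no cell for Owner, Admin, Editor and Read-only, in that order."""
    columns = [Role.OWNER, Role.ADMIN, Role.EDITOR, Role.READ_ONLY]
    return [(action, *("yes" if is_allowed(r, action) else "no" for r in columns))
            for action in sorted(ALL_ACTIONS)]


if __name__ == "__main__":
    for row in permission_matrix():
        print("{:<28} {:>5} {:>5} {:>6} {:>9}".format(*row))
```

Keeping the grants as sets rather than an if/else chain makes the nesting property checkable (`roles_are_nested()`) and lets the documentation table be generated from the same source the check uses, so the two cannot drift apart.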
## Managing Your Team
### Inviting Team Members
To invite a new team member:
1. Go to Settings → Team
2. Click Invite Member
3. Enter the email address of the person you want to invite
4. Select the role you want to assign
5. Click Send Invitation
The invited user will receive an email with a link to join your organization. Once they accept the invitation, they will have access based on their assigned role.
### Changing Roles
Only the Owner can change the role of team members:
1. Go to Settings → Team
2. Find the team member you want to modify
3. Click the role dropdown next to their name
4. Select the new role
5. Confirm the change
Role changes take effect immediately. The user will see their new permissions on their next action.
### Removing Team Members
To remove a team member:
1. Go to Settings → Team
2. Find the team member you want to remove
3. Click the Remove button
4. Confirm the removal
Removing a team member is immediate and cannot be undone. You can always invite them again if needed.
## Notifications and Announcements
All team members, regardless of their role, receive notifications and announcements. This includes:
- System notifications: Important updates about your protected sites
- Security alerts: Notifications about detected threats or anomalies
- Service announcements: Platform updates, maintenance windows, and new features
Each user can:
- View their own notifications
- Mark notifications as read or unread
- Dismiss announcements
Notifications are personal to each user. Marking a notification as read does not affect other team members.
## Best Practices
### Principle of Least Privilege
Assign users the minimum role necessary for their job:
- Use Read-only for users who only need to monitor
- Use Editor for users who maintain configurations
- Reserve Admin for users who need to manage resources and team
- Keep Owner access limited to account administrators
### Regular Access Reviews
Periodically review your team members and their roles:
- Remove users who no longer need access
- Downgrade roles when elevated access is no longer needed
- Ensure critical operations have proper oversight
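As an added example (not PowerWAF's own code), this Python script runs the least-privilege and access-review practices above over a team roster, and also checks the FAQ recommendation of having at least two owners. The roster layout, the `needed_role` field, the `last_active` date and the 90-day inactivity threshold are assumptions made for this example; the page describes no such export, and the sample roster is constructed.

```python
"""Added example, not PowerWAF's own code: a periodic access review over a
team roster, applying the Best Practices above (least privilege, remove
stale users) and the FAQ's advice to keep at least two owners. The roster
layout, the `needed_role` field and the 90-day inactivity threshold are
assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, timedelta

# Privilege order of the four PowerWAF roles, lowest first.
ROLE_RANK = {"read-only": 0, "editor": 1, "admin": 2, "owner": 3}


@dataclass(frozen=True)
class Member:
    email: str
    role: str          # role currently assigned under Settings -> Team
    needed_role: str   # role the person's duties require (assumed input from the team lead)
    last_active: date  # last time the person acted in the account (assumed to be known)


def review_team(members, today, inactive_after_days=90):
    """Return (subject, recommendation) findings; an empty list means no action is needed."""
    findings = []

    # FAQ: a single owner is an availability risk for the whole account.
    owners = [m for m in members if m.role == "owner"]
    if len(owners) < 2:
        findings.append(("organization",
                         "fewer than two owners: promote a second owner so the account stays recoverable"))

    for m in members:
        if m.role not in ROLE_RANK or m.needed_role not in ROLE_RANK:
            raise ValueError(f"unknown role for {m.email}")
        # "Remove users who no longer need access": inactivity is the proxy used here.
        if today - m.last_active > timedelta(days=inactive_after_days):
            findings.append((m.email,
                             f"inactive for more than {inactive_after_days} days: remove from the team"))
        # "Downgrade roles when elevated access is no longer needed".
        if ROLE_RANK[m.role] > ROLE_RANK[m.needed_role]:
            findings.append((m.email,
                             f"role '{m.role}' exceeds required '{m.needed_role}': downgrade"))
    return findings


# Constructed sample roster and review date (not real accounts).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_TEAM = [
    Member("alice@example.com", "owner", "owner", date(2024, 5, 30)),
    Member("bob@example.com", "admin", "editor", date(2024, 5, 28)),
    Member("carol@example.com", "editor", "editor", date(2024, 1, 15)),
    Member("dave@example.com", "read-only", "read-only", date(2024, 5, 31)),
]

if __name__ == "__main__":
    for subject, advice in review_team(SAMPLE_TEAM, REVIEW_DATE):
        print(f"{subject}: {advice}")
```

Run against the sample roster it reports three findings: only one owner exists, bob holds Admin while his duties need Editor, and carol has been inactive for well over 90 days. The findings are data rather than printed text so they can feed a ticketing system or be compared between reviews.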
### Secure Invitation Practices
When inviting new members:
- Verify the email address belongs to the intended person
- Start with a lower role and upgrade if necessary
- Communicate the access granted to new team members
## Frequently Asked Questions
### Can I have multiple owners?
Yes, you can have multiple owners in an organization. All owners have the same level of access and can manage the team and account settings.
### What happens if an owner leaves the company?
If there are other owners in the organization, they can remove the departing owner from the team.
If the last owner leaves, the company should retain access to the owner's email address to recover the account password through the standard password recovery process. For security reasons, PowerWAF support cannot grant owner access to other users.
We recommend having at least two owners in your organization to avoid access issues if one owner becomes unavailable.
### Can a read-only user see sensitive data?
Read-only users can view configurations and logs but cannot see sensitive data like SSL private keys. Certificate details shown are limited to public information (domains, expiration, issuer).
### Will changing a user's role log them out?
No, role changes take effect on the user's next action. They do not need to log out and back in.
### Can I create custom roles?
Currently, PowerWAF offers four predefined roles. Custom roles are not available at this time.