Admins & Access
The Admins & Access page (Dashboard > Org > Admins & Access) is where organization owners manage the people who operate the organization console: inviting new org admins, assigning their roles, disabling accounts, and controlling exactly which tenants each admin can see and manage.
Org admins are separate from the admins inside each tenant. A tenant admin signs in to one customer environment; an org admin signs in to the organization console and works across the tenants your organization manages.
[SCREENSHOT PLACEHOLDER: The Admins & Access page showing the "Organization admins" list with several admins, their role and status badges, and the "Invite admin" button in the top right]
How it works
Every org admin has three things that together determine what they can do:
- A role — what kind of actions they can perform (see the role table below).
- A status — Active or Inactive. Inactive admins cannot sign in.
- A tenant access scope — which of your organization's tenants they can work with. By default an admin can access all tenants; you can narrow this to a specific set using the per-tenant access matrix.
Only organization owners can make changes on this page — inviting, editing, or disabling admins and changing tenant access are all owner-only actions, and this is enforced by the platform itself, not just hidden in the interface. Admins with other roles can view the page but see a read-only list.
Org roles
When you invite or edit an admin, you choose one of four roles:
| Role | What it allows |
|---|---|
| Org Owner | Full control of the organization and all its tenants, including managing admins, org policies, templates, and tenant lifecycle |
| Org Admin | Manage tenants, org policies, and org settings |
| Org Analyst | Read-only across the org, plus alert triage in tenants |
| Org Viewer | Read-only across the org |
Keep the number of Org Owners small. All organization-level changes — creating tenants, editing org policies, deploying policy templates, managing admins — require the Org Owner role.
Using the page
Invite an org admin
- Click Invite admin.
- In the Invite org admin dialog, enter the admin's Email and Display name, and pick a Role.
- Click Invite.
A Temporary password card appears after creation with the note: "Share this once with the new admin. They must change it on first login." Copy the password and deliver it to the new admin through a secure channel, then click Dismiss. The password is shown only once and the admin is forced to set their own password the first time they sign in.
[SCREENSHOT PLACEHOLDER: The "Invite org admin" dialog with Email, Display name, and Role fields, and the note that a one-time temporary password will be shown after creation]
Edit an admin
Click the pencil icon next to an admin to open the Edit org admin dialog. You can change the Display name, Role, and Status (Active or Inactive). The email address cannot be changed after creation.
Setting an admin to Inactive prevents them from signing in without removing their record — useful for temporary leave or pending offboarding.
Disable an admin
Disabling is the stronger action: it disables the account and revokes all of the admin's active sessions immediately. Because it is destructive, it requires two confirmation steps:
- Click the disable icon next to the admin. A Re-authenticate to disable prompt asks you to confirm your own password (if you sign in with SSO, you are re-verified through your SSO session instead).
- In the Disable org admin confirmation, type the admin's email address exactly to confirm, then click Disable.
The per-tenant access matrix
Click an admin's name in the list to open the Per-tenant access card for that admin. This is where you scope which tenants the admin can work with.
[SCREENSHOT PLACEHOLDER: The "Per-tenant access" card for a selected admin, showing the all-tenants default banner and the list of tenants with checkboxes and per-tenant role selectors]
There are two modes:
- All tenants (default) — an admin with no explicit grants can access every tenant in the organization. The card shows a banner: "All tenants (default — no explicit scope). Granting any tenant below switches this admin to a scoped set and revokes access to the rest." In this mode no individual tenant is checked.
- Scoped — the admin can access only the checked tenants. The card reads: "Scoped — this admin can access only the checked tenants below."
To scope an admin:
- Check the first tenant they should have access to. This switches the admin from "all tenants" to a scoped set — from that moment they can only reach checked tenants.
- Check any additional tenants they need.
- For each checked tenant, choose a role from the dropdown: Owner, Admin, Analyst, or Viewer. This is the admin's effective role on that tenant — it can differ from their org-level role, so you can, for example, give an Org Admin read-only Viewer access on a sensitive tenant. New grants default to the admin's own org-level role.
- Uncheck a tenant to revoke access to it.
Tenant scoping applies everywhere in the organization console: cross-tenant dashboards, the combined alerts view, tenant switching, and policy template deployments are all limited to the admin's accessible tenants.
Multi-factor authentication (MFA)
Admins who have MFA enabled show an MFA badge next to their status in the list. An org admin with MFA enabled is prompted for their verification code every time they sign in to the organization console, including after a forced password change.
Self-service MFA enrollment is not currently available from the organization console interface — there is no setup screen for org admins to enroll themselves yet. If you need MFA enabled for org-admin accounts today, contact your Surface Security representative.
[SCREENSHOT PLACEHOLDER: An admin row in the Organization admins list showing the role badge, "active" status badge, and the "MFA" badge]
Worked example: onboarding a regional analyst
Your organization manages eight tenants, three of which belong to customers in one region. You are hiring an analyst who should triage alerts for only those three.
- As an Org Owner, open Admins & Access and click Invite admin.
- Enter the analyst's email and name, choose the Org Analyst role, and click Invite. Securely share the one-time temporary password.
- Click the new admin's name to open Per-tenant access. Check the three regional tenants. Because the admin's org role is Org Analyst, each grant defaults to the Analyst role — leave it as is.
- The card now reads "Scoped", and the analyst can see alerts and dashboards for exactly those three tenants and nothing else.
When the analyst later takes on a fourth customer, any Org Owner checks one more tenant in the matrix — no role change needed.
Troubleshooting
An admin says they can't see a tenant they used to see. Check their per-tenant access. If someone granted them a single tenant, that first grant switched them from the all-tenants default to a scoped set, revoking everything not explicitly checked. Check the missing tenants to restore access.
The Invite admin button isn't visible. Only Org Owners can invite, edit, or disable admins. Ask an Org Owner to make the change or to upgrade your role.
I disabled the wrong admin. Open the Edit org admin dialog for that admin and set their Status back to Active. They will need to sign in again since their sessions were revoked.
Why do I have to type my password again to disable an admin? Disabling an account and revoking its sessions is a sensitive action, so the console requires a fresh identity confirmation even inside an active session. SSO users are re-verified through their SSO session instead of a password.
Related pages
- MSSP overview — how the organization console relates to tenants
- Tenant management — creating and managing the tenants that appear in the access matrix
- Policy management — org policies and policy templates, both of which are Org Owner-only actions