Overview
Petra provides flexible role-based access control to help you manage who can access what in your organization. You can assign different roles to members and configure granular permissions to control their access to tenants and actions.
Member Roles
Petra supports four member roles:
Admin
Admins have full access to all features and data in your organization. They can:
- View all tenants, including sensitive tenants
- Manage all members and their permissions
- Onboard and remove tenants
- Access all incidents and security data
- Perform all remediation actions
- Access billing and usage information
Full Member
Full Members have broad access to your organization’s tenants and data, but can be restricted by permissions. By default, full members can:
- View all non-sensitive tenants
- Manage tenants (if permitted)
- Access incidents and security data
- Perform remediation actions (unless read-only)
- Access billing and usage information
External Guest
External Guests are co-managed clients who have access only to the specific tenants you assign to them. They have no visibility into your organization itself—they cannot access organization-level pages such as the Marketing tab, Partner Portal, or tenant onboarding. External Guests are useful for:
- Giving clients direct visibility into their own tenant’s security data
- Providing co-managed clients a scoped portal experience without any exposure to your organization or other clients
Billing
Billing users have read-only access to billing and usage information. They cannot:
- View tenants or incidents
- Access security data
- Perform any actions in the portal
Permissions
In addition to roles, you can configure granular permissions for Full Members:
Can Manage Tenants
Allows the member to onboard, update, and manage tenants. This permission is:
- Default for Full Members: true (for backwards compatibility)
- Not applicable to Admins or Billing: Admins always have this ability; Billing users never do
Can View Sensitive Tenants
Grants access to tenants marked as sensitive (typically your MSP’s own tenant). This permission:
- Default: false
- Allows Full Members to see tenants that are normally hidden from them
- Admins always have access to sensitive tenants
Is Read Only
Restricts the member to viewing content only, with no ability to perform actions. Read-only members cannot:
- Perform remediation actions
- Update tenant settings
- Manage other members
- Export data (in some cases)

- Default: false
- Can be combined with other permissions
- Admins cannot be set to read-only
Configuring Roles and Permissions
You can configure roles and permissions when:
- Inviting a new member: Go to Settings → Access, click Invite, and select the role and permissions
- Updating an existing member: Go to Settings → Access, find the member, and click Edit to update their role and permissions
Permission Defaults
For backwards compatibility, some permissions have defaults for existing members:
- Can Manage Tenants: Defaults to true for Full Members (they could always manage tenants before)
- Can View Sensitive Tenants: Defaults to false (new permission)
- Is Read Only: Defaults to false (existing members are not read-only unless explicitly set)
Best Practices
- Use the Billing role for users who only need access to billing information
- Use External Guests for co-managed clients who need a scoped view of their own tenant
- Use Can View Sensitive Tenants sparingly—only grant this to trusted team members
- Set Is Read Only for members who should observe but not take action
Examples
Example 1: Client Access
Scenario: You want to give a co-managed client access to their tenant only, with read-only access.
- Role: External Guest
- Tenants: Assign only their tenant
- Is Read Only: true
Example 2: Technical Team Member
Scenario: A technical team member needs to manage tenants but should not see sensitive tenants.
- Role: Full Member
- Can Manage Tenants: true
- Can View Sensitive Tenants: false
- Is Read Only: false
Example 3: Billing Manager
Scenario: Your billing manager needs access to usage and billing information only.
- Role: Billing
- No permissions needed (role defines access)
Example 4: Senior Analyst
Scenario: A senior analyst needs full access except they should not manage tenants.
- Role: Full Member
- Can Manage Tenants: false
- Can View Sensitive Tenants: true
- Is Read Only: false
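The role and permission rules on this page, including the defaults for members whose flags were never set, can be modelled as a small evaluator and run over a member list during an access review. This is an added example, not Petra's code or API: the field names, role strings and tenant names are hypothetical, and it assumes that Is Read Only overrides Can Manage Tenants and that External Guests never manage tenants.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    name: str
    role: str  # "admin", "full_member", "external_guest" or "billing"
    can_manage_tenants: Optional[bool] = None   # None = never set explicitly
    can_view_sensitive: Optional[bool] = None
    is_read_only: Optional[bool] = None
    assigned_tenants: frozenset = frozenset()   # used for External Guests only

def effective(m):
    """Resolve role, flags and the documented defaults into effective access."""
    if m.role == "admin":    # flags ignored: Admins always have full access
        return {"tenants": "all", "sensitive": True, "manage": True, "act": True}
    if m.role == "billing":  # billing and usage only, no tenants or actions
        return {"tenants": "none", "sensitive": False, "manage": False, "act": False}
    read_only = bool(m.is_read_only)            # default: false
    if m.role == "external_guest":
        # Assumption: guests never manage tenants; they see assigned tenants only.
        return {"tenants": "assigned", "sensitive": False, "manage": False, "act": not read_only}
    if m.role != "full_member":
        raise ValueError(f"unknown role: {m.role}")  # fail closed on unexpected input
    manage = True if m.can_manage_tenants is None else m.can_manage_tenants  # default: true
    return {"tenants": "all", "sensitive": bool(m.can_view_sensitive),      # default: false
            "manage": manage and not read_only, "act": not read_only}  # assumption: read-only wins

def can_view(m, tenant, sensitive):
    """True if member m can see the named tenant (sensitive = tenant is marked sensitive)."""
    e = effective(m)
    if e["tenants"] == "assigned":
        return tenant in m.assigned_tenants
    return e["tenants"] == "all" and (e["sensitive"] or not sensitive)

def review(roster):
    """Flag Full Members whose effective access deserves a look in an access review."""
    full = [(m, effective(m)) for m in roster if m.role == "full_member"]
    return ([(m.name, "can view sensitive tenants") for m, e in full if e["sensitive"]] +
            [(m.name, "manages tenants by default, never set explicitly") for m, e in full
             if e["manage"] and m.can_manage_tenants is None])

ROSTER = [  # constructed sample: the page's four examples plus one legacy member
    Member("client", "external_guest", is_read_only=True, assigned_tenants=frozenset({"client-a"})),
    Member("tech", "full_member", True, False, False),     # manage, sensitive, read-only
    Member("billing-mgr", "billing"),
    Member("analyst", "full_member", False, True, False),
    Member("legacy", "full_member"),                       # no flags ever set
]
```

Calling `review(ROSTER)` lists the members to look at first: the analyst who can see sensitive tenants and the legacy member who manages tenants only because of the backwards-compatible default.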