OneSignal allows you to manage user access either at the Organization level (all apps) or at the App level (specific apps). Each user can be assigned a role based on their needs and responsibilities.
For example:
- An analyst who needs to review messaging performance across apps could be an Organization Viewer.
- A developer or marketer working on one app can be assigned as an App Admin.
- A content writer who builds messages but should not send them could be an Organization Composer.
- A finance team member who only needs billing access could be an Organization Finance role.
- A contractor who only needs access to a single app can start as an Organization Team Member with an app-level role layered on.
Managing team access
You can grant access at either the Organization level (all apps) or App level (specific apps).
Invite a team member to an Organization
Organization Admins can invite users and assign them roles that apply to all apps in the Organization.
Navigate to your Organization
Go to Organizations > [Your Organization] > Team Members.
Invite a team member
Click Invite to Organization.
Assign a role
Choose a role: Admin, Finance, Operations, Editor, Composer, Viewer, or Team Member.
The invited user receives an email to accept the invitation. Once accepted, they appear in the Team Members list with the assigned role.
Invite a team member to an App
App-level roles let you grant additional permissions on a specific App beyond what the user’s Organization role provides.
App-level roles can only add permissions on top of the user’s Organization role — they cannot restrict or reduce access. For example, an Organization Viewer can be elevated to an App Editor on a specific App, but an Organization Editor cannot be downgraded to an App Viewer. See valid app-level role assignments for the full mapping. Navigate to your App
Go to your App’s Settings > Team Members.
Invite a team member
Click Invite to App.
Assign a role
Choose a role for that app: Admin, Operations, Editor, Composer, or Viewer.
Valid App-level role assignments
When you assign an App-level role, it must be equal to or more permissive than the user’s Organization role. Both the client and server enforce these rules.
| Org Role | Valid App Roles |
|---|
admin | None (already has full access) |
editor | admin only |
composer | editor, admin |
viewer | composer, editor, admin |
team_member | viewer, composer, editor, admin |
Update or remove user access
Navigate to Team Members
Go to the Team Members page for the Organization or App.
Open the options menu
Click the Options menu (⋮) next to the user’s email address.
Update or remove
Select Update Role or Remove.
Roles and permissions
Organization roles take priority over App roles. If a user is an Organization Admin, they automatically have all App Admin privileges across every App in the Organization. No additional App-level role assignment is needed.
Role types
OneSignal offers the following roles at the Organization level:
| Role | Best for | Access summary |
|---|
| Admin | Developers, Owners | Full control over all org settings, billing, and messaging. Automatically includes all App Admin privileges across every app in the org |
| Finance | Finance teams | View org settings, apps, members, and billing. Edit billing. No app-level permissions |
| Operations | Ops teams | View access across all apps plus manage suppressions and sender identities |
| Editor | Marketers, PMs | Full messaging workflow: create segments, build and send messages, manage webhooks and imports. Cannot modify underlying user or subscription records, or change app settings |
| Composer | Content writers, Designers | Create and edit messages, templates, segments, and journeys. Cannot send, activate, or delete most content. No export access |
| Viewer | Analysts, Read-only users | View-only access across all apps. Cannot edit, send, or export |
| Team Member | Minimal access users | Can view the org and its apps list. No app-level permissions on its own. Access is layered on through app-level role assignments |
| Role | Best for | Access summary |
|---|
| Admin | App owners, Lead developers | Full control over the app including settings, keys, integrations, and team management |
| Operations | Ops teams | View access across app features plus manage suppressions and sender identities |
| Editor | Marketers, PMs | Create, edit, send, and delete messages and related content. Manage webhooks and imports. Cannot change app settings |
| Composer | Content writers | Create and edit messages, templates, and segments. Cannot send or activate. No export access |
| Viewer | Read-only users | View-only access to app data. Cannot edit, send, or export |
Editor scope: Editors control what to send and to whom. They can view audience data, build segments from it, and run the full messaging workflow, but they cannot modify the underlying user or subscription records (tags, imports, deletions, subscription status).
About the Team Member role
The team_member role is an org-level role that grants no app permissions on its own. Access is layered on explicitly through app-level role assignments, making it a clean least-privilege starting point.
team_member is automatically assigned in two situations:
- When a new user is invited to an App for the first time and has no existing Organization role
- When a user logs in through SSO for the first time and their identity provider has not yet been mapped to a specific OneSignal role
Permission details by role
Select a role below to see its full permissions.
Admin
Editor
Composer
Viewer
Team Member
Operations
Finance
Scope: Organization and AppFull control over everything. Organization Admins automatically have all App Admin privileges across every app in the org. Admin is the only role that can manage app and org settings, API keys, team members, integrations, billing, SSO, and 2FA enforcement.| Area | Permissions |
|---|
| Messaging | Create, edit, send, cancel, delete, and export all message types. Send test notifications |
| Journeys | Create, edit, activate, delete, and export journeys and goals |
| Segments | Full control including setting defaults and deleting users from segments |
| Templates and dynamic content | Create, edit, and delete templates, dynamic content, and saved rows |
| In-app messages | Create, edit, activate, and delete |
| Users and subscriptions | View, edit, delete, import, and export. Full test user management |
| Webhooks and event streams | Create, edit, activate, test, and delete |
| Custom events and outcomes | View analytics, set retention, set tracking, and export |
| Labels | Create, edit, and delete |
| Suppressions | Create, delete, and export |
| Integrations | Activate and edit |
| App settings | Edit settings, manage API keys, manage team members, view and export audit logs, toggle app status, delete app |
| Org settings | Edit settings, create and manage apps, manage members, manage billing, manage API keys, manage SSO, enforce 2FA, view and export audit logs |
| Account | 2FA, email, and password (own account) |
Org Settings access is limited to users with the Organization Admin role. App-level-only Admins do not have permission to modify organization-level settings such as billing, plan upgrades, SSO, or org-wide 2FA.
Scope: Organization and AppEditors can create, edit, send, and delete messages and most content. They can manage webhooks and handle imports. They cannot change app or org settings, manage team members, or access API keys.| Area | Permissions |
|---|
| Messaging | Create, edit, send, cancel, delete, and export all message types. Send test notifications |
| Journeys | Create, edit, activate, and delete |
| Segments | Create, edit, activate, set default, and delete |
| Templates and dynamic content | Create, edit, and delete |
| In-app messages | Create, edit, activate, and delete |
| Users and subscriptions | View, import users and subscriptions, add and remove test users |
| Webhooks and event streams | Create, edit, activate, test, and delete |
| Custom events and outcomes | View analytics and export |
| Labels | Create, edit, and delete |
| Suppressions | View only |
| Integrations | View only |
| App settings | View app and analytics, export analytics, view VAPID keys |
| Org settings | View org and apps |
| Account | 2FA, email, and password (own account) |
Scope: Organization and AppComposers can create and edit messages, templates, segments, and journeys, but they cannot send, activate, or delete most content. They have no export access.| Area | Permissions |
|---|
| Messaging | Create and edit messages. Send test notifications |
| Journeys | Create and edit |
| Segments | Create and edit |
| Templates and dynamic content | Create and edit |
| In-app messages | Create and edit |
| Users and subscriptions | View. Add test users |
| Webhooks and event streams | View only |
| Custom events and outcomes | View analytics |
| Labels | Create and edit |
| Suppressions | No access |
| Integrations | View only |
| App settings | View app and analytics |
| Org settings | View org and apps |
| Account | 2FA, email, and password (own account) |
Composer can edit dynamic content only when it is not tied to live published messages or active journeys.
Scope: Organization and AppView-only access. Viewers can see messages, analytics, segments, templates, and most app data, but cannot create, edit, send, or export anything.| Area | Permissions |
|---|
| Messaging | View messages and analytics |
| Journeys | View journeys and analytics |
| Segments | View segments and analytics |
| Templates and dynamic content | View only |
| In-app messages | View messages and analytics |
| Users and subscriptions | View only |
| Webhooks and event streams | View webhooks and results |
| Custom events and outcomes | View analytics |
| Labels | View only |
| Suppressions | View only |
| Integrations | View only |
| App settings | View app and analytics |
| Org settings | View org and apps |
| Account | 2FA, email, and password (own account) |
Scope: Organization onlyThe team_member role grants no app permissions on its own. It provides minimal org-level visibility while app access is layered on through app-level role assignments.| Area | Permissions |
|---|
| Org settings | View org and apps list |
| Account | 2FA, email, and password (own account) |
| Everything else | No access until an app-level role is assigned |
team_member is automatically assigned in two situations:
- When a new user is invited to an App for the first time and has no existing Organization role
- When a user logs in through SSO for the first time and their identity provider has not yet been mapped to a specific OneSignal role
Scope: Organization and AppOperations has view access across all features plus write access to suppressions and sender identities. This role is designed for operational tasks like managing suppression lists without granting broader messaging or settings permissions.| Area | Permissions |
|---|
| Messaging | View messages and analytics |
| Journeys | View journeys and analytics |
| Segments | View segments and analytics |
| Templates and dynamic content | View only |
| In-app messages | View messages and analytics |
| Users and subscriptions | View only |
| Webhooks and event streams | View webhooks and results |
| Custom events and outcomes | View analytics |
| Labels | View only |
| Suppressions | Create, delete, and export |
| Sender identities | Create and edit |
| Integrations | View only |
| App settings | View app, analytics, and team members |
| Org settings | View org, apps, and members |
| Account | 2FA, email, and password (own account) |
Scope: Organization onlyFinance is an org-level role focused on billing access. It does not include any app-level permissions.| Area | Permissions |
|---|
| Org settings | View org, view apps, view members, view audit logs |
| Billing | View and edit billing |
| Account | 2FA, email, and password (own account) |
| Everything else | No access |
Role availability by plan
Role availability differs between Organization-level and App-level roles. Team Member and Finance are Organization-only roles. All other roles have both an Organization and App equivalent.
Organization roles
| Role | Free Plan | Growth Plan | Professional Plan | Enterprise |
|---|
| Admin | ✅ | ✅ | ✅ | ✅ |
| Team Member | ✅ | ✅ | ✅ | ✅ |
| Viewer | ❌ | ✅ | ✅ | ✅ |
| Editor | ❌ | ❌ | ✅ | ✅ |
| Composer | ❌ | ❌ | ✅ | ✅ |
| Finance | ❌ | ❌ | ❌ | ✅ |
| Operations | ❌ | ❌ | ❌ | ✅ |
App-level roles
| Role | Free Plan | Growth Plan | Professional Plan | Enterprise |
|---|
| Admin | ✅ | ✅ | ✅ | ✅ |
| Viewer | ❌ | ✅ | ✅ | ✅ |
| Editor | ❌ | ❌ | ✅ | ✅ |
| Composer | ❌ | ❌ | ✅ | ✅ |
| Operations | ❌ | ❌ | ❌ | ✅ |
Best practices
- Assign the minimum role needed. Don’t give full Admin access if Composer or Viewer is enough.
- Use Organization roles for users who need access across many Apps, like analysts or leadership.
- Use the Team Member role with App-level assignments for users who only need access to specific Apps.
- Limit API key access to trusted technical users with Admin roles.
- Upgrade your plan to unlock additional roles beyond Admin and Team Member.
