Skip to main content
OneSignal allows you to manage user access either at the Organization level (all apps) or at the App level (specific apps). Each user can be assigned a role based on their needs and responsibilities. For example:
  • An analyst who needs to review messaging performance across apps could be an Organization Viewer.
  • A developer or marketer working on one app can be assigned as an App Admin.
  • A content writer who builds messages but should not send them could be an Organization Composer.
  • A finance team member who only needs billing access could be an Organization Finance role.
  • A contractor who only needs access to a single app can start as an Organization Team Member with an app-level role layered on.
For details on how Apps and Organizations work together, see Apps, Organizations, and Accounts.

Managing team access

You can grant access at either the Organization level (all apps) or App level (specific apps).

Invite a team member to an Organization

Organization Admins can invite users and assign them roles that apply to all apps in the Organization.
1

Navigate to your Organization

Go to Organizations > [Your Organization] > Team Members.
2

Invite a team member

Click Invite to Organization.
3

Assign a role

Choose a role: Admin, Finance, Operations, Editor, Composer, Viewer, or Team Member.
The invited user receives an email to accept the invitation. Once accepted, they appear in the Team Members list with the assigned role.
OneSignal dashboard showing the organization Team Members page with invite button and role assignment

Invite a team member to an App

App-level roles let you grant additional permissions on a specific App beyond what the user’s Organization role provides.
App-level roles can only add permissions on top of the user’s Organization role — they cannot restrict or reduce access. For example, an Organization Viewer can be elevated to an App Editor on a specific App, but an Organization Editor cannot be downgraded to an App Viewer. See valid app-level role assignments for the full mapping.
1

Navigate to your App

Go to your App’s Settings > Team Members.
2

Invite a team member

Click Invite to App.
3

Assign a role

Choose a role for that app: Admin, Operations, Editor, Composer, or Viewer.

Valid App-level role assignments

When you assign an App-level role, it must be equal to or more permissive than the user’s Organization role. Both the client and server enforce these rules.
Org RoleValid App Roles
adminNone (already has full access)
editoradmin only
composereditor, admin
viewercomposer, editor, admin
team_memberviewer, composer, editor, admin

Update or remove user access

1

Navigate to Team Members

Go to the Team Members page for the Organization or App.
2

Open the options menu

Click the Options menu (⋮) next to the user’s email address.
3

Update or remove

Select Update Role or Remove.
OneSignal dashboard showing the options menu for a team member with Update Role and Remove actions

Roles and permissions

Organization roles take priority over App roles. If a user is an Organization Admin, they automatically have all App Admin privileges across every App in the Organization. No additional App-level role assignment is needed.

Role types

OneSignal offers the following roles at the Organization level:
RoleBest forAccess summary
AdminDevelopers, OwnersFull control over all org settings, billing, and messaging. Automatically includes all App Admin privileges across every app in the org
FinanceFinance teamsView org settings, apps, members, and billing. Edit billing. No app-level permissions
OperationsOps teamsView access across all apps plus manage suppressions and sender identities
EditorMarketers, PMsFull messaging workflow: create segments, build and send messages, manage webhooks and imports. Cannot modify underlying user or subscription records, or change app settings
ComposerContent writers, DesignersCreate and edit messages, templates, segments, and journeys. Cannot send, activate, or delete most content. No export access
ViewerAnalysts, Read-only usersView-only access across all apps. Cannot edit, send, or export
Team MemberMinimal access usersCan view the org and its apps list. No app-level permissions on its own. Access is layered on through app-level role assignments
The following roles are available at the App level:
RoleBest forAccess summary
AdminApp owners, Lead developersFull control over the app including settings, keys, integrations, and team management
OperationsOps teamsView access across app features plus manage suppressions and sender identities
EditorMarketers, PMsCreate, edit, send, and delete messages and related content. Manage webhooks and imports. Cannot change app settings
ComposerContent writersCreate and edit messages, templates, and segments. Cannot send or activate. No export access
ViewerRead-only usersView-only access to app data. Cannot edit, send, or export
Editor scope: Editors control what to send and to whom. They can view audience data, build segments from it, and run the full messaging workflow, but they cannot modify the underlying user or subscription records (tags, imports, deletions, subscription status).

About the Team Member role

The team_member role is an org-level role that grants no app permissions on its own. Access is layered on explicitly through app-level role assignments, making it a clean least-privilege starting point. team_member is automatically assigned in two situations:
  • When a new user is invited to an App for the first time and has no existing Organization role
  • When a user logs in through SSO for the first time and their identity provider has not yet been mapped to a specific OneSignal role

Permission details by role

Select a role below to see its full permissions.
Scope: Organization and AppFull control over everything. Organization Admins automatically have all App Admin privileges across every app in the org. Admin is the only role that can manage app and org settings, API keys, team members, integrations, billing, SSO, and 2FA enforcement.
AreaPermissions
MessagingCreate, edit, send, cancel, delete, and export all message types. Send test notifications
JourneysCreate, edit, activate, delete, and export journeys and goals
SegmentsFull control including setting defaults and deleting users from segments
Templates and dynamic contentCreate, edit, and delete templates, dynamic content, and saved rows
In-app messagesCreate, edit, activate, and delete
Users and subscriptionsView, edit, delete, import, and export. Full test user management
Webhooks and event streamsCreate, edit, activate, test, and delete
Custom events and outcomesView analytics, set retention, set tracking, and export
LabelsCreate, edit, and delete
SuppressionsCreate, delete, and export
IntegrationsActivate and edit
App settingsEdit settings, manage API keys, manage team members, view and export audit logs, toggle app status, delete app
Org settingsEdit settings, create and manage apps, manage members, manage billing, manage API keys, manage SSO, enforce 2FA, view and export audit logs
Account2FA, email, and password (own account)
Org Settings access is limited to users with the Organization Admin role. App-level-only Admins do not have permission to modify organization-level settings such as billing, plan upgrades, SSO, or org-wide 2FA.

Role availability by plan

RoleFree PlanGrowth PlanProfessional PlanEnterprise
Admin
Editor
Composer
Viewer
Team Member
Finance
Operations
View full pricing and plan features.

Best practices

  • Assign the minimum role needed. Don’t give full Admin access if Composer or Viewer is enough.
  • Use Organization roles for users who need access across many Apps, like analysts or leadership.
  • Use the Team Member role with App-level assignments for users who only need access to specific Apps.
  • Limit API key access to trusted technical users with Admin roles.
  • Free plans only support Admins. Upgrade to add additional roles.

FAQ

Can I restrict a user to only one app?

Yes. Assign the user the team_member org role (which grants no app access on its own), then add an app-level role on the specific app. This gives them access to only that app.

What happens if I remove someone from the organization?

Removing a user from the organization revokes all their access — both org-level and app-level — across every app in that organization. They would need to be re-invited to regain access.

Can I give someone billing access without app access?

Yes. The Finance role (Enterprise only) grants access to view and edit billing without any app-level permissions. See the Finance permissions tab for details.

Why can’t I assign a Viewer role at the app level?

App-level roles must be more permissive than the user’s org role. If the user is already an org-level Viewer, an app-level Viewer would not add any permissions. You can assign Composer, Editor, or Admin at the app level instead. See Valid app-level role assignments.

Which roles are available on my plan?

Free plans support Admin only. Growth adds Viewer. Professional adds Editor and Composer. Enterprise adds Team Member, Finance, and Operations. See the role availability table.

Apps, organizations, and accounts

Understand the relationship between accounts, apps, and organizations.

Two-factor authentication

Enable 2FA for your account or require it for your organization.

SSO

Configure single sign-on for your organization.

Billing FAQ

Manage plans, billing, and subscriptions across organizations.