All Collections
Getting started with OnDMARC
OnDMARC Roles and Permissions
OnDMARC Roles and Permissions

Overview of the permissions model of OnDMARC, how to add and remove users and their roles and permissions.

Ivan Kovachev avatar
Written by Ivan Kovachev
Updated over a week ago


OnDMARC allows you to add additional users to the tool either via Okta/SAML or via the invite feature, for more details please click on the button below.

User roles overview

OnDMARC provides access control via user roles. They are of two types:

  1. Roles with responsibilities across the entire organization, called Super Roles.

  2. Roles with responsibilities for part of the organization, called Group Roles.

For example, a group can contain certain domains and a group role can only see those domains. A user with a super role can see all the domains in the entire account.

Super roles

Apart from the account owner there are four other super roles that exist in OnDMARC. As mentioned earlier super roles have access to resources across the entire organisation. Their permissions span across groups and outside of groups as well, respective to the role that they have been assigned.

Owners have the same permission as super admins, but can add and remove other owners.

Super Admins have full control on the account except they are not able to delete the owner account.

Super Readers can see all the domains added to the account.

Finance users can see the Billing section of the tool

None is when a user has not been assigned any role yet (empty).

An example of a use case may be: As a CEO you signed up for OnDMARC, invite your CTO to the app and assign her the Super Admin role to be able to add and manage domains. Additionally you invite your CFO and assign him the Finance role with access to the billing section of the app.


Groups are used to logically group one or multiple domains, e.g. a group can contain all domains related to Department A, another group can contain all domains related to Department B. Therefore groups allow you to further segregate access to your domains and assign users to those groups. Two user roles exist within a group: Group Admin and Group Reader. Both user roles can only see the domains that have been added to the group that they are part of. Additionally, Group Admins are allowed to add and remove users from their group.

An example of a use case may be: You are part of a global organisation consisting of multiple sub-companies with different top-level domains and departments. It may be difficult as an Owner or a Super Admin to manage the domains for the entire organisation and you decide to delegate some of them to different users. You may decide to create groups for domains based on the TLD, company or department and assign a Group Admin for each group, who is then responsible for managing the domains in that group and for assigning additional users to the group.

A user of the tool can be part of multiple groups and users can be assigned multiple roles where the higher permission role takes precedence. For example, if a user is a Super Admin and also an Admin of a group, the Super Admin role takes precedence. 

Summary of user roles and permissions

User Roles

Access Rights


Super role: represents who has ownership of the account (can designate multiple people to be owner). Can also take any action in the account.

Super Admin

Super role: cannot modify owner user or add new owners. Can invite users with other roles including superadmin.

Super Reader

Super role: someone who should only have read access to the account but no write permissions (ie. cannot modify domains or invite other users to the account).


Can access the Billing, Analyser, API documentation, and Help.

Group Admin

Can assign additional Group Admins and Group Readers to the group. Cannot create or delete domains within a group.

Group Reader

Can read group data but cannot perform any write operation.


No access rights except for viewing the Analyser, API documentation and Help sections of the tool.

A high level overview of the roles is shown below.

Removing access

If you would like to delete a user from the account you can click on ‘Remove’ next to their email address.

API keys can also be removed by clicking on ‘Revoke access’ next to each key. The same can be done for API keys assigned to a group. 

Did this answer your question?