Roles and permissions

Published May 23, 2026

Kommit ships with three first-class roles. Every user in an organization has exactly one of them. Roles can be changed by an Owner from the Members page.

The three roles

Owner

  • Can do everything a Member can do, plus:
  • Invite and remove members.
  • Change any member's role.
  • Configure billing, custom domain (Enterprise plan), and SSO.
  • Configure policies in the Policy library — see [#policy-library].
  • Delete the organization.

There must always be at least one Owner per organization. Kommit refuses to demote the last Owner.

Member

  • Default role for new invitees (we changed this in 2026 — see [#inviting-teammates] for the safety reasoning).
  • Can view and act on every surface inside the organization: agents, policies, audit logs, evidence packs, the live /access matrix.
  • Cannot invite teammates, cannot change roles, cannot delete the organization.

Members are the right role for everyone who works in the product day-to-day, including most compliance and engineering staff.

Viewer

  • Read-only access to every surface.
  • Cannot run actions that change state — cannot create / edit policies, cannot approve workflows, cannot export evidence packs on their own.
  • Useful for auditors, exec sponsors, or stakeholders who need to see what's happening without the ability to alter it.
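The role model above, written out as an added example (this is illustration code, not Kommit's implementation): each of the three roles maps to a permission set, `can()` answers a permission check, and `change_role()` enforces both rules stated above, that only an Owner may change roles and that the last Owner can never be demoted. The permission names and the `Organization` class are assumptions chosen for the example.

```python
"""Added example (not Kommit's code): a minimal model of the three
organization roles, with a permission check and the "never demote the
last Owner" invariant. Permission names and the Organization class are
assumptions for illustration only."""
from dataclasses import dataclass, field

# Viewer is read-only; Member adds the state-changing actions inside the
# organization; Owner adds organization administration on top of that.
VIEWER_PERMS = frozenset({"view"})
MEMBER_PERMS = VIEWER_PERMS | {
    "edit_policy", "approve_workflow", "export_evidence",
}
OWNER_PERMS = MEMBER_PERMS | {
    "invite_member", "remove_member", "change_role",
    "configure_billing", "configure_sso", "delete_org",
}
ROLE_PERMS = {"Viewer": VIEWER_PERMS, "Member": MEMBER_PERMS, "Owner": OWNER_PERMS}


class RoleError(Exception):
    """Raised when a role change is unauthorized or would break an invariant."""


@dataclass
class Organization:
    # user id -> role name; every user holds exactly one role
    roles: dict = field(default_factory=dict)

    def can(self, user: str, permission: str) -> bool:
        """True if the user's role grants the named permission."""
        role = self.roles.get(user)
        return role is not None and permission in ROLE_PERMS[role]

    def owner_count(self) -> int:
        """Number of users currently holding the Owner role."""
        return sum(1 for r in self.roles.values() if r == "Owner")

    def change_role(self, actor: str, target: str, new_role: str) -> None:
        """Only an Owner may change roles, and the last Owner cannot be demoted."""
        if new_role not in ROLE_PERMS:
            raise RoleError(f"unknown role {new_role!r}")
        if not self.can(actor, "change_role"):
            raise RoleError(f"{actor} is not allowed to change roles")
        if target not in self.roles:
            raise RoleError(f"{target} is not a member of this organization")
        demoting_owner = self.roles[target] == "Owner" and new_role != "Owner"
        if demoting_owner and self.owner_count() == 1:
            raise RoleError("refusing to demote the last Owner")
        self.roles[target] = new_role


if __name__ == "__main__":
    # Constructed sample organization
    org = Organization({"alice": "Owner", "bob": "Member", "carol": "Viewer"})
    print(org.can("bob", "edit_policy"), org.can("carol", "edit_policy"))
    try:
        org.change_role("alice", "alice", "Member")
    except RoleError as err:
        print(err)
```

Note that the invariant is checked on the target's current role, not the actor's: an Owner demoting themselves is refused only while they are the sole Owner, and a second Owner must be promoted first.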

Platform admin

Separate from per-organization roles, Kommit has a platform admin role on the global user record. Platform admins are Kommit staff and can access the /admin surface to handle support, moderation, and incident response. Customers do not get platform admin access.

When a platform admin acts on your tenant, the action is recorded as an impersonation_action event with the admin's identity, the reason, and the duration of the impersonation session. You can review these events in your audit log.
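As an added example of reviewing those events (not part of this documentation and not Kommit's export format), the script below reads a newline-delimited JSON audit export and flags impersonation sessions a tenant admin would want to look at: ones recorded without a reason, and ones longer than a chosen threshold. The field names (`type`, `actor`, `reason`, `duration_seconds`, `occurred_at`) and the sample events are assumptions constructed for the example.

```python
"""Added example (not Kommit's code): triaging impersonation_action events
from an exported audit log. Field names are assumptions; the events below
are constructed sample data, not a real export."""
import json

# Constructed sample export: one JSON object per line
SAMPLE_AUDIT_LOG = """
{"type": "impersonation_action", "actor": "support-1@vendor.example", "reason": "ticket 4812: stuck export", "duration_seconds": 600, "occurred_at": "2026-05-20T10:02:00Z"}
{"type": "policy.updated", "actor": "alice@example.com", "occurred_at": "2026-05-20T11:15:00Z"}
{"type": "impersonation_action", "actor": "support-2@vendor.example", "reason": "", "duration_seconds": 300, "occurred_at": "2026-05-21T09:40:00Z"}
{"type": "impersonation_action", "actor": "support-1@vendor.example", "reason": "incident 77", "duration_seconds": 14400, "occurred_at": "2026-05-22T02:10:00Z"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_impersonations(events: list, max_duration_seconds: int = 3600) -> list:
    """Return (actor, occurred_at, issue) tuples for impersonation_action
    events that lack a reason or exceed the duration threshold."""
    findings = []
    for ev in events:
        if ev.get("type") != "impersonation_action":
            continue
        actor = ev.get("actor", "<unknown>")
        when = ev.get("occurred_at", "<unknown time>")
        # A missing or blank reason is itself worth a question to the vendor.
        if not (ev.get("reason") or "").strip():
            findings.append((actor, when, "no reason recorded"))
        duration = ev.get("duration_seconds", 0)
        if duration > max_duration_seconds:
            findings.append(
                (actor, when, f"session lasted {duration}s, over {max_duration_seconds}s")
            )
    return findings


if __name__ == "__main__":
    for actor, when, issue in review_impersonations(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{when} {actor}: {issue}")
```

On the sample data this reports the blank-reason session and the four-hour one; the ten-minute session with a ticket reference passes. Pair the threshold with whatever your support agreement states as the expected session length.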

What roles cannot do

Kommit's roles are not a substitute for downstream system permissions. Granting a Member role does not give that user any access to the systems Kommit governs — just to the Kommit surface itself. Per-system permissions are managed in the live /access matrix; see [#access-control-matrix].