Managing Team Roles & Permissions

Section: Phase 9 — Security & Access Control · Step 1

Published: June 24, 2026

Vladislav Marchenko, Head Of Marketing

Phase 9 — Security & Access Control · OpenFrame Onboarding

Who's on your team, and what can they do? This guide covers the people side of access control in OpenFrame — adding technicians, understanding the roles, and removing access when someone leaves. It pairs with AI Guardrails & Approval Policies (next), which controls what the AI can do on each person's behalf.


Before you start

  • You need an Admin or Owner role.
  • Find it under Settings → Employees & Permissions.

The roles

OpenFrame keeps roles deliberately simple:

  • Owner — the account creator. Full control over the workspace, including billing and the things only an owner should touch. There's one, and it's set when the workspace is created.
  • Admin — full operational access to run the platform: devices, scripts, monitoring, tickets, remote access, and settings. This is the role your technicians get.

When you invite someone, they come in as an Admin — that's the assignable role for team members. Owner stays with whoever created the workspace.


Add a technician

  1. Go to Settings → Employees & Permissions.
  2. Click Add Users (top right).
  3. In Add Employees, enter the person's email, leave the Role as Admin, and use Add More Users to invite several at once.
  4. Click Send Invites. They'll get an invitation email to register and set up their own login.

If you've connected an identity provider (Phase 8) with auto-provisioning on, people from your allowed domain can also be created automatically on first SSO sign-in — no manual invite needed.


Review who has access

The Employees & Permissions list shows every user with their Role and Status (Active / Deleted). Make this a habit — a quarterly look down the list catches the contractor who rolled off three months ago and still has Admin.

Click the arrow on any row to open that person's detail page (name, email, role, status).
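
One way to make the quarterly review repeatable, as an added example (not OpenFrame code or an OpenFrame feature): transcribe the Employees & Permissions list into a CSV and reconcile it against your current staff roster. The CSV layout, the roster, the allowed domain, and the `review_access` function are all assumptions constructed for this illustration.

```python
import csv
import io

# Constructed sample: the Employees & Permissions list transcribed by hand
# (columns mirror what the list shows: email, Role, Status). Not an OpenFrame export.
ACCESS_LIST_CSV = """email,role,status
dana@example-msp.test,Owner,Active
lee@example-msp.test,Admin,Active
sam@example-msp.test,Admin,Deleted
kit@contractor.test,Admin,Active
Rio@Example-MSP.test,Admin,Active
"""

# Constructed sample: people currently on staff, e.g. from your HR roster.
CURRENT_STAFF = {"dana@example-msp.test", "lee@example-msp.test"}
ALLOWED_DOMAIN = "example-msp.test"  # assumption: the domain allowed for SSO sign-in


def review_access(access_csv, current_staff, allowed_domain):
    """Return (email, finding) pairs for accounts that need a human look."""
    staff = {e.strip().lower() for e in current_staff}
    findings, owners = [], []
    for row in csv.DictReader(io.StringIO(access_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip()
        if row["status"].strip().lower() != "active":
            continue  # Deleted accounts can no longer sign in
        if role == "Owner":
            owners.append(email)
        if email not in staff:
            findings.append((email, "active but not on current roster"))
        if email.rpartition("@")[2] != allowed_domain.lower():
            findings.append((email, "active outside allowed domain"))
    # The page states there is exactly one Owner per workspace.
    if len(owners) != 1:
        findings.append((",".join(owners) or "-", "expected exactly one Owner"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(ACCESS_LIST_CSV, CURRENT_STAFF, ALLOWED_DOMAIN):
        print(f"{email}: {finding}")
```

Each finding is a prompt to check with the person's manager, not an automatic deletion; confirmed leavers then go through the removal step below.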


Remove access

When someone leaves, kill their access promptly. Open the user's detail page → "…" menu → Delete. Their status flips to Deleted and they can no longer sign in.

Deprovisioning is the step teams forget. An old Admin account is exactly the kind of thing that turns into an incident — make removing access part of your offboarding checklist, not an afterthought.


Quick checklist

  • Opened Settings → Employees & Permissions
  • Understood Owner (creator) vs Admin (your team)
  • Added technicians via Add Users → Send Invites
  • Reviewed the list for stale or unexpected accounts
  • Removed access for anyone who has left ("…" → Delete)

What's next

People are sorted. Next, control what the AI is allowed to do for them: AI Guardrails & Approval Policies sets the approval rules behind Mingo.


Based on OpenFrame v0.9.19. Roles and the permission model evolve between releases — what's in your console wins.

Hi all! My name is Vlad and I’ve been brought on to head the marketing team at Flamingo. Thankfully, this isn’t the first time I will be building a marketing department from scratch, so the experience should come in handy. Now it’s time to dive into the world of MSPs and find myself in this new world.
