Roles and access control
Last updated Mar 31, 2026
Every person in your workspace has one of two roles: Owner or Member. Your role controls what you can see and change, from managing the team roster to running agents on cloud desktops.
The two-role model
MultiClaw uses a flat, two-role model. There are no custom roles or granular permission tiers. This keeps the access model easy to understand and reduces the chance of misconfiguration.
| Capability | Owner | Member |
|---|---|---|
| View and use agents | ✓ | ✓ |
| Create and manage tasks | ✓ | ✓ |
| Access cloud desktops | ✓ | ✓ |
| Use skills and guardrails | ✓ | ✓ |
| Use Quick Chat | ✓ | ✓ |
| View the audit trail | ✓ | ✓ |
| Approve agent plans | ✓ | ✓ |
| Invite members | ✓ | — |
| Remove members | ✓ | — |
| View the full member list | ✓ | — |
Owner
The Owner is the person who created the workspace. Each workspace has exactly one Owner. Beyond everything a Member can do, the Owner manages who has access: inviting new members, removing existing ones, and viewing the full member list.
Ownership cannot be transferred through the interface. If you need to change who owns the workspace, contact MultiClaw support.
Member
A Member is anyone the Owner invites into the workspace. Members have full access to the workspace's agents, tasks, cloud desktops, skills, guardrails, and Quick Chat. They can approve agent plans and view the audit trail.
Members cannot invite or remove other people. If a Member tries to access the Users page, they see a permission error.
How roles connect to governance features
Your role does not limit what you can do with agents and tasks. Both Owners and Members create tasks, review agent plans, and approve or reject execution. The approval flow is a governance control that applies equally to everyone in the workspace.
The audit trail is also visible to both roles. Every action taken in the workspace — task creation, plan approval, agent execution — is logged and visible to all members. The Owner does not have a separate or more detailed audit view.
The Owner's unique privileges are limited to managing the member list. Day-to-day work with agents, tasks, and cloud desktops is identical for both roles.
Manage members
Only the Owner can add or remove people. Open MultiClaw Cloud and go to your workspace's Users page (/{your-workspace}/users). From there you can:
- Invite a new member by entering their email address.
- Remove an existing member by selecting them from the list.
When you remove a member, they lose access to all workspace resources immediately. Their past actions remain in the audit trail.
No guest or anonymous access
Everyone who accesses your workspace needs a MultiClaw account. The Owner must invite each person as a Member before they can see any workspace resources. There is no guest role, temporary access, or public link that bypasses this requirement.
If someone outside your organization needs access, ask the Owner to invite them. That person will need a MultiClaw account to accept the invitation.
Security considerations
The two-role model is intentionally simple. A flat structure means there are no hidden permissions, no role inheritance chains, and no risk of accidentally granting elevated access through a misconfigured custom role.
Because only the Owner can change the member list, a compromised Member account cannot escalate its own access or invite unauthorized users. If you suspect unauthorized access, the Owner should remove the affected member from the Users page and ask them to reset their password.
If the Owner's account is compromised, contact MultiClaw support immediately. The Owner is the only person who can manage workspace membership.
Related articles
Security overview
MultiClaw protects your data through layered security, TLS encryption in transit, app sandboxing, and a no-telemetry policy.
Authentication and login security
How MultiClaw protects your sign-in with password hashing, Multiplai SSO, session tokens, and rate limiting.
Invite and manage team members
Add members to your workspace, assign roles, and control access permissions.