Managing Member Permissions
This guide walks you through inviting people into your organization, giving each one the right standing, and tuning exactly which plants and portfolios they can reach. You manage all of it from one place — the Team tab — and you never need to touch individual rights one by one.
Two layers decide what a member can do. Their organization role sets a default standing across everything your organization owns, and an optional job role on a single plant or portfolio raises or lowers that default for one resource. For the full model behind these layers, see the Permission System. This guide stays on the tasks.
Open in Mirox
Manage your team from Organization ▸ Team — the link opens your organization on the Team tab directly. (Inviting and changing roles require a Moderator role or higher — see the peer-aware rule below.)
Inviting a Member
When you invite someone, they receive an email, register an account, and join your organization with the role you chose. The whole flow is self-service for them — see First Steps for the new-member side, and Invitations for the three invitation types.
- On the Team tab, select Invite.
- Enter the person's email address.
- Choose their organization role (see the table below).
- Pick the language the invitation email is sent in.
- Select Send Invitation.
The new entry appears in the team list marked Invited until they accept. You can filter to just pending invites with the list dropdown (Internal / External / Invited / All), and re-send an invitation from a member's actions menu if it expires.
Choosing the Organization Role
The role you pick is the member's default standing across the organization. Each role also maps to a default job role on every plant your organization owns.
| Organization Role | What it gives | Default per-plant authority |
|---|---|---|
| Admin | Manages everything — members, cooperations, billing, all resources. | Operator (full management) |
| Moderator | Manages members and resources, just short of full org control. | Operator (full management) |
| Asset Manager (Technical) | Technical asset manager: full plant management, destructive technical actions, complete ticket handling. | Technical Manager |
| Asset Manager (Commercial) | Commercial asset manager: manages plants and commercial data, but no destructive technical actions and tickets read/create only. | Asset Manager |
| Member | Standard read access to the organization's resources. | Viewer (read-only) |
| External | No default access; reaches resources only through explicit grants. | None — assign per resource |
Inviting an External
External members get no access until you grant it. After you send an External invitation, Mirox immediately opens the permission dialog so you can grant them a job role on the specific plants or portfolios they need. You also give an External a short label (for example "Maintenance Contractor") to identify them in the team list.
The Peer-Aware Assignment Rule
You can only assign roles at or below your own level, and the two Asset Manager roles cannot assign each other.
- Admins and Moderators can grant any role, including either Asset Manager role.
- An Asset Manager (Technical) can invite Members, Externals, and other Asset Managers (Technical) — but not Asset Managers (Commercial).
- An Asset Manager (Commercial) can invite Members, Externals, and other Asset Managers (Commercial) — but not Asset Managers (Technical).
This keeps the technical and commercial tracks cleanly separated: neither manager can hand authority to the other's track.
Granting a Job Role on a Specific Plant or Portfolio
A member's organization role already gives them a sensible default everywhere. Grant a per-resource job role only when you want to raise or lower that default for one plant or portfolio — for example, giving an External read access to a single park, or letting a Member act as Technical Manager on one plant. A direct grant always overrides the inherited default.
- On the Team tab, open the member's actions menu (the ⋮ button on their row) and select Edit Permissions.
- Choose the resource type — Portfolio or Park.
- Select the specific portfolio or park from the list.
- Choose the job role to grant:
- Viewer — read-only access to the resource's data and metrics.
- Technical Manager — technical authority, including component and event handling and full ticket administration.
- Asset Manager — commercial authority; manages the resource but no destructive technical actions, and tickets read/create only.
- Optionally set an expiration date for the grant (it never expires by default).
- Select Add Permission.
The grant takes effect immediately and is listed under Current Permissions, where you can renew its expiration or remove it later.
Granting on a Portfolio vs a Park
A grant on a portfolio applies to every park inside it; a grant on a single park refines access for that park only. Assign at the highest level that fits, and refine at the park level only for genuine exceptions. See Resources & Hierarchy for how the hierarchy flows.
Capped for Shared Resources
For a plant shared with you through a cooperation, you can only delegate up to the role the owning organization shared — typically Viewer plus the single shared role. You cannot grant a member more authority on a shared plant than your organization received.
Pausing a Member or Setting an Expiry
You can temporarily suspend a member without removing them, set their whole membership to expire on a date, or change their organization role — all from one dialog.
- On the Team tab, open the member's actions menu and select Edit Role.
- Adjust any of the following, then Update:
- Role — change their organization role (subject to the peer-aware rule above).
- Membership active — turn this off to pause the member. A paused member keeps their seat and grants but is blocked from all access until you switch it back on. Paused members show a Paused badge in the list.
- Membership expiration — set a date on which their access ends automatically. Useful for fixed-term contractors and externals.
Expiry at Two Levels
Membership expiration (in Edit Role) ends the member's whole organization standing. A per-resource grant can carry its own expiration (in Edit Permissions) that ends access to just that plant or portfolio. Use whichever scope matches the engagement.
Removing Access
- On the Team tab, open the member's actions menu and select Remove Member.
- Confirm in the dialog.
Removal takes the member out of the organization and revokes their access. This cannot be undone — if you only need to suspend someone temporarily, use Membership active instead. Every assignment and removal remains traceable; see the Audit Log.
Verifying What a Member Can Reach
Before relying on a configuration, confirm it. Open a member's row to review their current organization role, any per-resource grants, and any expirations in one place. When in doubt, grant the narrowest role that does the job and widen later — least privilege keeps access easy to reason about.
Related Guides
- Permission System — the full role model behind organization and job roles
- Invitations — the three invitation types and how people join
- Creating Cooperations — share specific plants with a partner organization
- Resources & Hierarchy — how access flows down organizations, portfolios, and parks
- Audit Log — who accessed which plant devices and when
- First Steps — the end-to-end path a new member follows to reach first data