Summary
Users in IT Agent can be granted access at two levels—per organization (org-level) or across the entire tenant (tenant-level). Roles determine what a user can do, and seats determine how many active users can access the tenant under the current subscription.
Org-level users
Org-level users have access to a specific organization only.
You can assign different roles to the same user in different organizations.
Common use cases
Give a technician access to only one customer/company org.
Give a billing contact access to one org’s computers and reports.
Tenant-level users
Tenant-level users have access across all organizations in the tenant.
They show up in every organization’s user list as “tenant-wide” users.
Common use cases
MSP admins who manage multiple orgs.
Company-wide IT leadership who needs access everywhere.
Owner users
There is always a tenant creator (the “Owner”), identified as the person who originally created the tenant.
In addition, a user can have the RBAC “Owner” role which grants the highest level of permissions, including tenant user management.
Seats (licensing)
Seats control how many active users can consume access under the tenant subscription.
How seats are assigned
When you add a user (org-level or tenant-level), the platform attempts to allocate a seat for that user.
If the tenant has no seats remaining, seat assignment will fail and the tenant will be at/over capacity.
FAQ
If I add a tenant-level user, do they automatically appear in all orgs?
Yes—tenant-level access applies across the tenant, and the user appears in each org’s user list as a tenant-wide user.
If I remove a tenant-level user, does it delete the user?
No—removing tenant-wide access removes the tenant ACL entry, but the underlying user record remains (so org-level access/history is preserved).
Can the Owner be removed?
The platform prevents deleting the tenant user entry if the user has the “Owner” role, to avoid tenant lockout.