Team Management
Zenovay allows you to collaborate with team members by inviting them to your organization. This guide covers how to manage team members, assign roles, and control access to your analytics data.
Overview
Team management features include:
- Invite unlimited team members (on paid plans)
- Role-based access control (Owner, Admin, Member, Viewer)
- Website-level permissions for multi-site organizations
- Activity logging to track team actions
- SSO integration for enterprise teams (Scale and Enterprise plans)
The Free plan is limited to 2 team members. Upgrade to Pro or higher to add more team members.
Team Roles & Permissions
Zenovay has four role levels with different permissions:
Owner
Full control over the organization.
Permissions:
- ✅ Manage billing and subscription
- ✅ Add/remove team members
- ✅ Assign roles to members
- ✅ Delete organization
- ✅ Access all websites
- ✅ Modify all settings
- ✅ View all analytics data
- ✅ Manage API keys
Limits: 1 owner per organization (can be transferred)
Admin
Administrative access without billing control.
Permissions:
- ✅ Add/remove team members (except Owner)
- ✅ Assign Member and Viewer roles
- ✅ Access all websites
- ✅ Modify website settings
- ✅ View all analytics data
- ✅ Manage API keys
- ❌ Manage billing
- ❌ Delete organization
- ❌ Assign Admin role
Limits: Unlimited
Member
Can manage websites and view analytics.
Permissions:
- ✅ Add/edit websites
- ✅ View analytics for assigned websites
- ✅ Modify tracking settings
- ✅ Export data
- ✅ Create API keys (for assigned websites only)
- ❌ Add/remove team members
- ❌ Manage billing
- ❌ Delete websites
Limits: Unlimited
Viewer
Read-only access to analytics.
Permissions:
- ✅ View analytics for assigned websites
- ✅ Export data
- ❌ Modify any settings
- ❌ Add websites
- ❌ Manage team
- ❌ Create API keys
Limits: Unlimited
Inviting Team Members
Send an Invitation
- Go to Settings → Team
- Click Invite Member
- Enter the email address
- Select a role (Admin, Member, or Viewer)
- Choose which websites they can access (optional)
- Click Send Invitation
The invited person will receive an email with an invitation link.
Invitations expire after 7 days. If not accepted, you'll need to resend the invitation.
Bulk Invitations
To invite multiple team members at once:
- Click Invite Member → Bulk Invite
- Enter email addresses (one per line)
- Select the same role for all
- Click Send Invitations
Example format:
[email protected]
[email protected]
[email protected]
Invitation Status
Track invitation status in the Team page:
| Status | Meaning |
|---|---|
| Pending | Invitation sent, awaiting acceptance |
| Accepted | User has joined the team |
| Expired | Invitation not accepted within 7 days |
Resend Invitation: Click the ⟳ icon next to pending invitations.
Managing Team Members
View Team Members
Go to Settings → Team to see:
- All active team members
- Their roles and permissions
- Last activity timestamp
- Assigned websites
Change Member Role
- Find the team member in the list
- Click the role dropdown next to their name
- Select new role (Admin, Member, or Viewer)
- Confirm the change
Only Owners can assign the Admin role. Admins can only assign Member and Viewer roles.
Assign Websites
Control which websites a team member can access:
- Click on the team member's name
- Go to Website Access tab
- Select websites they should access
- Choose access level:
- Full Access: View and modify
- View Only: Read-only access
- Save changes
All Websites: Grant access to all current and future websites by selecting "All Websites".
Remove Team Member
- Find the team member
- Click the ⋮ menu button
- Select Remove from Team
- Confirm removal
Removed members immediately lose access to:
- Organization dashboard
- All analytics data
- API keys
- Team settings
Their account is not deleted - only removed from your organization.
Website-Level Permissions
For organizations with multiple websites, you can assign specific website access to team members.
Default Access
When inviting a member, you can set default access:
- All Websites: Access to all sites (recommended for Admins)
- Specific Websites: Choose which sites they can access
- No Websites: They must be granted access later (default for Viewers)
Per-Website Roles
Assign different permissions per website:
| Website | Access Level | Can View | Can Edit |
|---|---|---|---|
| example.com | Full Access | ✅ | ✅ |
| blog.example.com | View Only | ✅ | ❌ |
| test.example.com | No Access | ❌ | ❌ |
Activity Logging
Track team member actions in the Activity Log:
View Activity Log
- Go to Settings → Team → Activity
- Filter by:
- Team member
- Action type
- Date range
- Website
Logged Actions
The activity log tracks:
- Team member invited/removed
- Role changes
- Website access granted/revoked
- Settings modified
- Data exports
- API keys created/deleted
Example log entry:
Jan 12, 2025 10:30 AM
[email protected] changed [email protected] role from Member to Admin
Export Activity Log
Export activity logs for compliance or auditing:
- Go to Activity Log
- Set date range filter
- Click Export → CSV
Transfer Ownership
Transfer organization ownership to another team member:
Steps
- Go to Settings → Team
- Click on Transfer Ownership
- Select the new owner (must be existing team member)
- Confirm transfer with your password
- New owner must accept the transfer
After transfer, you become an Admin. Only the new Owner can manage billing and delete the organization.
When to Transfer
Common scenarios:
- Organizational changes (new manager)
- Original owner leaving company
- Consolidating multiple accounts
- Security best practices (dedicated admin account)
SSO Integration (Scale+)
Scale and Enterprise plans can enable Single Sign-On for centralized authentication.
Supported Providers
- SAML 2.0: Okta, OneLogin, Azure AD, Google Workspace
- OAuth 2.0: GitHub, GitLab
- OpenID Connect: Auth0, Keycloak
Enable SSO
- Go to Settings → Authentication → SSO
- Choose your identity provider
- Configure SSO settings:
- Entity ID
- SSO URL
- X.509 Certificate
- Test SSO connection
- Enable for organization
SSO Enforcement
Once enabled, you can enforce SSO:
- Optional: Team members can use SSO or email/password
- Required: All team members must use SSO
- Required (except Owners): SSO required for all except organization owners
Automatic Provisioning
With SCIM (System for Cross-domain Identity Management):
- Automatically create users when added to IdP group
- Remove access when removed from IdP group
- Sync user attributes (name, email, role)
Contact [email protected] to enable SCIM.
Best Practices
1. Use Principle of Least Privilege
Assign the minimum role necessary:
- Viewers for stakeholders who only need to see metrics
- Members for team members actively managing analytics
- Admins only for those who need to manage team or websites
- Owner for billing manager only
2. Regular Access Reviews
Quarterly review of team members:
- Remove members who left the organization
- Adjust roles for members with changed responsibilities
- Revoke website access that's no longer needed
3. Use Website-Level Permissions
For multi-site organizations:
- Grant access only to relevant websites
- Use "All Websites" sparingly (Admins only)
- Review access when launching new websites
4. Monitor Activity Log
Regularly check the activity log for:
- Unexpected role changes
- Unusual data export activity
- Unauthorized access attempts
- Configuration changes
5. Enable Two-Factor Authentication
Require 2FA for all team members:
- Go to Settings → Security
- Enable Require 2FA for organization
- All members will be prompted to set up 2FA on next login
Collaboration Features
Shared Dashboards
Create shared dashboards for team collaboration:
- Create a custom dashboard
- Click Share → With Team
- Select team members or roles
- Set permissions (View/Edit)
Comments & Annotations
Add notes to specific data points:
- Click on any chart data point
- Click Add Comment
- Type your note
- Tag team members with
@mention
Tagged members receive email notifications.
Scheduled Reports
Send automated reports to team members:
- Go to Reports → Scheduled
- Click New Report
- Configure:
- Report type (Weekly, Monthly, Custom)
- Recipients (team members or external emails)
- Data included
- Delivery schedule
- Save and enable
API Access for Teams
Organization API Keys
Create API keys at the organization level:
- Read Access: View all websites (for integrations)
- Write Access: Track events (for servers)
- Admin Access: Full API access (use sparingly)
Member API Keys
Members can create their own API keys:
- Scoped to websites they have access to
- Cannot exceed their role permissions
- Visible to Admins and Owner
Revoking API Keys
Admins and Owners can revoke any API key:
- Go to Settings → API Keys
- Find the key
- Click Revoke
Member's personal API keys are automatically revoked when they leave the team.
Troubleshooting
Can't Invite Member
Possible causes:
- Subscription limit reached (check plan limits)
- Invalid email address
- Member already in organization
- Email domain blacklisted (some free email providers)
Solution: Verify plan allows more members, check email format, or contact support.
Invited Member Can't Accept
Common issues:
- Invitation email in spam folder
- Invitation expired (> 7 days)
- Email mismatch (invited email differs from sign-up email)
Solution: Resend invitation, check spam, ensure correct email.
Member Can't Access Website
Check:
- Member's role (Viewers can't access all features)
- Website-specific permissions
- Account status (suspended, deactivated)
Fix: Adjust website access in member settings.
Plan Limits
Team member limits by plan:
| Plan | Team Members | SSO | Activity Log Retention |
|---|---|---|---|
| Free | 2 | ❌ | N/A |
| Pro | 5 | ❌ | 30 days |
| Scale | 25 | ✅ | 90 days |
| Enterprise | Unlimited | ✅ | Unlimited |
Getting Help
For team management assistance:
- Email: [email protected]
- Enterprise Support: [email protected]
- Documentation: Check our other guides