MSP Granular Access Control
Control exactly what each person on your team can see and do — down to which clients they can access and what actions they can take.
WHY IT MATTERS
Access mistakes at an MSP have real consequences
A junior technician making a DNS change on the wrong client's zone, a contractor with access that persists past the end of an engagement, or an accidental deletion in a shared admin account — these happen when everyone uses the same login or when access is too broad by default.
Albaspot's access control model is built to match the way MSPs actually operate: different people need different levels of access, often scoped to specific clients. The audit log means you always know exactly who did what and when.
COMPLIANCE SUPPORT
Granular access control, role-based permissions, and a full activity log satisfy multiple SOC 2 Common Criteria requirements for logical access management.
Client isolation, scoped permissions, and a complete audit trail support HIPAA risk assessments for MSPs managing infrastructure for healthcare clients.
Many cyber liability policies require documented role-based access controls. The Albaspot audit log and role structure provide the evidence trail insurers ask for.
Third-party access management and audit logging are among the technical measures explicitly referenced in NIS2 guidance for managed service providers.
ROLE-BASED ACCESS
Three team roles with distinct access levels
Each role is designed for a specific type of team member — from full administrative control to scoped client access.
- Full access to all features, clients, and resources
- Manage billing, subscription, and plan changes
- Invite and remove team members
- Change roles for Admin and Member accounts
- Only role that can delete the team account
- Full operational access to all clients and resources
- Create, edit, and delete domains, DNS records, websites
- Manage DMARC policies for all clients
- Invite and manage Members
- Cannot access billing or delete the team
- Access scoped by the Owner or Admin
- Can be restricted to specific clients only
- Read-only or write access per resource type
- Cannot manage team membership
- Actions logged the same as other roles
AUDIT LOG
Full audit log of every action
Every create, update, and delete action in Albaspot is recorded in the activity log. The log captures who took the action, what resource was affected, when it happened, and the originating IP address.
This applies to all MSP team members — Owner, Admin, and Member — as well as any client users operating through the client portal. You always have a complete trail.
- Actor name and role recorded on every entry
- Resource type and specific record affected
- Timestamp (UTC) for every action
- IP address of the request origin
- Filterable by client, resource type, or date range
TEAM MANAGEMENT
Team member invitations and management
Add team members by sending an email invitation. Invitations have an expiry time — if not accepted, they become inactive and can be resent. Once accepted, the new member's role and access can be updated at any time by an Owner or Admin.
RELATED FEATURE
How this connects to the client portal
Your MSP team roles work alongside a separate client portal tier. Clients log in at app.albaspot.com and see only their own resources. They can invite their own developers or viewers without any access to your MSP team view or other clients.
Client Portal & Developer AccessSee it in practice
Set up your MSP team, define access levels, and start managing clients — all in one place.