MSP Granular Access Control
Control exactly what each person on your team can see and do — down to which clients they can access and what actions they can take.
WHY IT MATTERS
Access mistakes at an MSP have real consequences
A junior technician making a DNS change on the wrong client's zone, a contractor with access that persists past the end of an engagement, or an accidental deletion in a shared admin account — these happen when everyone uses the same login or when access is too broad by default.
Albaspot's access control model is built to match the way MSPs actually operate: different people need different levels of access, often scoped to specific clients. The audit log means you always know exactly who did what and when.
COMPLIANCE SUPPORT
Granular access control, role-based permissions, and a full activity log satisfy multiple SOC 2 Common Criteria requirements for logical access management.
Client isolation, scoped permissions, and a complete audit trail support HIPAA risk assessments for MSPs managing infrastructure for healthcare clients.
Many cyber liability policies require documented role-based access controls. The Albaspot audit log and role structure provide the evidence trail insurers ask for.
Third-party access management and audit logging are among the technical measures explicitly referenced in NIS2 guidance for managed service providers.
Set per-team retention windows so operational data is automatically purged after it is no longer needed — reducing your data footprint and supporting GDPR data minimisation obligations.
ROLE-BASED ACCESS
Three team roles with distinct access levels
Each role is designed for a specific type of team member — from full administrative control to scoped client access.
- Full access to all features, clients, and resources
- Manage billing, subscription, and plan changes
- Invite and remove team members
- Change roles for Admin and Member accounts
- Only role that can delete the team account
- Full operational access to all clients and resources
- Create, edit, and delete domains, DNS records, websites
- Manage DMARC policies for all clients
- Invite and manage Members
- Cannot access billing or delete the team
- Access scoped by the Owner or Admin
- Can be restricted to specific clients only
- Read-only or write access per resource type
- Cannot manage team membership
- Actions logged the same as other roles
AUDIT LOG
Full audit log of every action
Every create, update, and delete action in Albaspot is recorded in the activity log. The log captures who took the action, what resource was affected, when it happened, and the originating IP address.
This applies to all MSP team members — Owner, Admin, and Member — as well as any client users operating through the client portal. You always have a complete trail.
- Actor name and role recorded on every entry
- Resource type and specific record affected
- Timestamp (UTC) for every action
- IP address of the request origin
- Filterable by client, resource type, or date range
TEAM MANAGEMENT
Team member invitations and management
Add team members by sending an email invitation. Invitations have an expiry time — if not accepted, they become inactive and can be resent. Once accepted, the new member's role and access can be updated at any time by an Owner or Admin.
RELATED FEATURE
How this connects to the client portal
Your MSP team roles work alongside a separate client portal tier. Clients log in at app.albaspot.com and see only their own resources. They can invite their own developers or viewers without any access to your MSP team view or other clients.
Client Portal & Developer AccessDATA RETENTION
Configurable retention policies with automated cleanup
Albaspot lets you define how long operational data — such as DMARC aggregate reports and activity logs — is kept for your team. Once a retention window expires, the data is automatically purged. You stay in control of your data footprint without any manual housekeeping.
For security-conscious MSPs serving regulated industries, configurable retention is a concrete privacy control: it limits exposure, supports GDPR data minimisation requirements, and demonstrates to clients and auditors that you handle their data responsibly.
- Per-team retention window — set the period that suits your compliance posture
- Automated background cleanup — no manual purge steps required
- Reduces your data footprint and limits breach exposure
- Supports GDPR data minimisation and storage limitation principles
- Demonstrable privacy control for client and auditor due-diligence reviews
Retention policy — your team settings
GDPR Article 5(1)(e) requires personal data not be kept longer than necessary. Albaspot's automated retention and purge cycle makes this a system property, not a manual process.
See it in practice
Set up your MSP team, define access levels, and start managing clients — all in one place.