All features

MSP Granular Access Control

Control exactly what each person on your team can see and do — down to which clients they can access and what actions they can take.

Owner / Admin / MemberClient scopingFull audit logSOC 2 supportTeam invitationsData retention controls

WHY IT MATTERS

Access mistakes at an MSP have real consequences

A junior technician making a DNS change on the wrong client's zone, a contractor with access that persists past the end of an engagement, or an accidental deletion in a shared admin account — these happen when everyone uses the same login or when access is too broad by default.

Albaspot's access control model is built to match the way MSPs actually operate: different people need different levels of access, often scoped to specific clients. The audit log means you always know exactly who did what and when.

COMPLIANCE SUPPORT

SOC 2
Supports SOC 2 Type II controls

Granular access control, role-based permissions, and a full activity log satisfy multiple SOC 2 Common Criteria requirements for logical access management.

HIPAA
HIPAA-aware access design

Client isolation, scoped permissions, and a complete audit trail support HIPAA risk assessments for MSPs managing infrastructure for healthcare clients.

Cyber liability
Cyber insurance documentation

Many cyber liability policies require documented role-based access controls. The Albaspot audit log and role structure provide the evidence trail insurers ask for.

NIS2
NIS2 access governance

Third-party access management and audit logging are among the technical measures explicitly referenced in NIS2 guidance for managed service providers.

GDPR / Privacy
Configurable data retention

Set per-team retention windows so operational data is automatically purged after it is no longer needed — reducing your data footprint and supporting GDPR data minimisation obligations.

ROLE-BASED ACCESS

Three team roles with distinct access levels

Each role is designed for a specific type of team member — from full administrative control to scoped client access.

Owner
  • Full access to all features, clients, and resources
  • Manage billing, subscription, and plan changes
  • Invite and remove team members
  • Change roles for Admin and Member accounts
  • Only role that can delete the team account
Admin
  • Full operational access to all clients and resources
  • Create, edit, and delete domains, DNS records, websites
  • Manage DMARC policies for all clients
  • Invite and manage Members
  • Cannot access billing or delete the team
Member
  • Access scoped by the Owner or Admin
  • Can be restricted to specific clients only
  • Read-only or write access per resource type
  • Cannot manage team membership
  • Actions logged the same as other roles

AUDIT LOG

Full audit log of every action

Every create, update, and delete action in Albaspot is recorded in the activity log. The log captures who took the action, what resource was affected, when it happened, and the originating IP address.

This applies to all MSP team members — Owner, Admin, and Member — as well as any client users operating through the client portal. You always have a complete trail.

  • Actor name and role recorded on every entry
  • Resource type and specific record affected
  • Timestamp (UTC) for every action
  • IP address of the request origin
  • Filterable by client, resource type, or date range
Activity log
Sarah (Admin) Updated DMARC policy
client-co.com · 2m ago
James (Member) Added DNS TXT record
example.net · 14m ago
Client: Dev user Added CNAME record
staging.client.io · 1h ago
Sarah (Admin) Registered domain
newclient.com · 3h ago

TEAM MANAGEMENT

Team member invitations and management

Add team members by sending an email invitation. Invitations have an expiry time — if not accepted, they become inactive and can be resent. Once accepted, the new member's role and access can be updated at any time by an Owner or Admin.

Invite by email — invitation link sent automatically
Invitations expire and can be resent
Change role at any time without re-inviting
Remove access immediately by revoking membership

RELATED FEATURE

How this connects to the client portal

Your MSP team roles work alongside a separate client portal tier. Clients log in at app.albaspot.com and see only their own resources. They can invite their own developers or viewers without any access to your MSP team view or other clients.

Client Portal & Developer Access

DATA RETENTION

Configurable retention policies with automated cleanup

Albaspot lets you define how long operational data — such as DMARC aggregate reports and activity logs — is kept for your team. Once a retention window expires, the data is automatically purged. You stay in control of your data footprint without any manual housekeeping.

For security-conscious MSPs serving regulated industries, configurable retention is a concrete privacy control: it limits exposure, supports GDPR data minimisation requirements, and demonstrates to clients and auditors that you handle their data responsibly.

  • Per-team retention window — set the period that suits your compliance posture
  • Automated background cleanup — no manual purge steps required
  • Reduces your data footprint and limits breach exposure
  • Supports GDPR data minimisation and storage limitation principles
  • Demonstrable privacy control for client and auditor due-diligence reviews

Retention policy — your team settings

DMARC aggregate report retention 90 days
Activity log retention 365 days
Expired data auto-purge Enabled
GDPR
Storage limitation by design

GDPR Article 5(1)(e) requires personal data not be kept longer than necessary. Albaspot's automated retention and purge cycle makes this a system property, not a manual process.

See it in practice

Set up your MSP team, define access levels, and start managing clients — all in one place.