# Team and roles

**In short:** Manage who has access to Unless and what each role can do. Includes specific access for support agents who only need the Team Assistant.

**Last updated:** 2026-05-27

## Key concepts

### Roles
- **Admin.** Full platform access including billing.
- **Editor.** Can configure Train, Test, Deploy, and read Analyze.
- **Reviewer.** Read-only access to Conversations, Analyze, and Trust.
- **Team Assistant only.** Cannot use the dashboard. Can only authenticate the Team Assistant browser extension to use inside their helpdesk.

### Users
People with access to your Unless workspace. Each has a role and, optionally, a specific workspace scope.

### Authentication
Email and password, MFA, and SSO (SAML) for enterprise plans.

### Workspace scope
A user can have access to one workspace, several, or all. Useful when one team manages multiple Unless workspaces.

## What you can do here

- Add or remove users
- Assign roles
- Switch on MFA or SSO
- Audit who has access to what
- Set workspace scope per user

## When to use it

- During onboarding, to set up your initial team
- When a team member joins or leaves
- When adding support agents who only need the Team Assistant
- When granting a DPO or auditor read access (use the Reviewer role)
- During the annual security review

## How it works

Roles map to permissions. Permissions map to dashboard sections and actions. The user sees only what their role allows. Audit logs track who accessed what and are available in [Accountability](/en/help/trust/accountability/).

## Frequently asked questions

**How do I add a support agent who only needs the Team Assistant?**
Open **Account and billing > Team and roles > Add user**. Pick the **Team Assistant only** role. The user can authenticate the browser extension but cannot see the dashboard.

**How do I give my DPO read access?**
Assign the Reviewer role. It gives read-only access to Conversations, Analyze, and Trust. Document the role in your privacy policy.

**How do I enable SSO?**
Open the SSO settings, pick your identity provider, and follow the SAML configuration steps. Available on enterprise plans.

**How do I require MFA for everyone?**
Open the security policy and switch on **Require MFA**. Existing users get prompted on next sign-in.

**How do I remove a user who left the company?**
Open the user's profile and click **Remove**. They lose access immediately. Their action history stays in the audit log.

**How many users can I add?**
Flex includes 10 team seats. Fixed includes 50. For higher counts, talk to your account manager. See Subscription and invoices for the rest of the plan limits.
