Team and roles
Invite users, RBAC matrix (admin/director/csm/viewer), SSO/SAML, and book assignment.
This page covers how to get your team operating inside LealUp with the right permissions.
The 4 roles
LealUp has 4 application roles. Each role has a set of per-feature permissions (see the matrix below).
| Role | For whom | Can do |
|---|---|---|
| admin | Whoever configures and maintains the platform | Everything. Create/edit/delete customers, playbooks, health model, fields, integrations, users. |
| director | Head of CS, CSO, CS Ops | View the whole book, edit health and playbooks, see aggregate dashboards, export. Doesn't edit customers directly (that's what CSMs are for). |
| csm | Customer Success Managers | View and edit customers in their book, run playbooks, log activity, see their personal dashboard. |
| viewer | External stakeholders, audit, sales | Read-only on anything they have access to. Doesn't edit anything. |
Permissions matrix (full)
Permissions are defined by feature × action. The features LealUp controls:
customer_360, health_scoring, segments, playbooks, notifications, renewals, dashboard, data_export, team_management, analytics, custom_fields.
Actions: view, create, update, delete, config, execute, personalize, export.
Summary by role
| Feature | Admin | Director | CSM | Viewer |
|---|---|---|---|---|
| Customer 360 | full | view | view+edit (book) | view |
| Health scoring | full | view+config | view | view |
| Segments | full | view+config | view | view |
| Playbooks | full | view+config+execute | view+execute | view |
| Renewals | full | view+config | view | view |
| Dashboard | full | full | view+personalize | view |
| Data export | full | export | export (own) | — |
| Team management | full | view | — | — |
| Analytics | full | view+config | — | view |
| Custom fields | full | view | view+update | view |
The detailed matrix lives in code (backend/app/core/permissions.py). If you need a custom role, it's not configurable via UI right now — contact support for Scale/Enterprise plans.
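As an added illustration of how a feature × action matrix with per-role scopes can be checked (this is example code, not LealUp's backend/app/core/permissions.py), the block below transcribes the summary table above into a deny-by-default `can()` function. The role, feature and action names are the ones listed on this page; the "book" and "own" scope conditions, the reading of "edit" as `update`, and the `Context` object are assumptions made for the example.

```python
# Added example: a small model of the summary matrix above, not LealUp's own
# backend/app/core/permissions.py. Role, feature and action names are the ones
# listed on this page; the row-level scopes ("book", "own") are assumptions
# drawn from the parenthetical notes in the table.
from dataclasses import dataclass
from typing import Optional

ROLES = ("admin", "director", "csm", "viewer")
ACTIONS = ("view", "create", "update", "delete", "config", "execute", "personalize", "export")
FEATURES = ("customer_360", "health_scoring", "segments", "playbooks", "notifications",
            "renewals", "dashboard", "data_export", "team_management", "analytics", "custom_fields")
FULL = frozenset(ACTIONS)


def _p(*actions):
    return frozenset(actions)


# Transcribed from the "Summary by role" table; "edit" is read as "update".
# notifications has no row in that table, so only admin (who has everything)
# gets it here: anything not listed is denied.
MATRIX = {
    "admin": {f: FULL for f in FEATURES},
    "director": {
        "customer_360": _p("view"), "health_scoring": _p("view", "config"),
        "segments": _p("view", "config"), "playbooks": _p("view", "config", "execute"),
        "renewals": _p("view", "config"), "dashboard": FULL, "data_export": _p("export"),
        "team_management": _p("view"), "analytics": _p("view", "config"),
        "custom_fields": _p("view"),
    },
    "csm": {
        "customer_360": _p("view", "update"), "health_scoring": _p("view"),
        "segments": _p("view"), "playbooks": _p("view", "execute"), "renewals": _p("view"),
        "dashboard": _p("view", "personalize"), "data_export": _p("export"),
        "custom_fields": _p("view", "update"),
    },
    "viewer": {
        "customer_360": _p("view"), "health_scoring": _p("view"), "segments": _p("view"),
        "playbooks": _p("view"), "renewals": _p("view"), "dashboard": _p("view"),
        "analytics": _p("view"), "custom_fields": _p("view"),
    },
}

# Row-level restrictions from the table's parenthetical notes: a CSM edits only
# customers in their book and exports only their own data.
SCOPE = {
    ("csm", "customer_360", "update"): "book",
    ("csm", "data_export", "export"): "own",
}


@dataclass(frozen=True)
class Context:
    in_book: bool = False  # is the target customer in the actor's book?
    own: bool = False      # does the target data belong to the actor?


def can(role: str, feature: str, action: str, ctx: Optional[Context] = None) -> bool:
    """Deny-by-default check: unknown roles, features or actions are refused, an
    action missing from the role's row is refused, and a scoped permission is
    granted only when its scope condition holds for this request."""
    ctx = ctx or Context()
    if role not in ROLES or feature not in FEATURES or action not in ACTIONS:
        return False
    if action not in MATRIX[role].get(feature, frozenset()):
        return False
    scope = SCOPE.get((role, feature, action))
    if scope == "book":
        return ctx.in_book
    if scope == "own":
        return ctx.own
    return True
```

The point of the `SCOPE` table is that "view+edit (book)" is not a role-level permission at all: the decision needs the request's target, so the check takes a `Context` and refuses a CSM's update of a customer outside their book even though `update` is in their row.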
Invite users
Admin → Team → Invite
- Enter email and role.
- Optionally assign initial book (which customers this CSM will see/edit).
- Click Send invitation — an email arrives with a unique link to your workspace subdomain.
Invitees accept, complete their profile (name, timezone, language), and become active.
Bulk invite
If you're inviting 10+ people:
- Admin → Team → Import CSV with columns email,role,territory_id (territory_id is optional).
- Each row is processed as an individual invite.
- Errors (invalid email, unrecognized role) are reported at the end.
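The bulk-invite behaviour described above (one invite per row, errors collected and reported at the end rather than aborting the import) as an added example; this is not LealUp's importer. The column names and role set come from this page; the email sanity check, the duplicate-row rule and the sample CSV are constructed for the example.

```python
# Added example, not LealUp's importer: parse an invite CSV with the columns
# email,role,territory_id (territory_id optional), validate every row, and
# collect errors so the whole file is reported at the end.
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROLES = {"admin", "director", "csm", "viewer"}
# Deliberately simple shape check (something@something.tld); it is a sanity
# check before sending mail, not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Invite:
    email: str
    role: str
    territory_id: Optional[str]


def parse_invites(csv_text: str) -> Tuple[List[Invite], List[str]]:
    """Return (valid invites, error messages). A bad row is skipped and
    reported with its line number; the remaining rows are still processed."""
    invites: List[Invite] = []
    errors: List[str] = []
    seen = set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # the header is line 1
        email = (row.get("email") or "").strip().lower()
        role = (row.get("role") or "").strip().lower()
        territory = (row.get("territory_id") or "").strip() or None
        if not EMAIL_RE.match(email):
            errors.append(f"line {line_no}: invalid email {email!r}")
            continue
        if role not in ROLES:
            errors.append(f"line {line_no}: unrecognized role {role!r}")
            continue
        if email in seen:  # same address twice would send two invitations
            errors.append(f"line {line_no}: duplicate email {email!r}")
            continue
        seen.add(email)
        invites.append(Invite(email, role, territory))
    return invites, errors


# Constructed sample file: two good rows, one bad address, one unknown role,
# one duplicate of the first row.
SAMPLE_CSV = """email,role,territory_id
maria@example.com,csm,latam-ent
pat@example.com,Director,
not-an-email,csm,
sam@example.com,superuser,
maria@example.com,csm,
"""

if __name__ == "__main__":
    ok, bad = parse_invites(SAMPLE_CSV)
    for inv in ok:
        print("invite:", inv)
    for err in bad:
        print("error: ", err)
```

Collecting errors instead of raising on the first one is what lets an admin fix a 200-row file in one pass; lower-casing the email before the duplicate check keeps `Maria@` and `maria@` from becoming two accounts.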
Book assignment
Each customer has one primary owner (a single CSM) and optionally co-owners.
Ways to assign:
1. Manual assignment
On the customer record → ••• menu → Change owner → select CSM.
2. Rule-based assignment
Admin → Team → Assignment rules
E.g., "All customers with segment Enterprise LATAM and ARR > $50k → owner = Maria".
Rules are evaluated when the customer is created or when an involved field changes.
3. Round-robin
Equitable automatic distribution among CSMs in a territory. Configurable by segment.
Rebalance
If a CSM leaves the company or changes roles, Admin → Team → Rebalance lets you reassign their book in bulk to other CSMs (by rules or manually).
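To show how rule-based assignment, round-robin fallback and a rebalance fit together, here is an added example (not LealUp's assignment engine). The rule in it is the one quoted above ("segment Enterprise LATAM and ARR > $50k → owner = Maria"); the `Customer`/`Rule` shapes, the territory rosters, the CSM names and the choice to evaluate rules before falling back to round-robin are assumptions made for the example.

```python
# Added example, not LealUp's assignment engine: ordered rules first, then
# round-robin among the CSMs of the customer's territory; rebalance() re-runs
# the same logic over a departing CSM's book with that CSM excluded.
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, List, Optional


@dataclass
class Customer:
    name: str
    segment: str
    arr: float          # annual recurring revenue, in the same currency as the rule
    territory: str
    owner: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    segment: str
    min_arr: float      # rule matches when arr is strictly greater than this
    owner: str


def match_rule(rules: Iterable[Rule], customer: Customer) -> Optional[str]:
    """First matching rule wins; rules are evaluated in the order given."""
    for rule in rules:
        if customer.segment == rule.segment and customer.arr > rule.min_arr:
            return rule.owner
    return None


class RoundRobin:
    """Equitable distribution per territory: each call hands out the next CSM."""

    def __init__(self, csms_by_territory: Dict[str, List[str]]):
        self._cycles = {t: cycle(sorted(c)) for t, c in csms_by_territory.items() if c}

    def next_owner(self, territory: str) -> str:
        if territory not in self._cycles:
            raise LookupError(f"no CSMs configured for territory {territory!r}")
        return next(self._cycles[territory])


def assign(customer: Customer, rules: Iterable[Rule], rr: RoundRobin) -> str:
    """Run on creation or when an involved field changes: rule match, else round-robin."""
    customer.owner = match_rule(rules, customer) or rr.next_owner(customer.territory)
    return customer.owner


def rebalance(customers: Iterable[Customer], departing: str,
              rules: Iterable[Rule], csms_by_territory: Dict[str, List[str]]) -> List[Customer]:
    """Reassign every customer owned by `departing`. Rules that point at the
    departing CSM are dropped and they are removed from every rotation, so
    nothing can land back on the person who left."""
    kept_rules = [r for r in rules if r.owner != departing]
    rosters = {t: [c for c in cs if c != departing] for t, cs in csms_by_territory.items()}
    rr = RoundRobin(rosters)
    moved = []
    for c in customers:
        if c.owner == departing:
            assign(c, kept_rules, rr)
            moved.append(c)
    return moved
```

Rules and the rotation are both deterministic here (sorted roster, strict `>` on ARR), which makes reassignments auditable: for any customer you can say which rule, or which position in the rotation, produced the owner.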
SSO / SAML
Admin → Security → SSO
LealUp supports OIDC and SAML 2.0 with:
- Google Workspace — automatic OIDC with domain verification.
- Microsoft Entra ID (Azure AD) — SAML 2.0.
- Okta — OIDC or SAML.
- Auth0 — OIDC.
- Custom IdP — generic OIDC (requires issuer URL + client credentials).
Enable SSO
- Admin → Security → SSO → Configure → pick provider.
- Enter IdP metadata (issuer URL, cert, ACS URL).
- Test with your own user.
- Force SSO — once tested, toggle "Force login via SSO". From then on, users can't log in by password.
JIT provisioning
When a new user logs in via SSO with an email from your domain, they're auto-created with role viewer (configurable by IdP group).
Group mapping
If your IdP sends group claims, you can map:
- Group [email protected] → role director.
- Group [email protected] → role csm.
- Group [email protected] → role viewer.
Group changes in the IdP take effect on next login.
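The JIT provisioning and group mapping described above, as an added example that is not LealUp's SSO code: the role is derived from the group claim on every login, so a group change in the IdP is reflected the next time the user signs in, and a user with no mapped group gets the default viewer role. The group names, the allowed domain, the "highest-privilege mapped group wins" tie-break and the in-memory user store are assumptions made for the example.

```python
# Added example, not LealUp's SSO code. Group names, the allowed domain and the
# tie-break rule are constructed; your real values come from your IdP and
# the Admin → Security → SSO settings.
from typing import Dict, Iterable

ROLE_RANK = {"viewer": 0, "csm": 1, "director": 2, "admin": 3}
JIT_DEFAULT_ROLE = "viewer"        # least privilege for a user nobody mapped
ALLOWED_DOMAIN = "example.com"     # constructed; the verified workspace domain

# Constructed mapping. admin is intentionally absent: group membership alone
# should not mint admins, so that role stays a manual decision in the app.
GROUP_TO_ROLE = {
    "lealup-directors": "director",
    "lealup-csm": "csm",
    "lealup-viewers": "viewer",
}


def role_from_groups(groups: Iterable[str], mapping: Dict[str, str] = GROUP_TO_ROLE) -> str:
    """Map the IdP group claim to one application role. Unmapped groups are
    ignored; with several mapped groups the highest-privilege role wins
    (assumption for this example); with none, the JIT default applies."""
    mapped = [mapping[g] for g in groups if g in mapping]
    if not mapped:
        return JIT_DEFAULT_ROLE
    return max(mapped, key=ROLE_RANK.__getitem__)


def jit_login(claims: dict, users: Dict[str, str], mapping: Dict[str, str] = GROUP_TO_ROLE) -> str:
    """Handle one SSO login. `claims` is the validated ID token / SAML
    assertion content (email, groups); `users` is the app's email -> role
    store. The role is recomputed on every login, which is what makes IdP
    group changes take effect at the next sign-in, demotions included."""
    email = claims["email"].strip().lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if domain != ALLOWED_DOMAIN:
        raise PermissionError(f"{email!r} is not in the workspace domain")
    role = role_from_groups(claims.get("groups", []), mapping)
    users[email] = role      # creates the user on first login, updates afterwards
    return role
```

Recomputing the role from the claim at each login (rather than only at first creation) is the detail that makes the IdP the source of truth; a user removed from every mapped group drops back to viewer on their next sign-in instead of keeping a stale director role.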
Mandatory MFA
Admin → Security → MFA
- Optional (default) — each user decides whether to enable.
- Mandatory for admins — forced only for the admin role.
- Mandatory for everyone — forced for all users.
Supported methods: TOTP (Google Authenticator, Authy, 1Password), security keys (WebAuthn), SMS (not recommended).
Audit log
Admin → Audit log
All sensitive actions are recorded:
- Login / logout / failed login.
- Role changes.
- Invitations and removals.
- Health model changes.
- Exports.
- Customer deletions.
Queryable by user, date, action. Exportable to CSV/JSON.
Remove users
Admin → Team → [user] → Deactivate
- The user loses access immediately.
- Their book stays in limbo until you reassign it (LealUp warns you at deactivation).
- Emails/notes they left stay visible, attributed to them.
- You can reactivate at any time.
Permanent delete is different — requires double confirmation and wipes the profile. Emails stay attributed to "Deleted user". Only available for GDPR compliance.
Best practices
- 1 primary admin + 1 backup. Don't leave a single admin — if they leave, someone needs to be able to take over.
- Review the audit log weekly for the first 2 months post-deploy.
- Rename SSO groups with clear prefixes (lealup-) so they're obvious to maintain.
- Rotate credentials every 180 days if you use OIDC with a client secret.