Users & roles
Tether has two categories of users: MSP staff who can see all tenants, and client users who are scoped to a single organisation. Roles control what each user can do within their scope.
User categories
| Category | is_msp_staff | tenant_id | Scope |
|---|---|---|---|
| MSP staff | true | null | Can access and manage all tenants. Sees the MSP dashboard and Clients page. |
| Client user | false | Set to a specific tenant ID | Scoped to one tenant only. Cannot see other tenants or the MSP dashboard. |
Built-in roles
| Role | MSP staff? | Default permissions summary |
|---|---|---|
msp_admin | Yes | Full control — all 17 permissions, including tenant management, billing, and user management across all tenants. |
msp_technician | Yes | Can manage assets, check-out/in, import/export, and manage categories, locations, and people across all tenants. Cannot manage billing, create tenants, or manage user accounts. |
client_admin | No | Full control within their own tenant, including user management and settings. Cannot see other tenants or MSP-level features. |
client_manager | No | Can manage assets (create, edit, check-out/in, import/export), manage categories, locations, and people. Cannot manage user accounts or tenant settings. |
client_viewer | No | Read-only access. Can view assets and export to CSV. Cannot create, edit, or delete anything. |
If a user needs slightly more or less access than their role provides, use per-user permission overrides instead of creating a new role. See Permissions reference.
Creating a user
MSP staff user
- Log in as an
msp_admin - Go to Users in the left sidebar
- Click New User
- Fill in name, email, and password
- Select a role — choose
msp_adminormsp_technician - Check the MSP Staff checkbox — this grants cross-tenant access
- Leave Tenant blank (MSP staff have no tenant restriction)
- Click Create User
An MSP staff user can read and modify data across every client tenant. Only grant this to people who genuinely need it. When in doubt, use client_admin for the specific tenant instead.
Client user
- Go to Clients and find the client you want to add a user to
- Click Users next to the client
- Click New User
- Fill in name, email, password, and role
- The tenant is pre-filled — do not change it
- Leave the MSP Staff checkbox unchecked
- Click Create User
Creating a user directly requires you to set their password on their behalf. Invite links let the user set their own password — better for security and removes the need to share passwords out of band. See Invite links.
Managing users
From the Users page (either MSP-level or client-level), you can:
- Edit — change name, email, role, or active status
- Reset password — enter a new password in the edit form and save
- Deactivate — uncheck Active. The user cannot log in but all their data and history is preserved. Useful for offboarding without losing records.
- Delete — permanently removes the user account. Their name remains in checkout history records, but the account itself is gone.
- Edit permissions — click the lock icon to open the permission override editor for that user
Client team self-management
Users with the client_admin role can manage their own team from the
Team page in their client portal. They can create, edit, and deactivate
users within their tenant. They cannot:
- Grant MSP staff access
- Create users in other tenants
- Assign roles above
client_admin - See or modify MSP-level users
Active vs inactive users
Inactive users cannot log in and do not consume any licence slots (Tether has no per-user limits). When a user leaves a client, deactivate rather than delete — this preserves their checkout history and makes it clear who had which assets.