Roles in MaintIQ are deliberately simple — three of them — and Facility-level scoping is layered on top. This article is the canonical reference for who can do what, plus a few patterns that scale to multi-site operations.
The three roles at a glance
| Capability | Technician | Admin | Super Admin |
|---|---|---|---|
| Complete tasks | Yes | Yes | Yes |
| Open / update work orders | Yes | Yes | Yes |
| Read published SOPs | Yes | Yes | Yes |
| Edit / publish SOPs | No | Yes | Yes |
| Open Insights | Self only | Whole team | Whole company |
| Open Admin panel | No | Yes | Yes |
| Manage users & roles | No | Yes | Yes |
| Manage Facilities | No | Yes | Yes |
| Edit historical entries | Within 24 h on own work | Within 24 h on team work | Anytime |
| Manage billing | No | No | Yes |
| Transfer ownership | No | No | Yes |
Facility-level access scoping
Independent of role, every user can be limited to a subset of Facilities. An Admin scoped to two Facilities can do all the Admin things — but only on those two. A Technician scoped to one Facility never sees the Facility switcher.
Set scope from Admin → People → Edit access. By default a new user has access to every Facility.
Common patterns
Single-site team
- One Super Admin (the account owner).
- One or two Admins (the maintenance manager and a backup).
- Everyone else is Technician.
No Facility scoping needed because there is only one Facility.
Multi-site, central ops
- One Super Admin at HQ.
- One Admin per site, scoped to that site.
- Technicians scoped to their home site.
- A small "Ops Excellence" group of Admins scoped to all sites for comparative reporting.
Contractors and vendors
- Add as Technicians, scoped to a single Facility.
- Use the Pending invite state to delay activation until day one on site.
- Deactivate (don't delete) on contract end so their history remains attributable.
Changing a role safely
- Promotion (Tech → Admin) takes effect immediately.
- Demotion (Admin → Tech) preserves all the user's historical work but removes their ability to publish SOPs or run Insights. Any open SOP draft they own becomes read-only.
- Always verify that you have at least two Admins per Facility before demoting the last one.
Auditing access changes
Every role change is logged in Admin → Audit log with the actor, the target user, the old role, the new role, and the timestamp. Export this log monthly if you operate under a regulator that requires access audits.
Tips
- Keep the Admin count small. Most field staff genuinely need Technician.
- Quarterly access reviews catch stale accounts before they become an incident.
- Use Facility scoping rather than additional roles. The simpler the role matrix, the easier the audits.
FAQ
Can a user be Technician at one Facility and Admin at another? Not today. Use scoping and a clear Admin pair per Facility instead.
What happens when a tech leaves the company? Deactivate from Admin → People. Their entries remain attributable, but they can no longer sign in or be assigned new work.
Can I create a custom role? Custom roles are on the roadmap. Today the three built-in roles plus Facility scoping cover almost every real-world case.