Roles & permissions
TL;DR - Three roles: admin, operate (read-write), and view (read-only). Admin and operate behave the same in v1 - pick the right label for the right person, and the difference will matter as we add admin-only capabilities.
The three roles
| Role | Can read | Can execute payments | Can manage team | Can be disabled |
|---|---|---|---|---|
| Admin | Everything | Yes | Yes | No |
| Operate (read-write) | Everything | Yes | Yes | Yes |
| View (read-only) | Everything | No | No | Yes |
In v1 admin and operate share the same effective permissions. The label is preserved so new admin-only capabilities (e.g. impersonation, fintech-wide config changes) can land later without re-labeling existing users.
Pick carefully - roles are immutable in v1
There is no "change role" action yet. If you need to switch someone's role, disable their account and re-invite them with the role you want.
Who creates the first admin?
The first operator account at every fintech is admin, and it is created by Magma during fintech onboarding. From there, that admin can invite the rest of the team via Invite operators.
What "View" can and cannot do
Read-only operators see the same screens as everyone else, but every action that would create, modify, or send something is disabled.
View operators can:
- View customers, recipients, virtual accounts, transactions, audit logs.
- Edit their own profile (password, 2FA, phone).
View operators cannot:
- Initiate any payout.
- Create or edit customers, recipients, fees.
- Invite or modify other operators.
TOTP and payouts
Every operator that runs payments has a TOTP authenticator app enrolled at first login. The same code is used for both login second factor and payout confirmation - there is no separate OTP delivery channel. See Your first login for the enrollment walkthrough.
What's next
- Invite operators - add the rest of your team and pick the right role for each person.
- Manage your team - change roles, disable accounts, resend invites.