HexSign supports three role tiers per organization, multi-factor authentication for every user, and per-user authentication audit logs. SSO via SAML and OIDC is available on higher plans.
What each role can do
- Owner: Full access. Manages billing, invites and removes users, and is the only role that can deactivate other Owners. There must always be at least one Owner.
- Admin: Manages all Apple Developer entities (certificates, profiles, bundle IDs, devices, CSRs) and connected Apple accounts. Cannot manage billing or remove Owners.
- Member: Read-only access to the dashboard, plus the ability to download profiles and trigger syncs. Cannot create, regenerate, or revoke entities.
Invite a teammate
1. Open Team → Invite: From Settings → Team, click Invite. Enter the teammate's email and pick a role.
2. They accept and set up MFA: The invitee receives a Cognito invite, sets a password, and is required to enrol an MFA method on first sign-in.
3. Roles can be changed later: Roles are editable from the user's row on the Team page. Changes take effect on the user's next request.
Deactivate vs. remove
Deactivating a user blocks their sign-in but keeps every action they took in the audit log attached to their identity. Use deactivate when someone leaves the team — it's the option that preserves accountability.