Roles and Permissions

Access control over your analytics data should live on your infrastructure, not in a third-party identity cloud you don’t control. HitKeep’s role-based access control (RBAC) is enforced entirely on your instance, with granular roles at both the instance level and per site.

Instance roles apply across the entire HitKeep installation.

Role | Permissions
owner | Full access: users, all sites, system settings, system status, maintenance actions, and instance audit export
admin | Can view all sites, use system status, run maintenance actions, view instance audit logs, and manage IP exclusion rules through the dedicated exclusion controls. Admins cannot perform owner-only settings actions, export instance audit logs, change retention, or use other broad site data mutation endpoints unless they also hold a site role that grants those actions.
user | Access only to explicitly assigned sites

Change a user’s instance role (instance owner only) via:

Deleting a user is blocked if that user is the last owner of any team. Transfer team ownership first, then retry the instance-level delete. This prevents orphaned teams that no one can manage anymore.

The administration sidebar separates operational status from instance configuration:

  • System Status shows runtime health, storage, ingestion volume, LRU cache status, backups, spam filter state, mail delivery status, maintenance actions, and instance audit logs.
  • System Settings keeps the configuration workflows for users, sites, teams, and global filters.

These entries are shown in the sidebar only for users with the matching instance role. See System Status and Settings for the full operator reference.

Site roles are scoped per user, per site. A user can be a viewer on one site and an owner on another.

Role | What they can do
owner | Full site access — data, goals, funnels, team, retention settings, and site-level IP exclusions
admin | Manage data controls, site-level IP exclusions, goals, funnels, and team members
editor | Create and edit goals and funnels
viewer | Read-only access to dashboard and analytics

Site-level IP exclusions are managed by site owner and admin roles through the normal site data-control permission. Instance admin users have a separate, narrow override for exclusion rules only, so they can remove operational noise without inheriting retention or ingestion mutation rights.

Saved Opportunity Recommendations follow the same split:

  • users with site.view can read saved Opportunities for the site
  • users with site.manage_data can generate or regenerate Opportunities, save them, dismiss them, or mark them done
  • instance owners and admins configure the optional AI provider at the runtime level, not from a site page

An invitation email is sent to the address. The user accepts via a link. No admin approval flow is required on your end.

For CI pipelines, integrations, or automated dashboards, use API Clients instead of sharing user credentials. API client tokens are bearer tokens that can be revoked individually without affecting any other user or session.

API clients also govern MCP access and AI fetch ingest. MCP tokens need site.view for read-only aggregate analytics. AI fetch forwarders need site.manage_data for the site they write crawler records into.

MCP clients can read saved Opportunities when their API client token can view the site. They cannot generate Opportunities or mutate status through MCP.
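
An added example, not HitKeep code: a least-privilege audit of API client grants against the requirements above (MCP tokens need site.view, AI fetch forwarders need site.manage_data for the site they write to). The inventory records, the purpose labels, and the treatment of the two permissions as independent are assumptions made for illustration; HitKeep's own export format is not shown on this page.

```python
from dataclasses import dataclass, field

# Permission names as they appear on this page.
VIEW = "site.view"
MANAGE = "site.manage_data"

# Permission each integration type needs, per the text above.
# The keys "mcp" and "ai_fetch" are hypothetical labels.
REQUIRED = {"mcp": VIEW, "ai_fetch": MANAGE}


@dataclass
class ApiClient:
    name: str
    purpose: str                                     # key into REQUIRED
    grants: dict = field(default_factory=dict)       # site -> set of permissions
    target_sites: set = field(default_factory=set)   # sites the integration really uses


def audit(client):
    """Return sorted (site, finding) tuples for one API client."""
    need = REQUIRED[client.purpose]
    findings = []
    # A token that lacks its required permission will fail at runtime.
    for site in client.target_sites:
        if need not in client.grants.get(site, set()):
            findings.append((site, f"missing {need}"))
    # Anything beyond the required permission widens what a leaked token can do.
    for site, perms in client.grants.items():
        if site not in client.target_sites:
            findings.append((site, "grant on unused site"))
            continue
        for extra in sorted(perms - {need}):
            findings.append((site, f"excess {extra}"))
    return sorted(findings)


# Constructed inventory, not real HitKeep output.
CLIENTS = [
    ApiClient("dashboard-mcp", "mcp", {"blog": {VIEW, MANAGE}, "shop": {VIEW}}, {"blog"}),
    ApiClient("crawler-forwarder", "ai_fetch", {"docs": {VIEW}}, {"docs"}),
    ApiClient("ci-readonly", "mcp", {"shop": {VIEW}}, {"shop"}),
]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c.name, audit(c) or "ok")
```

Because each API client token can be revoked individually, a finding here can be fixed by reissuing that one token with narrower grants.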

HitKeep Cloud adds managed user provisioning with tenant-aware isolation and a hosted login flow, while keeping your analytics portable.