Tresorit offers three admin roles with different permissions for managing users in Business or Enterprise subscriptions.
Admin roles
Owner: Has full control of the subscription, including billing, licenses, security features, and integrations.
Co-owner: Can delete users, remotely wipe devices, and reset passwords (when Advanced Control is enabled). Manages policies, reports, and branding, but can't handle billing or purchase licenses.
ℹ️ This role is available only with the Enterprise subscription.
Co-admin: Handles day-to-day user and policy management. Can invite, suspend, and delete users, but can't reset passwords or wipe devices.
| Permission | Owner | Co-owner | Co-admin |
| --- | --- | --- | --- |
| Purchase licenses | ✅ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ |
| Transfer subscription ownership | ✅ | ❌ | ❌ |
| Invite users/revoke invitations | ✅ | 🔒(with available license) | 🔒(with available license) |
| Suspend/remove users | ✅ | ✅ | ✅ |
| Delete user accounts | ✅ | ✅ | 🔒(without folder transfer) |
| Folder takeover | 🔒(with Advanced Control) | 🔒(with Advanced Control) | ❌ |
| Reset passwords | 🔒(with Advanced Control) | 🔒(with Advanced Control) | ❌ |
| Remote wipe user devices | 🔒(with Advanced Control) | 🔒(with Advanced Control) | ❌ |
| Enable Advanced Control | ✅ | ❌ | ❌ |
| Add/revoke co-admin rights | ✅ | ✅ | ✅ |
| Add/revoke co-owner rights | ✅ | ✅ | ❌ |
| Manage policies | ✅ | ✅ | ✅ |
| Activity reports | ✅ | ✅ | ✅ |
| Custom branding | ✅ | ✅ | ✅ |
| Domain verification | ✅ | ❌ | ❌ |
| Enable Data Residency | ✅ | ❌ | ❌ |
| Active Directory | ✅ | ✅ | ❌ |
| Integrations (SSO, SIEM, SCIM) | ✅ | ❌ | ❌ |
| Sign Data Processing Agreement | ✅ (can be delegated) | ❌ | ❌ |