
How to Use Admin Roles

 Administrator Roles: Account Administrator vs. Group Administrator Overview

MedixSafe accounts have three user roles:

  • User — day-to-day access to safes they are allowed to use; no administrative tools in the web dashboard.
  • Account Administrator — full administrative control over the entire account.
  • Group Administrator — administrative control limited to the Groups they belong to.

If your organization uses Groups to organize safes, stations, or regions, Group Administrators let you delegate management locally without giving someone account-wide access. Account Administrators remain responsible for account-wide setup and policy.

Both administrator roles sign in to the same web dashboard. When administrator multi-factor authentication (MFA) is enabled for your account, it applies to Global and Group Administrators alike.


What Are Groups?

A Group is a collection of users and safes (devices) used to organize who can manage what. Examples:

  • A fire station and its apparatus safes
  • A hospital wing and its medication safes
  • A regional depot and its fleet units

A Group Administrator must be a member of the Group they are expected to manage. Membership defines their scope: they can work with safes and Group settings tied to Groups they belong to—not the whole account.

A person can belong to more than one Group. In that case, their Group Administrator permissions apply across all Groups they are in.


Account Administrator

Best for: IT leads, medical directors, compliance officers, or anyone who needs full control of the MedixSafe account.

An Account Administrator is responsible for overall account management. In practice, they can:

  • Create, edit, and delete Groups
  • Add and remove safes from the account and assign them to Groups
  • Change account settings (organization-wide options and integrations)
  • Manage schedules, credentials, and webhooks
  • Create, edit, and delete users at any role level
  • Perform all tasks a Group Administrator can perform, for any Group and any safe on the account

Account Administrators are not restricted by Group membership when choosing a safe—for example, when starting narcotics or asset enrollment, they may select any online safe on the account (subject to normal online/status checks).


Group Administrator

Best for: station chiefs, shift supervisors, site leads, or department managers who should manage their users and safes without changing organization-wide settings.

A Group Administrator can handle many day-to-day administrative tasks, but only within their Groups. They can typically:

  • View Groups, safes, and users they have access to through Group membership
  • Create and update standard users (and other Group Administrators, where appropriate)
  • Import users in bulk
  • Clear a user’s PIN or fingerprint enrollment when credentials need to be reset
  • Update safe settings for safes in their Groups (configuration, sync, firmware upgrade, emergency OTP, and similar operations)
  • Add or remove users from a Group they belong to
  • Manage tracked assets / narcotics for their Groups—including creating inventory records and running enrollment on safes in those Groups

Important limits for Group Administrators

Keep these constraints in mind—they are intentional safeguards:

| Topic | What Group Administrators cannot do |
| --- | --- |
| Account-wide settings | Change organization account settings, credentials, schedules, or webhooks |
| Groups structure | Create or delete Groups; change Group description, logo, notification emails, or which safes belong to a Group |
| Safes | Register new safes on the account or remove safes entirely |
| Account Administrators | Create, edit, demote, or otherwise manage users who are Account Administrators |
| User deletion | Permanently delete user accounts (Account Administrator only) |
| Scope | Act on safes outside their Groups—for example, enrollment, firmware, sync, or OTP on another station’s safe |
| Own role | Change their own role (no user can change their own role) |

If a Group Administrator is not assigned to any Group, they will not see Groups or safes to manage until an Account Administrator adds them to the correct Group(s).


Side-by-Side Summary

| Capability | Account Administrator | Group Administrator |
| --- | --- | --- |
| Manage all Groups and safes on the account | Yes | Only their Groups |
| Account settings, webhooks, schedules, credentials | Yes | No |
| Create / delete Groups | Yes | No |
| Add / remove safes from the account | Yes | No |
| Add / remove users from a Group | Yes | Yes (their Groups only) |
| Create and edit standard users | Yes | Yes |
| Delete users | Yes | No |
| Manage Account Administrator accounts | Yes | No |
| Update safe settings, sync, firmware, OTP | Yes (any safe) | Yes (their Groups only) |
| Asset / narcotics enrollment | Yes (any eligible safe) | Yes (safes in their Groups only) |
| View enrollment / inventory for their area | Yes | Yes (scoped) |


Choosing the Right Role

Use an Account Administrator when someone must:

  • Stand up a new account or restructure Groups across the organization
  • Connect integrations (webhooks, authenticators, credentials)
  • Delete users or change who has Account Administrator access
  • Enroll narcotics or manage safes regardless of location

Use a Group Administrator when someone must:

  • Run daily operations for one site or region—users, PINs, fingerprints, safe updates
  • Enroll narcotics or assets only for safes they oversee
  • Add/remove staff from their Group without touching other sites

Principle of least privilege: Prefer Group Administrator for site-level leads; reserve Account Administrator for a small number of trusted account owners.


Setting Up a Group Administrator

An Account Administrator should:

  1. Create or identify the Group (station, unit, site, etc.).
  2. Assign the safe(s) to that Group.
  3. Create the user (or edit an existing user) and set their role to Group Administrator.
  4. Add that user to the Group as a member.

Steps 3 and 4 both matter. The role grants administrative tools; Group membership defines where those tools apply. A user with the Group Administrator role who is not in any Group will not be able to manage safes or enrollment until they are added to the right Group(s).

To grant access to multiple sites, add the same person to each relevant Group (or use an Account Administrator if account-wide access is truly required).


Enrollment and “Which Safe Can I Pick?”

For flows such as narcotics enrollment, the web app asks you to choose a safe to program tags.

  • An Account Administrator may select any online safe on the account.
  • A Group Administrator may select only safes that belong to a Group they are a member of, and the safe must be online.

If a Group Administrator does not see an expected safe in the list, confirm:

  • The safe is online
  • The safe is assigned to a Group the administrator belongs to
  • The administrator’s user record is actually a member of that Group
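
The scoping rules above (the role grants the tools, Group membership sets where they apply, and the safe must be online), modeled as an added Python example for auditing or troubleshooting. This is not MedixSafe code or its API: the role strings, class and function names, the sample data, and the idea that a safe may sit in more than one Group are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical role labels; MedixSafe's internal identifiers are not on the page.
USER, GROUP_ADMIN, ACCOUNT_ADMIN = "user", "group_admin", "account_admin"

@dataclass
class Safe:
    name: str
    online: bool
    groups: set = field(default_factory=set)

@dataclass
class Person:
    name: str
    role: str
    groups: set = field(default_factory=set)

def why_not_selectable(person, safe):
    """Reasons the safe is missing from this person's enrollment picker ([] = selectable)."""
    if person.role not in (GROUP_ADMIN, ACCOUNT_ADMIN):  # fail closed on unknown roles
        return ["role has no administrative tools"]
    reasons = [] if safe.online else ["safe is offline"]
    if person.role == GROUP_ADMIN:
        if not person.groups:
            reasons.append("administrator is not a member of any Group")
        elif not safe.groups:
            reasons.append("safe is not assigned to any Group")
        elif not person.groups & safe.groups:
            reasons.append("safe is not in a Group the administrator belongs to")
    return reasons

def selectable_safes(person, safes):
    return [s.name for s in safes if not why_not_selectable(person, s)]

def unscoped_group_admins(people):
    """Role set (step 3) but never added to a Group (step 4): they can manage nothing."""
    return [p.name for p in people if p.role == GROUP_ADMIN and not p.groups]

# Constructed sample data, not taken from any real account.
SAFES = [Safe("Engine 1", True, {"Station 1"}),
         Safe("Medic 2", False, {"Station 1"}),
         Safe("Depot A", True, {"Depot"})]
CHIEF = Person("chief", GROUP_ADMIN, {"Station 1"})
NEW_LEAD = Person("new_lead", GROUP_ADMIN)
DIRECTOR = Person("director", ACCOUNT_ADMIN)

if __name__ == "__main__":
    for p in (CHIEF, NEW_LEAD, DIRECTOR):
        print(p.name, selectable_safes(p, SAFES))
    print("unscoped:", unscoped_group_admins([CHIEF, NEW_LEAD, DIRECTOR]))
```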

Two-Person Access and Administrators

Some safes are configured for two-person access (a second authorized person must be present). Depending on safe settings, the second person may need to be a Group Administrator or Account Administrator. Both administrator types can satisfy that requirement when the safe is configured to allow “an administrator.”


Common Questions

Can one person be both roles?
Each user has one role. Use Account Administrator only when account-wide access is needed; otherwise use Group Administrator plus Group membership.

Can a Group Administrator promote someone to Account Administrator?
No. Only an Account Administrator can create or change Account Administrator accounts.

Why can a Group Administrator see users outside their Group?
They may have access to the user directory for the account, but they cannot change or remove Account Administrators, and they cannot delete users. Operational focus should still stay on users and safes in their Groups.

Why does a Group Administrator get an error updating a safe?
The safe is likely not in one of their Groups. An Account Administrator can confirm Group assignment for that safe.

Why can’t a Group Administrator change Group notification emails or add a new safe to a Group?
Those changes affect account structure and routing. They require an Account Administrator.