If you’re running a team on a SaaS platform, you already know that getting user permissions right is a pain. It’s either too strict (nobody can do anything) or too loose (everyone can nuke the account). If you’re using Mailscale for your company’s email infrastructure, you’ve got a few knobs to turn—but it’s easy to get lost in the options.
This guide is for team leads, admins, or anyone tasked with setting up who can do what inside Mailscale. No hype, no fluff—just what you need to keep things running, and avoid the classic “wait, why can’t I see that?” headaches.
Why Permissions Matter (and How They Bite You)
Before you start clicking around, let’s get real about why permissions aren’t just some checkbox exercise:
- Security: The more people with admin rights, the more ways things can go sideways (accidentally or otherwise).
- Accountability: When everyone’s an admin, nobody’s responsible.
- Productivity: Too-restrictive access means your team nags you for every little thing.
Bottom line: set it up right once, and you won’t have to clean up a permissions mess later.
Step 1: Understand Mailscale’s Permission Model
Mailscale keeps things relatively straightforward, but you need to know the basics:
- Roles: There are a few built-in roles—Admin, Manager, User (sometimes called Member), and occasionally Custom roles if your plan supports it.
- Role = Permissions: Each role has a fixed set of things it can and can’t do. You can’t tweak the built-in roles, but you can assign them smartly.
- Per-Resource Permissions: For bigger teams, you might set access at the mailbox, domain, or group level. For most folks, roles are enough.
Pro Tip: If you’re on a lower-tier plan, you may only see Admin and User. Don’t overthink it—simplicity is your friend.
Step 2: Decide Who Needs What
Don’t just copy your org chart. Think about actual needs:
- Admins: Should be a short list. These folks can add/remove users, change billing, and see everything.
- Managers: Can usually manage mailboxes and groups, but not billing or account settings.
- Users/Members: Day-to-day access. Can send/receive email, but can’t touch settings.
- Custom roles: If you have them, use sparingly. The more roles you have, the more you’ll forget who’s supposed to do what.
What works: Fewer people with high-level access = fewer mistakes.
What to ignore: The urge to give everyone admin “just in case.” It always backfires.
Step 3: Add Users to Your Team
Let’s get practical. Here’s how you add new users:
- Go to Team Settings:
  - Log in as an Admin.
  - Click your profile or settings icon, then select “Team” or “Users.”
- Invite New User:
  - Click “Invite User” or “Add Team Member.”
  - Enter their email address.
  - Choose their role (Admin, Manager, User).
- Send Invite:
  - User gets an email. They accept, set a password, and join your team.
Gotchas:
- Invite links usually expire after a day or two. Resend if they miss it.
- Double-check the email address. Typos mean you’ll be waiting forever.
Pro Tip: If you’re onboarding a bunch of people, set aside 10 minutes and do it in one go. Batch the pain.
Step 4: Assign and Review Roles
Once your team is in, it’s time to double-check who can do what.
- Review the List: In “Team” or “Users,” you’ll see everyone and their roles.
- Change Roles: Click a user’s name and pick a different role if needed.
  - You’ll need to confirm—Mailscale doesn’t want you to switch admins accidentally.
- Remove Users: If someone leaves the company (or just doesn’t need access), remove them. Don’t leave zombie accounts hanging around.
Honest Take:
- Don’t wait for a quarterly review to clean this up. If someone changes jobs, update their access now.
- Don’t let “temporary” admins linger. They have a way of becoming permanent, and that’s rarely good.
Step 5: Use Groups or Teams (If You Need To)
If your organization is larger or split into teams (sales, support, etc.), Mailscale may let you create groups:
- Groups let you assign permissions to a whole set of users at once.
- You can manage mailbox access, group settings, and sometimes even domain-level permissions this way.
When to use: Only if you have clear, ongoing divisions (like different departments). Otherwise, it’s just another layer to manage.
When to ignore: Small teams. Just stick to roles.
Step 6: Audit Regularly
Permissions are not “set it and forget it.” Every quarter—or when people change roles—do a quick audit:
- List all users. Who’s still in the company? Anyone look unfamiliar?
- Review roles. Are there more admins than you remember? Any users with more access than they need?
- Check recent activity. Did someone do something weird? If you have an audit log, use it.
Pro Tip: Pair this with offboarding. When someone leaves, yank their access before their farewell Slack message.
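The audit checks above can be scripted against an exported user list. This is an added example, not Mailscale tooling: the CSV columns (`email`, `role`, `last_login`), the staff roster, and the thresholds are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column names are an assumed export layout,
# not a documented Mailscale format.
TEAM_CSV = """email,role,last_login
alice@example.com,Admin,2024-05-28
bob@example.com,Admin,2024-01-10
carol@example.com,Manager,2024-05-30
dave@example.com,User,2024-05-29
erin@example.com,Admin,2024-05-27
frank@example.com,User,2023-11-02
"""

# Constructed roster of people still at the company (e.g. from HR).
CURRENT_STAFF = {
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "erin@example.com",
}


def audit_team(team_csv, current_staff, today, max_admins=2, stale_days=90):
    """Run the three audit checks: unknown users, admin count, idle accounts."""
    findings = {"not_on_roster": [], "stale": [], "admins": []}
    for row in csv.DictReader(io.StringIO(team_csv)):
        email = row["email"].strip().lower()
        last_login = date.fromisoformat(row["last_login"].strip())
        # "Who's still in the company?" -> account with no matching staff entry.
        if email not in current_staff:
            findings["not_on_roster"].append(email)
        # Idle accounts are candidates for removal or a role downgrade.
        if (today - last_login).days > stale_days:
            findings["stale"].append(email)
        # "Are there more admins than you remember?"
        if row["role"].strip() == "Admin":
            findings["admins"].append(email)
    findings["too_many_admins"] = len(findings["admins"]) > max_admins
    return findings


if __name__ == "__main__":
    for check, result in audit_team(TEAM_CSV, CURRENT_STAFF, date(2024, 6, 1)).items():
        print(f"{check}: {result}")
```

Accounts that show up under both `not_on_roster` and `stale` are the zombie accounts to remove first; an idle Admin is a candidate for a downgrade.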
Step 7: Don’t Overcomplicate Things
It’s tempting to build a perfect permissions matrix, but honestly:
- Most teams only need Admin and User.
- Custom roles and groups are great—if you have a real use case.
- Overengineering = confusion. If you have to explain your setup with a chart, it’s probably too much.
If you’re not sure, start simple. It’s easier to add complexity later than to untangle a mess.
Common Pitfalls (And How to Avoid Them)
A few things that trip up even experienced admins:
- Too many admins: Resist the urge. It’s not a democracy.
- Stale accounts: Remove ex-employees as soon as they leave. Every extra account is a risk.
- Assuming built-in roles are “fine”: Actually check what each role can do. Don’t be surprised.
- Ignoring notifications: If Mailscale warns you about access changes, pay attention. It usually means something important.
Advanced Tips (For Those Who Need Them)
If you’re on a higher plan or really need fine-grained control:
- Custom Roles: Create roles for things like “Billing Only” or “Support Lead.” But document what each one means.
- API Access: If you use integrations, make sure API keys aren’t floating around with full admin rights.
- 2FA: If you can, require two-factor authentication for all roles—especially admins.
- Audit Logs: Check who changed what, and when. Useful for both mistakes and actual security issues.
Wrapping Up
User permissions in Mailscale aren’t rocket science, but they can trip you up if you ignore them. Start with the built-in roles, keep your admin list tight, and review access every so often. Don’t try to build the perfect system on day one—get the basics right, then adjust as your team grows or changes.
The best setup is the one you don’t have to think about every day. Keep it simple, fix problems as they come up, and you’ll spend less time wrangling permissions—and more time actually getting stuff done.