# Sub-users & teams

The dashboard exposes two related concepts:

* **Sub-users** — credentials your traffic uses against the proxy gateway. Per-product.
* **Team members** — humans with dashboard / API access. Per-account.

They serve different purposes — read both sections.

## Sub-users (proxy credentials)

Sub-users are how you slice quota and isolate workloads. Each is an independent set of credentials and limits.

### Create

1. Left nav → **{Product} → Sub-users → Create sub-user**.
2. Fill in **label** (your name for it, e.g. `acme-staging`), then **concurrent** and **RPS** caps.
3. Click **Create**.
4. **Copy the issued name and password immediately** — we show the password only once.

\[screenshot: sub-user creation success modal showing one-time password]

### Configure

Each sub-user has:

| Setting                  | Notes                                                              |
| ------------------------ | ------------------------------------------------------------------ |
| **Label**                | Editable any time                                                  |
| **Status**               | `active` or `disabled`. Disabled = all proxy requests return `403` |
| **Concurrent max**       | Per-product cap, ≤ plan limit                                      |
| **RPS max**              | Per-product cap, ≤ plan limit                                      |
| **Whitelisted IPs**      | See [Whitelisting IPs](/dashboard/whitelisting-ips.md)             |
| **Sticky session count** | Read-only — how many active sticky sessions                        |

### Rotate password

**{Sub-user} → Reset password** → new password shown once. Old keeps working for 60 seconds.

### Delete

**{Sub-user} → Settings → Delete**. All bandwidth attribution stops; any open connections drain within 60 seconds.

> Deleting a sub-user with an ISP batch bound to it requires unbinding the batch first.

### Multiple sub-users per product?

Use them to **segment** workloads:

* One per customer (if you're reselling)
* One per environment (dev / staging / prod)
* One per scraping target (so a noisy target doesn't impact others' quotas)
* One per team

Bandwidth still pools across sub-users of the same product, but the per-sub-user concurrent and RPS caps give you isolation.

## Team members (dashboard / API access)

Distinct from sub-users — these are people who log into the dashboard or issue API tokens.

### Invite

1. **Settings → Team → Invite member**.
2. Email + role.
3. Send. They get an invite link valid for 7 days.

### Roles

| Role         | Permits                                                                               |
| ------------ | ------------------------------------------------------------------------------------- |
| **Owner**    | Everything, including billing changes and account deletion (one per account)          |
| **Admin**    | Sub-users, orders, whitelists, traffic, API tokens, team invites — no billing changes |
| **Operator** | Sub-users, orders, whitelists, traffic — no team or API token management              |
| **Viewer**   | Read-only on everything except billing                                                |
| **Billing**  | Read all + manage billing (invoices, payment methods, subscriptions)                  |

You can assign multiple roles to one member (e.g. `Operator` + `Billing`).

### Transfer ownership

Owner: **Settings → Team → Transfer ownership → {new owner}**. The new owner accepts via email; you become Admin. Useful when the founding account holder is leaving.

### Single sign-on (SSO)

Enterprise plan only. **Settings → SSO** supports OIDC and SAML 2.0. Map IdP groups to roles in the SSO config.

## Audit log

Every action a team member takes (create sub-user, place order, rotate password, change billing) appears in **Settings → Audit log**. Filterable by member, action type, and date.

Retained 365 days. Export to CSV from the same page.

## Sub-user vs team member at a glance

|                    | Sub-user                      | Team member                  |
| ------------------ | ----------------------------- | ---------------------------- |
| What it identifies | A traffic source / credential | A human (or service account) |
| Used by            | Proxy gateway                 | Dashboard + API              |
| Has password?      | Yes (one-time shown)          | Email + own password         |
| Per-product?       | Yes                           | No (account-level)           |
| MFA support?       | n/a                           | Yes (TOTP)                   |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.helodata.com/dashboard/sub-users.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.