One installation. Many administrators. No shared logins.

Data scope and use case. An Administrator is a staff account — an admin with a permission sees that permission's data across the whole installation, including data owned by every User beneath them. A User is a tenant — hard-scoped to their own data (their own lists, contacts, broadcasts), with no visibility into another user's records regardless of permissions. Admins are how you give your own team access; Users are how you isolate someone else's account on your installation. User Management is a Commercial-plan feature for resellers, agencies, and white-label SaaS setups — Personal and Professional plans only have Administrators, which is what most internal-use customers need. See [Team & Users](/campaigns/features/user-management/) for the full hierarchy.

Yes. Every admin permission is global by default — the admin sees every list on the installation, including lists created by other admins and lists owned by every User beneath the admin tier. This is the defining behaviour that makes someone an admin in the first place. If you need a teammate to see only a subset of data, you have two options: (1) build a role that simply doesn't include the read permission for that section, or (2) create them as a User instead of an admin — Users are hard-scoped to their own data with no exceptions. Most teams pick option 1; resellers and agencies pick option 2 for their client accounts.

There's no built-in cap on the number of administrators per installation. Add as many as your team structure needs — each one is a real account with its own login, role, send quotas, and 2FA. Authentication logs scale with the admin count; the role builder doesn't slow down with more administrators in a role.

Very. The role tree exposes every action across the platform — Contact Lists (add / edit / split / merge / move contacts / delete / delete bulk), Contacts (add / view / edit / import / export / bulk update / delete), Custom Fields (add / edit / delete), Segmentation (add / edit / schedule / export / copy / move), Suppression (per-type per-action), Broadcasts (add / edit / schedule / re-schedule / copy / delete), Drip Campaigns, Triggers, Sending Nodes (per-gateway-type), Bounce Addresses, Web Forms, Statistics (per-campaign-type per-tab), Tools, and more. Tick any combination. Use 'Check All' for power roles or build minimal-permission read-only auditor roles. Each role can be reused across as many administrators as need it.

Each administrator has optional capacity-cap toggles — Hourly sending rate, Daily sending limit, Monthly sending limit, Maximum threads, plus any additions the platform adds over time. Toggle ON to set a per-admin override; toggle OFF to inherit the platform default. These are throughput caps only — they shape how much an admin can send through, not what data the admin can see. Useful when one admin handles bulk broadcasts and another handles low-volume transactional from the same installation; cap the bulk admin to protect the queue without restricting the rest.

Yes. 2FA is enableable per role (so a Compliance Officer role can require 2FA while a Read-only Auditor role doesn't), per administrator (force a specific admin to enable 2FA on next sign-in), or platform-wide. The Administrators list shows 2FA status per admin so you can spot stragglers. The 2FA addon adds the underlying Google-Authenticator-compatible TOTP support.

Yes — every sign-in, sign-out, and admin action is logged. Tools → Authentication Logs lists ID, name, IP address, activity type, details, and timestamp. Indispensable for compliance reviews, security incident investigation, and answering 'who changed this, when, and from where'. The log is retained for the platform-default retention window; export it for longer-term storage if your compliance regime requires.

Yes — the role is a live blueprint, not a copy. When you tick or untick a permission on the role, every administrator in that role inherits the change immediately. No need to re-save each admin. This is why reusable roles are the lever: change the role once, the change propagates everywhere.

That's the default. Every Mumara Campaigns installation ships with a Super Administrator role that has every permission ticked. The first admin you create on a fresh install is Super Administrator. You can build additional Super-Administrator-equivalent roles using 'Check All' if you want a distinct name for organisational reasons.

Admin permissions are global — when an admin can read lists, they can read every list. Action-level scoping covers most needs (a Marketing Lead can have Add Broadcast and Edit Broadcast but not Delete Broadcast), but you can't restrict an admin to a subset of lists or campaigns inside the same section. For genuine resource-level isolation — admin A only touches the 'Newsletter' list, admin B only touches 'Transactional' — model them as Users with their own Package, not as admins. Users are hard-scoped to their own data with no exceptions. See the Team & Users page for the User hierarchy.