Update Matomo Roles for the collaborator

Update the collaborator’ permissions whenever scope changes or security policies evolve.

When to Update

New sites launch and the collaborator needs admin or view access.
Engagement focus narrows and the collaborator should only see specific sites.
API usage expands, requiring token_auth regeneration or additional capabilities.
Security requires MFA/SSO changes or password rotations.

Open Administration → System → Users and locate the collaborator’s account.
Click Edit and adjust the global role (Super User, Admin, Write, View) if necessary.
Update the site-specific permissions by checking or unchecking the appropriate boxes and choosing the correct role per site.
If API access changes, regenerate the token_auth and share the new value securely.
Save the changes and document the request ID or ticket number.
Inform the collaborator’s team about the update so they can validate on their side.

Verify the updated roles appear correctly in the user list.
Ask the collaborator to confirm they can access (or no longer access) the intended sites.
Export the relevant entries from System → Audit Log for compliance.

Update SSO group mappings if provisioning is automated.
If Matomo is self-hosted, confirm config files (e.g., for scheduled reports) reflect the new account rights.
Note any dependency on this user for integrations (Data Warehouse exports, tag manager) and adjust as needed.