Ownership Model
Every identity in AccessHive has an ownership type that determines how it is created, who manages it, and whether it is tied to a specific client. Understanding ownership helps you decide whether to create an identity yourself or let the system create one through the access request flow.
How ownership works
When an identity is created, AccessHive assigns it one of two ownership types: Agency or Client-Dedicated. This assignment is permanent and controls where the identity appears, who can manage its credentials, and how it is scoped across your client accounts.
- Agency identities are owned by your agency and shared across clients as needed.
- Client-Dedicated identities are scoped to a single client and created automatically when an access request is approved.
Types of ownership
Agency
An Agency identity is a platform account that your agency creates and manages directly. It is not tied to any one client – you can assign it to multiple clients or keep it agency-wide.
- Created by an Admin or Identity Manager using the identity wizard
- Not linked to a specific client account
- Can be scoped to a single platform or used across all compatible platforms
- Managed by the agency team (credential rotation, checkout policies, lifecycle)
Example: Your agency has a single Google Analytics 4 account (ga4@youragency.com) that the team uses to pull reporting data for all clients.
Client-Dedicated
A Client-Dedicated identity is created automatically when an access request is approved. It gives a specific client their own isolated credentials on a platform.
- Created through the access request approval flow, not the identity wizard
- Linked to one client account
- Gives each client isolated credentials, separate from other clients
- Managed automatically through the access lifecycle (provisioned on approval, revoked on expiration)
Example: A client needs their own Meta Business login. They submit an access request, an approver accepts it, and the system creates a dedicated identity scoped to that client.
Comparison
| Agency | Client-Dedicated | |
|---|---|---|
| Created by | Admin via the identity wizard | Automatically via access request approval |
| Linked to a client | No (can be assigned to any client) | Yes (always scoped to one client) |
| Scope | Agency-wide or platform-specific | Client-specific |
| Who manages it | Agency admin or identity manager | Managed automatically through the access flow |
| Typical use | Shared agency accounts used across clients | Isolated credentials for a single client |
Use Agency ownership when your team needs a shared account that works across multiple clients – like a platform login the whole team uses. Use Client-Dedicated ownership when a client needs their own isolated credentials, especially for sensitive platforms where access should not be shared across accounts.
Related pages
- Create an Agency identity step by step – See Creating Identities.
- Submit a request that creates a Client-Dedicated identity – See Access Requests guide.
- Understand the different identity types – See Identity Types.
- Learn how credentials are stored – See Credential Vault.