1 Add a person
Admin › Users & Access › Add user
Give them a username, pick a role (below), and set a temporary password. They'll be asked to change it the first time they sign in.
2 Choose a role
The role sets what someone can do. From most to least access:
| Role | Can do |
|---|---|
| Owner | Everything, including granting the sensitive modules (like Audit). There's always an owner. |
| Manager | Run the business day-to-day and onboard/manage staff — but only member and viewer accounts. Can't create other managers/admins/owners or escalate anyone. |
| Admin | Broad access to the modules they're granted. |
| Member | Everyday user — works in the modules you grant them. |
| Viewer | Read-only. |
Delegated administration: a manager can build out their own team without ever being able to reach up the chain — the key idea is access only flows downward.
3 Grant module access
Beyond the role, you can grant access to specific modules per person (e.g. Pipeline yes, Audit no). Sensitive modules like the Audit log are owner-granted, per person — off until you deliberately switch them on for someone.
Managing people over time
Everyday
- Reset password — for a locked-out user.
- Deactivate — instantly stop someone signing in; reversible.
- Account expiry — auto-expire access on a date (great for contractors).
- Notes — jot why access was granted.
Careful
- Delete removes the person entirely — use Deactivate if they might return.
- When someone leaves, deactivate first — access is cut immediately, everywhere.
Every change here (add, role change, deactivate, reset) is recorded in the Audit log with a before → after diff — so there's always an accountable trail.