Team & roles

The three workspace roles (member, admin, owner), what each can do, and how invites work.

Your workspace has three roles — member, admin, and owner. Each one can do everything the role below it can, plus a bit more.

Workspace roles

Here’s what each role can do. Remember the cumulative rule: an admin can do everything a member can, and an owner can do everything an admin can.

RoleCan
Member
Read-only plus the day-to-day incident workflow.
  • View every dashboard, access incident, and Access Ledger
  • Run fulfillment checks (single customer or full scan)
  • Acknowledge and ignore access incidents
Admin
Everything a member can, plus repairs and configuration.
  • Approve or reject a suggested repair
  • Connect and edit integrations (Stripe, database, Clerk)
  • Manage rules, notification channels, and API keys
  • Invite and remove members
Owner
Everything an admin can, plus workspace-level control.
  • Change a member's role
  • Delete a project
Running a check and acknowledging or ignoring an access incident are member-level — everyone on the team can keep the workflow moving. Approving a repair is an admin action, because it can write to your database.

Managing members

Admins and the owner manage the team from workspace settings.

  • Admins can invite teammates and remove members.
  • The ownercan also change a member’s role and delete a project.
  • Nobody can change or remove the owner, and nobody can change their own role.

Inviting a teammate

Invites are a one-time link. Like an API key, ParityRail stores only a hash of the token — never the link itself.

  1. An admin or the owner enters the teammate’s email and a role (admin or member), and gets back a link to send them.
  2. The link is valid for 7 days. Sending a fresh invite to the same email revokes the old one, so only the newest link works.
  3. The invitee opens the link while signed in. Their signed-in email must match the invited email, and it must be verified— a matching but unverified email isn’t proof they actually own it.
An unverified email blocks acceptance until the teammate verifies it. That’s what stops someone from claiming an invite sent to an address they don’t control.