
Team Management

Collaborate with your team on AI governance with role-based access control.


Overview

Team Management lets you invite colleagues to your SignalBreak workspace and control what they can access with three role levels: Admin, Member, and Viewer. Perfect for distributed teams managing AI governance together.

Why Team Management Matters

  • Collaboration: Multiple people can manage workflows, scenarios, and governance
  • Access control: Limit sensitive operations (billing, team management) to admins
  • Transparency: Everyone sees the same AI inventory and governance status
  • Compliance: Segregation of duties for SOC 2, ISO 27001 audits

User Roles

SignalBreak has 3 role levels with distinct permissions:

Admin

Who should be admin:

  • Technical leads managing the AI platform
  • Governance/compliance officers
  • DevOps/platform engineers
  • Anyone who needs full control

What admins can do:

  • Everything Members can do (see below)
  • Invite team members
  • Change user roles (promote/demote members)
  • Remove team members
  • Manage billing & subscription
  • Configure integrations (Slack, webhooks, SSO)
  • View audit logs
  • Delete workflows & scenarios (members can only create/edit)

Icon: 🛡️ Shield badge

Recommended count: 2-3 admins (avoid single admin dependency)


Member

Who should be member:

  • DevOps engineers managing day-to-day operations
  • AI/ML engineers configuring workflows
  • Platform engineers
  • Product managers tracking AI usage
  • Anyone who needs to create/edit workflows

What members can do:

  • Create & edit workflows
  • Configure provider bindings (add fallbacks)
  • Create & run scenarios
  • View signals
  • Generate reports (Operational Brief, Board Summary, etc.)
  • Enable/disable models
  • Manage connections (self-hosted providers)
  • Cannot invite team members
  • Cannot change roles or remove users
  • Cannot access billing or team settings
  • Cannot delete workflows (only archive)

Icon: 👤 User badge

Recommended count: Most of your team (5-20 members typical)


Viewer

Who should be viewer:

  • Executives/stakeholders who need visibility
  • Auditors (internal or external)
  • Procurement teams tracking vendor dependencies
  • Legal/compliance teams reviewing AI usage
  • Consultants with read-only access

What viewers can do:

  • View workflows & provider bindings
  • View signals
  • View scenarios & impact analyses
  • Generate & download reports
  • View governance scores & maturity levels
  • View dashboard & analytics
  • Cannot create or edit anything
  • Cannot run scenarios
  • Cannot configure bindings or models
  • Cannot invite users or manage team

Icon: 👁️ Eye badge

Recommended count: 2-5 viewers (stakeholders, auditors)


Role Comparison Matrix

Action | Admin | Member | Viewer
View workflows
Create workflows
Edit workflows
Delete workflows
Configure bindings
Create scenarios
Execute scenarios
View signals
Generate reports
View dashboard
Enable models
Manage connections
Invite team members
Change user roles
Remove team members
Manage billing
View audit logs

Managing Team Members

View Team Members

Location: Settings → Team

What you see:

  • List of all team members with avatars
  • Email addresses
  • Current role (Admin/Member/Viewer badge)
  • "You" badge on your own row
  • Sorted: Admins first, then alphabetically by name

Member count: Displayed at top of card (e.g., "5 members in your organisation")


Invite Team Members

Who can invite: Admins only

Steps:

  1. Navigate to Settings → Team
  2. Scroll to "Invite Team Member" card
  3. Enter email address
  4. Select role (Admin, Member, or Viewer)
  5. Click "Send Invitation"
  6. Invitation email sent immediately

What happens:

  • Invitee receives email with join link
  • Link valid for 7 days
  • After accepting, they appear in team list
  • They inherit the role you assigned

Email invitation includes:

  • Your organization name
  • Link to accept invitation
  • What role they're being invited as
  • Link to SignalBreak

Limits by plan:

| Plan | Max Team Members | Notes |
| --- | --- | --- |
| Free | 1 | Just you (no invitations) |
| Starter | 5 | Small teams |
| Professional | 25 | Mid-size teams |
| Enterprise | Unlimited | Large organizations, agencies |

What happens when you hit the limit:

  • Invite button disabled
  • Error message: "Team member limit reached. Please upgrade your plan."
  • Existing members remain active

Troubleshooting invitations:

  • Email not received: Check spam folder, resend invitation
  • Link expired: Resend invitation (generates new link valid for 7 days)
  • User can't access after accepting: Check their role, may need to be promoted

Change User Roles

Who can change roles: Admins only

Rules:

  • ✅ Admins can change anyone's role except their own
  • ✅ Can promote Viewers → Members → Admins
  • ✅ Can demote Admins → Members → Viewers
  • ❌ Cannot change your own role (prevents accidental lockout)
  • ❌ Members and Viewers cannot change any roles

Steps (Method 1: Dropdown):

  1. Navigate to Settings → Team
  2. Find the team member
  3. Click role dropdown (shows current role)
  4. Select new role (Admin, Member, or Viewer)
  5. Role changes immediately
  6. User sees new permissions next time they navigate

Steps (Method 2: Actions Menu):

  1. Navigate to Settings → Team
  2. Find the team member
  3. Click ⋯ (three dots) actions menu
  4. Select "Make Admin", "Make Member", or "Make Viewer"
  5. Role changes immediately

Confirmation toast:

✅ Role updated
[Name] is now a [role]

Use cases:

Promote to Admin:

Use case: DevOps engineer needs to manage billing

Current: Member (can manage workflows, not billing)
Action: Promote to Admin
Result: Can now access Settings → Billing

Demote to Viewer:

Use case: External auditor finished audit, no longer needs edit access

Current: Member (can edit workflows)
Action: Demote to Viewer
Result: Read-only access, can still generate reports

Remove Team Members

Who can remove: Admins only

Rules:

  • ✅ Admins can remove anyone except themselves
  • ❌ Cannot remove yourself (prevents accidental lockout)
  • ❌ Must have at least 1 admin remaining
  • ⚠️ Removal is immediate (user loses access instantly)

Steps:

  1. Navigate to Settings → Team
  2. Find the team member
  3. Click ⋯ (three dots) actions menu
  4. Select "Remove from team" (red text)
  5. Confirm in dialog: "Remove [Name] from the team?"
  6. Click "Remove"
  7. User removed immediately

What happens:

  • User loses access to SignalBreak immediately
  • Their session is invalidated (logged out if currently logged in)
  • Historical data remains (workflows they created, audit logs)
  • Attribution preserved (e.g., "Created by [Name]" still visible)

Confirmation toast:

✅ Member removed
[Name] has been removed from the team

Cannot undo: Removal is permanent. To re-add, send a new invitation.

When to remove:

  • Employee leaves company
  • Contractor/consultant engagement ends
  • User no longer needs access
  • User account compromised (security incident)

Team Limits by Plan

SignalBreak enforces team size limits based on your subscription:

| Plan | Team Members | Admins | Notes |
| --- | --- | --- | --- |
| Free | 1 | 1 | Solo use only |
| Starter | 5 | 5 | All can be admins |
| Professional | 25 | 25 | All can be admins |
| Enterprise | Unlimited | Unlimited | Custom SSO, SAML |

What counts toward limit:

  • All active users (Admins + Members + Viewers)
  • Pending invitations (not yet accepted) also count
  • Removed users do NOT count

What happens when you hit the limit:

  • Invite button disabled
  • Error message when attempting to invite
  • Existing team members remain active (read-only)

How to manage limits:

  • Remove inactive users: Settings → Team → Remove
  • Cancel pending invitations that expired
  • Upgrade plan if consistently at limit

Check your usage:

  1. Navigate to Settings → Billing
  2. View "Team Members" usage meter
  3. Shows: X / Y members used (Z% of quota)

Best Practices

1. Always Have at Least 2 Admins

Why: Prevents lockout if one admin is unavailable (vacation, leaves company, etc.)

Recommended:

  • 2-3 admins for small teams (<10 people)
  • 3-5 admins for mid-size teams (10-50 people)
  • 5-10 admins for large teams (>50 people)

Who to make admin:

  • Technical lead (DevOps, Platform Engineering)
  • Governance/compliance officer
  • Engineering manager
  • Head of Security (if relevant)

Red flag: Single admin who also manages billing → Risk of service disruption if they're unavailable


2. Use Least Privilege (Start with Viewer)

Principle: Give users the minimum permissions they need, promote as needed.

Recommended onboarding flow:

New hire joins → Invite as Viewer → They explore for 1 week

If they need to create workflows → Promote to Member

If they need to manage team/billing → Promote to Admin

Why this works:

  • Users learn the platform before getting edit access
  • Reduces accidental changes by new users
  • Easier to promote than demote (less awkward conversation)
  • Complies with security best practices (SOC 2, ISO 27001)

3. Audit Your Team Quarterly

What to check:

  • Are all users still with the company?
  • Do users still need their current role level?
  • Any users who should be demoted (role no longer relevant)?
  • Any pending invitations that expired (cancel them)?

Quarterly review checklist:

[ ] Remove users who left the company
[ ] Review admin list (still need admin access?)
[ ] Demote users no longer doing hands-on work (e.g., promoted managers)
[ ] Check for duplicate accounts (same person, different emails)
[ ] Cancel expired invitations (>7 days old, not accepted)

Why quarterly: Team composition changes often (hires, departures, role changes). Quarterly cadence catches most changes.
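The mechanical parts of this checklist can be scripted against a team export. The following is an added example, not SignalBreak code: the record layout, the HR roster and all sample data are constructed assumptions, and name matching for duplicates is only a heuristic. It also applies the two-admin minimum from best practice 1.

```python
from datetime import date, timedelta

INVITE_TTL = timedelta(days=7)  # invitation lifetime stated on this page
MIN_ADMINS = 2                  # "Always Have at Least 2 Admins"

# Constructed sample data; the field names are assumptions, not an export format.
TEAM = [
    {"name": "Alice Ng", "email": "alice@example.com", "role": "admin"},
    {"name": "Bob Roy", "email": "bob@example.com", "role": "member"},
    {"name": "Bob Roy", "email": "bob.roy@example.net", "role": "member"},
    {"name": "Dana Kim", "email": "dana@example.com", "role": "member"},
    {"name": "Ext Auditor", "email": "auditor@example.org", "role": "viewer"},
]
PENDING = [
    {"email": "new@example.com", "sent": date(2025, 1, 2)},
    {"email": "late@example.com", "sent": date(2025, 1, 20)},
]
# People HR (or the vendor register) still lists as active.
HR_ACTIVE = {"alice@example.com", "bob@example.com",
             "bob.roy@example.net", "auditor@example.org"}


def review(team, pending, hr_active, today):
    """Return (finding, subject) tuples for the scriptable checklist items."""
    findings = []
    # [ ] Remove users who left the company
    for m in team:
        if m["email"].lower() not in hr_active:
            findings.append(("remove_departed", m["email"]))
    # [ ] Review admin list: flag a single-admin dependency
    admins = sorted(m["email"] for m in team if m["role"] == "admin")
    if len(admins) < MIN_ADMINS:
        findings.append(("too_few_admins", ",".join(admins)))
    # [ ] Check for duplicate accounts (same display name, different emails)
    by_name = {}
    for m in team:
        by_name.setdefault(m["name"].casefold(), []).append(m["email"])
    for emails in by_name.values():
        if len(emails) > 1:
            findings.append(("possible_duplicate", ",".join(sorted(emails))))
    # [ ] Cancel expired invitations; pending ones still count toward the plan limit
    for inv in pending:
        if today - inv["sent"] > INVITE_TTL:
            findings.append(("cancel_expired_invite", inv["email"]))
    return findings


if __name__ == "__main__":
    for finding in review(TEAM, PENDING, HR_ACTIVE, date(2025, 1, 25)):
        print(*finding, sep=": ")
```

The two judgement items (whether an admin still needs admin access, whether a promoted manager should be demoted) stay manual.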


4. Use Role-Based Email Aliases for Admins

Problem: If primary admin (john@company.com) leaves, you lose admin access.

Solution: Invite a role-based email alias as admin (e.g., devops@company.com, ai-platform@company.com)

Setup:

  1. Create email alias in your corporate email (devops@company.com forwards to your team's mailing list)
  2. Invite alias as Admin
  3. Multiple people can log in via SSO (if email maps to multiple users)
  4. When admin leaves, alias remains active

Benefits:

  • No single point of failure
  • Smooth admin handoffs during employee transitions
  • Better for audits (role-based, not person-based)

5. Document Who Has What Role (Internal Wiki)

Why: When an incident happens at 2am, you need to know who can fix it.

What to document:

```markdown
## SignalBreak Access Control

**Admins** (can manage team, billing, delete workflows):
- Alice (alice@company.com) - Primary admin, DevOps Lead
- Bob (bob@company.com) - Backup admin, Platform Engineer
- devops@company.com (role alias) - Forwards to whole team

**Members** (can create/edit workflows):
- 12 engineers (see full list in Settings → Team)
- Contact: #ai-platform Slack channel

**Viewers** (read-only):
- CFO (cfo@company.com) - Financial oversight
- Legal (legal@company.com) - Compliance reviews
- External auditor (auditor@bigfour.com) - Temp access during audit

**Onboarding:** New AI engineers start as Viewer for 1 week, then promoted to Member
**Offboarding:** HR notifies #ai-platform Slack, admins remove within 24h
```

Where to store:

  • Internal wiki (Confluence, Notion, GitHub Wiki)
  • Runbook (incident response documentation)
  • RBAC matrix (for compliance audits)

6. Use Viewer Role for External Auditors

Scenario: External auditor needs to review your AI governance for ISO 42001 certification.

Recommended setup:

  1. Invite auditor as Viewer (not Member)
  2. Set expectation: Access expires after audit completes (30-60 days)
  3. Auditor can:
    • Generate Audit Pack report
    • View workflows & provider bindings
    • Review governance scores
    • Take screenshots for audit evidence
  4. After audit: Remove auditor from team
  5. Re-invite if needed for next audit cycle

Why Viewer (not Member):

  • Auditor doesn't need to create/edit anything
  • Prevents accidental changes to your configuration
  • Complies with segregation of duties (auditors observe, don't operate)

Security Considerations

Password & Authentication

SignalBreak uses Clerk for authentication:

  • ✅ Industry-standard OAuth (Google, Microsoft, GitHub)
  • ✅ Magic links (passwordless email login)
  • ✅ 2FA/MFA support (for Enterprise plans)
  • ✅ SSO/SAML (Enterprise only)

Users control their own passwords:

  • SignalBreak admins cannot reset user passwords
  • Users reset via "Forgot password" flow
  • Admins can remove users (revoke access) but not impersonate

If user is locked out:

  1. User clicks "Forgot password" on login page
  2. Receives password reset email
  3. Sets new password
  4. Admins cannot help with this (by design - security best practice)

Session Management

How sessions work:

  • Users log in → Session created (7 days default)
  • Session expires after 7 days or logout
  • Changing user role does NOT log them out (takes effect on next page load)

Revoking access immediately:

  • Remove user from team → Their session is invalidated within 60 seconds
  • They'll be logged out next time they make an API call
  • Cannot access SignalBreak after removal

Force logout scenario:

Use case: User's laptop stolen, need to revoke access immediately

Action: Admin removes user from team
Result: User logged out within 60 seconds, cannot log back in

Role Changes & Permissions

When role changes take effect:

  • Immediate: Role change happens instantly in database
  • Next page load: User sees new permissions after refreshing page
  • No re-login required: User doesn't need to log out and back in

Example:

10:00 AM - Bob is Member (can edit workflows)
10:01 AM - Admin demotes Bob to Viewer
10:01 AM - Bob still on /workflows page, can still see "Edit" button
10:02 AM - Bob clicks "Edit", API returns 403 Forbidden (new role enforced)
10:02 AM - Bob refreshes page, "Edit" button now hidden (UI updated)

Why the UI is not instant: the browser keeps cached UI state. Permissions are enforced server-side (API) immediately; the UI updates on the next navigation.
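The enforcement model above, as an added sketch that is not SignalBreak's implementation: the role is looked up server-side on every request, so a stale "Edit" button cannot bypass a demotion. Action names, class names and the sample team are hypothetical; the permission sets and the self-change and last-admin rules are taken from this page, and treating Member as a superset of Viewer is an assumption.

```python
from dataclasses import dataclass

# Permission sets transcribed from the role lists on this page.
VIEWER = {"workflow.view", "signal.view", "scenario.view",
          "report.generate", "dashboard.view"}
MEMBER = VIEWER | {"workflow.create", "workflow.edit", "binding.configure",
                   "scenario.create", "scenario.run", "model.toggle",
                   "connection.manage"}
ADMIN = MEMBER | {"team.invite", "team.change_role", "team.remove",
                  "billing.manage", "integration.configure",
                  "audit.view", "workflow.delete"}
PERMISSIONS = {"viewer": VIEWER, "member": MEMBER, "admin": ADMIN}


class Forbidden(Exception):
    """Would be returned to the client as HTTP 403."""


@dataclass
class Team:
    roles: dict  # email -> role; the server-side source of truth

    def authorize(self, actor, action):
        # Read the current role on every request. Never trust a role sent by
        # the client or cached when the page was rendered.
        role = self.roles.get(actor)  # None once the user has been removed
        if action not in PERMISSIONS.get(role, set()):
            raise Forbidden(f"{actor} ({role}) may not {action}")

    def _other_admins(self, email):
        return [e for e, r in self.roles.items() if r == "admin" and e != email]

    def change_role(self, actor, target, new_role):
        self.authorize(actor, "team.change_role")
        if new_role not in PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        if actor == target:
            raise Forbidden("cannot change your own role")
        # Defence in depth: keep the invariant even if the rule above changes.
        if new_role != "admin" and not self._other_admins(target):
            raise Forbidden("cannot remove last admin")
        self.roles[target] = new_role

    def remove(self, actor, target):
        self.authorize(actor, "team.remove")
        if actor == target:
            raise Forbidden("cannot remove yourself")
        if not self._other_admins(target):
            raise Forbidden("cannot remove last admin")
        del self.roles[target]


def status(team, actor, action):
    """HTTP status a request would receive."""
    try:
        team.authorize(actor, action)
    except Forbidden:
        return 403
    return 200


def bob_timeline():
    """Replay the 10:00-10:02 example; Bob's browser is never told anything."""
    team = Team({"alice@example.com": "admin", "bob@example.com": "member"})
    before = status(team, "bob@example.com", "workflow.edit")           # 10:00
    team.change_role("alice@example.com", "bob@example.com", "viewer")  # 10:01
    after = status(team, "bob@example.com", "workflow.edit")            # 10:02
    return before, after
```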


Audit Trail

What's logged:

  • Team member invitations sent (who invited whom, what role)
  • Role changes (who changed whom, from what to what)
  • Team member removals (who removed whom, when)
  • Login events (who logged in, from where, when)

How to view:

  1. Navigate to Settings → Audit Logs
  2. Filter by category: "Team"
  3. View chronological log of all team changes

Retention:

  • Free/Starter: 90 days
  • Professional: 1 year
  • Enterprise: 7 years + custom retention

Use for:

  • Security investigations ("Who added this user?")
  • Compliance audits (SOC 2, ISO 27001 require access control logs)
  • Incident response ("When did this user lose admin access?")

Troubleshooting

Problem: Invite Email Not Received

Possible causes:

  1. Email in spam folder
    • Solution: Check spam/junk, mark as "Not Spam"
  2. Corporate email filter blocking
  3. Typo in email address
    • Solution: Cancel invitation, resend with correct email
  4. Email delivery delay
    • Solution: Wait 5-10 minutes, check again

How to resend:

  • Cannot resend existing invitation (no UI for this)
  • Cancel pending invitation, send new one

Problem: User Can't Log In After Accepting Invite

Possible causes:

  1. User used different email to sign up
    • Solution: User must sign up with EXACT email from invitation
  2. Invitation expired (>7 days old)
    • Solution: Send new invitation
  3. User blocked/removed after accepting
    • Solution: Check team list, re-invite if removed

How to diagnose:

  • Check Settings → Team: Is user in the list?
  • If yes but can't log in: Password issue (user should reset password)
  • If no: Invitation not accepted or user removed

Problem: "Cannot Remove Last Admin"

Meaning: You're trying to remove or demote the only admin, which would lock everyone out.

Why blocked:

  • Must always have at least 1 admin
  • Prevents accidental lockout (no one can manage team)

Solutions:

Option 1: Promote someone else first

  1. Promote a Member to Admin
  2. Now you have 2 admins
  3. Remove or demote the original admin

Option 2: Demote to Member instead of removing

  1. Don't remove, just demote to Member
  2. They retain access but lose admin privileges
  3. At least one other admin remains

Problem: "Team Member Limit Reached"

Meaning: You've hit your plan's team size limit.

Current limits:

  • Free: 1 member
  • Starter: 5 members
  • Professional: 25 members
  • Enterprise: Unlimited

Solutions:

Short-term:

  • Remove inactive users (people who left company)
  • Remove Viewer accounts (auditors who finished audit)
  • Cancel pending invitations (not yet accepted)

Long-term:

  • Upgrade plan: Settings → Billing → Change Plan
  • Review usage: Do you really need all current members?

Check remaining quota:

Settings → Billing → Team Members
Shows: 23 / 25 members (92% of quota)

Problem: User Has Wrong Permissions

Symptoms:

  • Member can't create workflows (should be able to)
  • Viewer sees "Edit" buttons (shouldn't see them)
  • Admin can't access billing (should be able to)

Diagnosis:

Check role:

  1. Settings → Team
  2. Find user, check role badge
  3. If wrong role: Change role

Clear browser cache:

  1. User logs out
  2. Clears browser cache (Ctrl+Shift+Delete)
  3. Logs back in
  4. Permissions should update

Check for UI caching:

  • Permissions are enforced server-side (API always correct)
  • UI may show stale buttons until page refresh
  • Tell user to hard refresh: Ctrl+F5 (Windows) or Cmd+Shift+R (Mac)

Problem: Removed User Still Has Access

Symptoms:

  • User removed from team, but can still log in
  • Dashboard shows "Unauthorized" after 1-2 minutes

Expected behavior:

  • Removal takes effect within 60 seconds
  • User's session invalidated on next API call
  • User sees "Unauthorized" error, redirected to login
  • Cannot log back in (credentials no longer valid)

If user still has access after 5 minutes:

  1. Check team list: Is user actually removed? (Settings → Team)
  2. Check for duplicate accounts: Does user have 2 emails? Removed wrong one?
  3. Contact support: Email support@signal-break.com with user's email

FAQ

Can I transfer ownership to another user?

Currently: No designated "owner" role. All admins have equal permissions.

Workaround: Promote the person you want as "owner" to Admin, then optionally demote yourself to Member.

Future feature: Owner role (Q2 2025) with additional permissions:

  • Cannot be removed by other admins
  • Can transfer ownership to another admin
  • Required for account closure

What happens to workflows created by a removed user?

Short answer: Workflows remain, ownership transfers to remaining admins.

What happens:

  1. User creates workflow "Fraud Detection"
  2. User removed from team
  3. Workflow still exists (not deleted)
  4. "Created by [Name]" remains (historical attribution)
  5. Any admin can now edit/delete the workflow
  6. Audit logs preserve full history

Why this matters: Prevents data loss when users leave. Team continuity maintained.


Can users be in multiple teams/organizations?

Yes. Users can be invited to multiple SignalBreak organizations (tenants), using either the same email or different emails.

How it works:

  • User has 1 account (e.g., alice@company.com)
  • Alice invited to Organization A as Admin
  • Alice invited to Organization B as Viewer (different company)
  • Alice logs in, sees organization switcher in sidebar
  • Switches between Organization A and B
  • Different role in each organization

Use case: Consultant working with multiple clients, each has their own SignalBreak workspace.


Do removed users lose access to reports they downloaded?

No. Downloaded reports (PDFs, Markdown files) are local copies.

What happens:

  1. User downloads Operational Brief PDF
  2. User removed from team
  3. PDF remains on user's computer (SignalBreak can't delete local files)
  4. User cannot download NEW reports (no access to SignalBreak)

Security implication: If reports contain sensitive data, ensure removed users delete local copies (honor system) or use DRM tools (Enterprise feature).


Can I set expiration dates for team members?

Not currently. Team invitations expire after 7 days, but accepted memberships are permanent until removed.

Workaround: Set calendar reminders to remove temporary users (auditors, contractors).

Future feature: Time-limited access (Q3 2025) will allow:

  • Set expiration date when inviting (e.g., "Access expires 30 days from acceptance")
  • Automatic removal on expiration date
  • Email reminder 7 days before expiration

Can I bulk invite team members?

Not currently. Invitations are one-at-a-time via UI.

Workaround (Enterprise API):

```bash
# Bulk invite via API (Enterprise plans only)
curl -X POST https://signalbreak.com/api/team/invite/bulk \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "invitations": [
      {"email": "alice@company.com", "role": "member"},
      {"email": "bob@company.com", "role": "member"},
      {"email": "charlie@company.com", "role": "viewer"}
    ]
  }'
```

Future feature: CSV upload for bulk invites (Q2 2025).


  • Audit Log (coming soon): Track all team changes (invitations, role changes, removals)
  • Billing: Team member limits by plan, upgrade if you hit the limit
  • Security: Authentication methods, 2FA/MFA, SSO/SAML (Enterprise)
  • Notifications: Get notified when team members join or when roles change

Support

Need help with team management?

Common requests:

  • Help setting up SSO/SAML (Enterprise feature)
  • Bulk user import from CSV
  • Custom role definitions (Enterprise feature)
  • Integration with identity providers (Okta, Azure AD)

Enterprise support:

  • Dedicated onboarding session for team admins
  • Custom RBAC matrix design
  • Quarterly access review sessions

Last updated: January 2025
