Team Members

Team Members (Staff) manages firm users, roles, and business access — owners and admins see all clients; members see assigned businesses only. Invite staff, toggle programmatic access, and track invitation delivery from Settings > Staff.

Key capabilities

• Three staff roles: owner, admin, member (changed inline via a dropdown)
• Owners and admins see all businesses; members are scoped to assigned businesses
• Manage access modal to assign specific businesses to a member (direct or via team)
• Per-user programmatic access toggle (disabling it blocks that user's connection keys)
• Invite staff by email with optional first/last name
• Pending Invitations panel with live email delivery badges
• Delivery states: not sent, sent, delivered, opened, bounced, spam-reported
• Resend invitations (with a short cooldown, auto-lifted after a bounce or complaint)
• Cancel pending invitations and an "Expired" flag for stale invites
• Remove a member to revoke firm access immediately

How it works

Role sets the default reach; members are then narrowed to specific businesses directly or through team membership.

flowchart TD
  role{"Staff role"}
  role -->|"Owner / Admin"| all["All businesses"]
  role -->|"Member"| assigned["Assigned businesses only"]
  assigned --> direct["Direct assignment"]
  assigned --> viaTeam["Via team membership"]
  direct --> access["Effective access"]
  viaTeam --> access

How to use it

1. Open Settings > Staff.
2. Click Invite Member, enter their email (and optional name), and send.
3. Set each person's Role from the inline dropdown: Owner, Admin, or Member.
4. For a member, click Manage access to check the businesses they should reach — team memberships also grant access automatically.
5. Toggle programmatic access per user to allow or block their programmatic tokens.
6. In Pending Invitations, watch the delivery badge; use Resend (refresh icon) or Cancel (X) as needed.
7. Click the trash icon to remove a member and revoke their access at once.

Pro tips

• Use the Member role for bookkeepers who should only see their assigned clients — not the whole firm.
• Watch for Bounced or Spam reported badges: the resend cooldown is automatically lifted so you can retry or fix the address immediately.
• Client portal access is managed separately under Settings > Clients — staff roles never grant portal access and vice versa.
• Disable programmatic access for staff who shouldn't script against the integration; their existing tokens stop working until re-enabled.
• Removing a member is immediate and firm-wide; reassign their teams/clients first if continuity matters.

In-depth guide

Roles & permissions

Member access assignment

The Manage access modal controls which businesses a member can reach:

• Lists every firm business with a checkbox for direct assignment.
• Businesses reached via a team are marked "(via team)" and shown as granted even if the direct box is unchecked.
• Select all / Deselect all speeds up setup; Save writes the direct assignments.
• Team-based access is managed separately on the Teams page.

Programmatic access toggle

Each staff row has a programmatic access switch:

• On by default — owners/admins control it per user.
• Turning it off disables that user's connection keys until re-enabled.

Invitation delivery states

Resend and expiry

Resends have a short cooldown per invitation to avoid spamming recipients. The cooldown is automatically bypassed when an invite has bounced or been marked as spam. Invitations expire after a period; expired ones show an Expired flag.

Audit implications

Role changes, removals, and invitation actions are sensitive account events. Use the Audit Log to see who changed a role or removed a member — useful for SOC reviews and offboarding.

Practical notes

• Only members get the Manage access control; owners/admins always show "All businesses."
• Removing a member revokes access immediately but does not delete the businesses or teams they touched.