
Team Management

!!! info "TL;DR"
    Invite team members, assign roles (Owner, Admin, Member), and enforce MFA for security. Admins can triage feedback, create surveys, and manage GitHub integration. Owners have full control over team and org settings.

Team Roles

Access to the Admin Dashboard is controlled by the team_members table. Each user is assigned a role that determines their permissions.

Role Definitions

| Role | Permissions | Use Case |
| --- | --- | --- |
| Owner | Full access: manage team, change settings, delete org, view audit logs | Founder, CTO, Head of Product |
| Admin | Triage, surveys, GitHub integration, analytics, moderation | Product Manager, Engineering Lead |
| Member | Triage feedback, post official comments, view read-only analytics | Support Engineer, Junior PM |

Only one user can be the Owner. Owners can transfer ownership to another team member.

Permission Matrix

Action Owner Admin Member
Triage submissions
Change submission status
Post official comments
Create surveys
Publish surveys
Push to GitHub
View analytics ✅ (read-only)
Bulk actions
Invite team members
Remove team members
Change org settings
View audit logs
Delete org

Inviting Team Members

Step 1: Send Invitation

  1. Navigate to Admin → Team → Invite Member
  2. Enter email address
  3. Select role (Admin or Member)
  4. Optionally add a personal message
  5. Click Send Invitation

The invitee receives an email with a link to accept the invitation.

Step 2: Invitation Acceptance

The invitee clicks the link in the email and:

  1. Signs up for a Canviq account (if they don't have one)
  2. Accepts the invitation
  3. Is added to the team with the assigned role

Invitations expire after 7 days. Resend expired invitations from Admin → Team → Pending Invitations.

Bulk Invitations

Invite multiple team members at once:

  1. Navigate to Admin → Team → Bulk Invite
  2. Upload a CSV file with columns: email, role, message (optional)
  3. Review the list
  4. Click Send Invitations

All invitations are sent simultaneously.
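Because every row is sent at once, it is worth checking the file before upload. The following is an added example, not Canviq's own code: it assumes the CSV has a header row with the columns listed above, and `check_bulk_invite`, `org_domains` and the sample rows are constructed for illustration.

```python
import csv
import io
import re

INVITABLE_ROLES = {"admin", "member"}  # the invite form offers only Admin or Member
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check, not full RFC 5322

SAMPLE_CSV = """email,role,message
pm@example.com,Admin,Welcome aboard
support@example.com,Member,
support@example.com,Member,duplicate row
cto@example.com,Owner,
contractor@vendor.test,Admin,
not-an-email,Member,
"""  # constructed sample input

def check_bulk_invite(csv_text, org_domains=()):
    """Split a bulk-invite CSV into accepted rows, hard errors and rows to review."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = {(h or "").strip().lower() for h in (reader.fieldnames or [])}
    missing = {"email", "role"} - header  # message is optional
    if missing:
        return {"ok": [], "errors": [f"header: missing {sorted(missing)}"], "review": []}
    ok, errors, review, seen = [], [], [], set()
    for raw in reader:
        line = reader.line_num  # physical line in the file, header is line 1
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        email, role = row["email"].lower(), row["role"].lower()
        if not EMAIL_RE.match(email):
            errors.append(f"line {line}: invalid email {row['email']!r}")
        elif role not in INVITABLE_ROLES:  # e.g. Owner, which is only reached by transfer
            errors.append(f"line {line}: role {row['role']!r} cannot be invited")
        elif email in seen:
            errors.append(f"line {line}: duplicate invite for {email}")
        else:
            seen.add(email)
            ok.append((email, role))
            external = bool(org_domains) and email.rsplit("@", 1)[1] not in org_domains
            if role == "admin" and external:  # contractors are meant to get Member
                review.append(f"line {line}: external address {email} invited as Admin")
    return {"ok": ok, "errors": errors, "review": review}

if __name__ == "__main__":
    result = check_bulk_invite(SAMPLE_CSV, org_domains=("example.com",))
    for key in ("errors", "review"):
        print(key, *result[key], sep="\n  ")
```
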

Managing Team Members

Viewing Team Members

Navigate to Admin → Team to see all team members:

| Name | Email | Role | MFA Enabled | Last Active | Actions |
| --- | --- | --- | --- | --- | --- |
| Jane Doe | jane@example.com | Owner | | 2 hours ago | |
| John Smith | john@example.com | Admin | | 1 day ago | Edit, Remove |
| Alice Lee | alice@example.com | Member | | 5 days ago | Edit, Remove |

Editing Team Members

To change a team member's role:

  1. Click Edit next to their name
  2. Select new role (Admin or Member)
  3. Click Save

Role changes take effect immediately.

Removing Team Members

To remove a team member:

  1. Click Remove next to their name
  2. Confirm removal
  3. Optionally select action for their content:
       • Keep — Preserve comments and status changes (attributed to "Former Team Member")
       • Delete — Remove all comments and status changes

The user loses access to the Admin Dashboard immediately.

Multi-Factor Authentication (MFA)

MFA is required for Owner and Admin roles to comply with SOC 2 security controls (see ADR-0015).

Enforcing MFA

MFA enforcement is configured in Admin → Settings → Security:

  • Owners — MFA required (cannot be disabled)
  • Admins — MFA required by default (Owner can disable)
  • Members — MFA optional

If a user does not have MFA enabled, they are prompted to set it up on their next login.

Setting Up MFA

Users set up MFA in their profile settings:

  1. Navigate to Profile → Security
  2. Click Enable MFA
  3. Scan QR code with authenticator app (Google Authenticator, Authy, etc.)
  4. Enter 6-digit code to verify
  5. Save recovery codes (used if authenticator app is lost)

MFA is now enabled. Users must enter a 6-digit code on every login.

Recovery Codes

Each user receives 10 recovery codes when they enable MFA. Recovery codes can be used to log in if the authenticator app is unavailable.

To regenerate recovery codes:

  1. Navigate to Profile → Security → MFA
  2. Click Regenerate Recovery Codes
  3. Save the new codes securely

Old recovery codes are invalidated.

Team Activity Logs

View team member activity in Admin → Team → Activity:

| Timestamp | User | Action | Details |
| --- | --- | --- | --- |
| 2026-02-10 10:30 | jane@example.com | Changed status | Submission #123 → Planned |
| 2026-02-10 09:15 | john@example.com | Pushed to GitHub | Issue #456 created |
| 2026-02-09 16:45 | alice@example.com | Posted comment | Submission #789 |
| 2026-02-09 14:20 | jane@example.com | Created survey | "Q1 NPS Survey" |

Filter by:

  • Date Range — Last 7 days, 30 days, or custom
  • User — Show activity for a specific team member
  • Action Type — Status changes, comments, surveys, etc.

Activity logs are retained for 90 days.

Audit Logs (Owners Only)

Owners have access to the full audit log, which includes security-relevant actions:

  • Team Changes — Invitations sent, members added/removed, roles changed
  • Settings Changes — Org name, branding, API keys, GitHub integration
  • Data Access — Who viewed sensitive data (e.g., user emails, survey responses)
  • Authentication Events — Logins, MFA setup, password resets

Navigate to Admin → Settings → Audit Log to view.

Audit logs are append-only (cannot be deleted) and retained for 2 years for compliance (SOC 2, ISO 27001).

Transferring Ownership

To transfer ownership to another team member:

  1. Navigate to Admin → Team
  2. Click Transfer Ownership (next to your name)
  3. Select new owner from dropdown (must be an existing Admin)
  4. Confirm transfer

You are demoted to the Admin role, and the new owner has full control.

Offboarding Checklist

When removing a team member:

  1. Remove them from Admin → Team
  2. Revoke API keys they created (if any)
  3. Review audit logs for their recent activity
  4. Update GitHub integration if they were the connected account
  5. Optionally notify remaining team members

External Collaborators

Canviq does not currently support guest access or external collaborators. All team members must have full accounts.

For temporary access (e.g., contractors), create a Member account and remove them when the contract ends.
