Calafai Docs

Team Management

Overview

Groundtruth uses role-based access control (RBAC) to manage what each team member can do within your tenant. Roles are hierarchical -- higher-privilege roles inherit all capabilities of the roles below them.

Roles

Roles are listed here from highest to lowest privilege:

Owner

  • Full access to every feature in the platform.
  • Manages billing and subscription (see Billing).
  • Manages team members: invite, change roles, remove.
  • Can delete the tenant entirely.
  • Created automatically when you register a new account. The first user on every tenant is the owner.

Admin

  • Create, configure, and manage engagements.
  • Manage team members: invite new users, change roles, remove members.
  • View cost tracking and spend data.
  • Manage BYOK LLM keys (see Billing > BYOK).
  • Cannot access billing or delete the tenant.

Member

  • Create and run engagements.
  • View deliverables.
  • Upload files and attachments to engagements.
  • Cannot manage other team members.

Viewer

  • Read-only access to engagements and deliverables.
  • Cannot create, modify, or run anything.
  • Ideal for internal stakeholders who need visibility without edit capability.

Inviting Team Members

The invite form is located at the top of the Team section on the Settings page. It is an inline form with three fields:

  1. Email (required) -- The person's email address.
  2. Name (optional) -- Their display name.
  3. Role -- A dropdown to select the role: Admin, Member, or Viewer.

Click Invite to send the invitation. The platform creates a user record and sends a Supabase magic link to the invited email address. The recipient clicks the link to set up their account and is automatically added to your tenant with the assigned role.

Only users with the admin or owner role can invite team members.

Changing Roles

Admins and owners can change the role of existing team members. To change a role:

  1. Go to Settings > Team.
  2. Find the team member in the list.
  3. Use the role dropdown next to their entry to select the new role.

Constraints:

  • You cannot assign a role equal to or higher than your own. For example, an admin cannot promote another user to admin or owner.
  • The owner role cannot be changed. There is always exactly one owner per tenant.
  • Only the owner can promote someone to admin.

Removing Members

Admins and owners can remove team members from the tenant:

  • The owner cannot be removed.
  • You cannot remove yourself.
  • Removing a member revokes their access immediately.

To remove a member:

  1. Go to Settings > Team.
  2. Find the team member in the list.
  3. Click the Remove button next to their entry.
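The constraints listed under Changing Roles and Removing Members, written as server-side checks. This is an added example, not Groundtruth's own code: the Role enum values, the Denied exception, the function names, and the permits helper are assumptions made for illustration.

```python
from enum import IntEnum


class Role(IntEnum):
    """Roles from the page, ordered so a higher value means more privilege."""
    VIEWER = 1
    MEMBER = 2
    ADMIN = 3
    OWNER = 4


class Denied(Exception):
    """Raised when a team-management action breaks a documented constraint."""


def _require_manager(actor_role: Role) -> None:
    # Only admins and owners may change roles or remove members.
    if actor_role < Role.ADMIN:
        raise Denied("only admins and owners can manage team members")


def check_role_change(actor_role: Role, target_role: Role, new_role: Role) -> None:
    _require_manager(actor_role)
    if target_role == Role.OWNER:
        raise Denied("the owner role cannot be changed")
    # One comparison covers "only the owner can promote to admin" and keeps a
    # single owner: nobody can hand out a role at or above their own.
    if new_role >= actor_role:
        raise Denied("cannot assign a role equal to or higher than your own")


def check_removal(actor_id: str, actor_role: Role,
                  target_id: str, target_role: Role) -> None:
    _require_manager(actor_role)
    if target_role == Role.OWNER:
        raise Denied("the owner cannot be removed")
    if actor_id == target_id:
        raise Denied("you cannot remove yourself")


def permits(check, *args) -> bool:
    """Hypothetical helper: run a check and report the outcome as a boolean."""
    try:
        check(*args)
        return True
    except Denied:
        return False
```

Calling these checks in the request handler, rather than relying on the UI hiding the controls, keeps the constraints in force when a request is sent directly to the endpoint.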

Team List

The team list on the Settings > Team page displays the following for each member:

  Column    Description
  ------    -----------
  Name      The user's display name (or email if no name set)
  Email     Their email address (shown below the name)
  Role      A color-coded badge: violet (owner), blue (admin), green (member), gray (viewer)

The current user's row is marked with a (you) label so you can easily identify your own entry.

Role change and remove controls appear on the right side of each row, except for the owner row and your own row.

Key Details

  • Registration creates the first user as the owner. This happens automatically and cannot be changed.
  • Each tenant has exactly one owner at all times.
  • Role checks are enforced in middleware on every route, so users cannot access features beyond their role even if they navigate directly to a URL.
  • All team management actions (invite, role change, remove) are recorded in the audit log.
  • Billing -- only the owner can manage billing and subscription
  • Analytics -- dashboard access and quality scoring visibility
