QEHSadmin guide
Users and roles
Invite users, assign roles, revoke access, and understand how the tenant-owner / tenant-admin / tenant-user / viewer tiers compose.
8 min read · 3 sections
The four built-in roles
| Role | What they can do | Typical use |
|---|---|---|
| tenant-owner | Everything — billing, settings, Composer, records, exports, delete tenant. | Exactly one per tenant, usually the buyer. |
| tenant-admin | Manage users, install modules, edit Composer, create records, view audit log. Cannot change billing or delete the tenant. | 2–5 per tenant (safety manager, IT admin). |
| tenant-user | Create, edit, comment on records. Limited Composer read-only. No settings access. | Most of your workforce. |
| viewer | Read-only on records they are a member of. No edit. No export. | Auditors, contractors, reviewers. |
Module-scoped roles
Beyond tenant-wide roles, each module exposes module-scoped roles (e.g. Inspections-admin, Incidents-reviewer). A user can hold tenant-user at the tenant level and module-admin on just one module.
Module-scoped roles are authored in the Composer under the Permissions tab. See Composer → Permissions for the full model.
Inviting, revoking, and deactivating
- Open /settings/members and click Invite.
- Enter one email per line. Each row accepts an override role.
- Click Send — each invitee gets a branded email with a 7-day signed link.
- Revoke pending invites from the "Pending" tab (link becomes invalid immediately).
- Deactivate (not delete) active users to preserve audit-log attribution. Reactivate at any time.