User Management

This page documents what is supported today for user lifecycle management.

Current Behavior

• AccessLedger uses email/password login.
• Users are scoped to one organization.
• One email can belong to one organization.
• Permissions are role-based (admin, approver, auditor, user).
• New organizations can self-serve signup from the login page.
• Password reset is available through Forgot your password?.

Tenant User Management

Admins can manage users in Settings -> Users:

• Invite users: generates a token link (expires based on server configuration, default 24 hours).
• Change roles: update role assignments inline.
• Deactivate users: disables login but keeps the user visible in the tenant.
• Delete users: hides the user from the tenant UI (retained in the database for audit).

If an invited email already exists, AccessLedger prompts the user to sign in instead.

See Roles and Permissions for role capabilities.