// features.users

Users & roles

Who can do what in your tenant — and how the NDA + audit layers make it provable.

This page focuses on the human side: the four roles, the invite flow, the permissions matrix as it applies to members of your board. For the full picture — human roles + agent API-key scopes + per-resource visibility in one reference — see Platform → Permissions.

Roles

Three built-in roles, assigned at invite time and changeable by any ADMIN. A user has exactly one role per tenant; a human who's on multiple boards may hold different roles in each.

Role	Typical use	Scope, summarised
`ADMIN`	Founder, CEO, CFO, executive assistant	Full read + write, can invite / promote / demote, can rotate NDA, can see audit
`MEMBER`	Board member, investor	Read everything in scope, vote on resolutions, acknowledge updates, RSVP meetings
`OBSERVER`	Advisor, early investor with observer seat	Read-only; can't vote, doesn't count toward quorum

Permissions matrix

Surface	ADMIN	MEMBER	OBSERVER
Updates — read	✓	✓	✓
Updates — publish / edit	✓	—	—
Resolutions — read	✓	✓	✓
Resolutions — draft / open	✓	—	—
Resolutions — vote	✓	✓	—
Meetings — read / RSVP	✓	✓	✓
Meetings — schedule / minute	✓	—	—
Financials — read (visibility-gated)	✓	✓	✓
Financials — enter / restate	✓	—	—
Users — invite / promote / demote	✓	—	—
NDA — manage / rotate	✓	—	—
Audit log — read	✓	—	—
Branding / white-label	✓	—	—
API keys — issue / revoke	✓	self only	—

Invite flow

An ADMIN opens Settings → Members, enters the invitee's email, picks a role.
The invitee receives an email with a magic link. Clicking the link opens a confirmation page (protection against email scanners that follow links eagerly) where the invitee explicitly confirms the sign-in.
First-time invitee? They hit the NDA acceptance flow next — scroll through the current NDA version, type their full legal name, click sign. IP and device get logged.
Pick a display name, a timezone, and accessibility preferences (see Accessibility). Drop into the dashboard.

No passwords by default

BoardHerald is magic-link-first. There's no password field on the sign-in page by default. A fallback password path exists for people whose email is unreliable — see Platform → Sign-in.

Invited somewhere else already?

The same email can be a member of any number of BoardHerald organizations. If an invitation arrives for an email that's already signed in somewhere, the new invitation also shows up as a pending entry in the tenant switcher dropdown — accepting it there takes one click and doesn't require signing out of anything first.

Promoting / demoting

Any ADMIN can change another user's role (except their own — demoting yourself requires another ADMIN to confirm, to avoid accidentally locking the tenant out). Every role change writes a role.changed event to the audit log with the before / after values and the admin who made the change.

Service accounts + API keys

API keys are issued against a human user, not a separate "service account" identity. The key inherits the user's role ceiling (a MEMBER can never issue a key with ADMIN-only scopes). Humans manage their own keys under Profile → API Keys; ADMINs see every key in the tenant and can revoke any of them from Settings → API Keys.

This design means accountability sits with a human for every agent action. An agent that writes an update writes it "by Sidney via claude-desktop-laptop" — not "by some opaque bot account". See Agents — Capabilities for the persona bundles.

Access groups

Roles are orthogonal to access groups. A role sets the ceiling for what a user can do; an access group gates which sensitive surfaces they can see inside that ceiling. A MEMBER without an access group is a regular board member; the same MEMBER with an access group toggled on sees more. Admins hold every access group implicitly and don't need explicit grants.

Two access groups ship today:

FINANCE — unlocks /financials. That surface holds both the published financial updates (the encrypted HTML reports) and the KPI card grid at the top of the page. A member without FINANCE doesn't see the link in the nav and a direct URL hit redirects to /updates.
INVESTOR — unlocks KPIs marked INVESTOR_ONLY inside the FINANCE surface. Use it for metrics the investor audience on the board should see but not the rest. Does not imply FINANCE — grant both if the investor should also see financial reports. A member with INVESTOR but not FINANCE still can't reach /financials at all.

Admins toggle access groups on a user at Admin → Users → [user] or at invite time on the Users list. Grants are audit-logged, revocable at any time, and propagated to in-flight agent keys on the next request (keys inherit the human's ceiling, see above). The MCP equivalents are users_grant_access + users_revoke_access, both accepting FINANCE or INVESTOR as the group.

NDA gating

Role is necessary but not sufficient. A member who hasn't signed the current NDA version sees the NDA acceptance page and nothing else — regardless of role. When you rotate the NDA (publish a new version), every member is bounced back to the acceptance flow on their next sign-in. See Platform → NDA.