Collaborators
A Collaborator is a person who belongs to an Organization. Every Organization has at least one collaborator: the owner who created it. From there, the owner or admins can invite team members, assign roles, and control what each person can see and do.
Collaborators exist because B2B customers are not a single person. A company might need its CTO to manage licenses, its finance team to download invoices, and its project manager to open support tickets -- all under the same account, each seeing only what is relevant to their job.
The 4 roles
Every collaborator has one role. Roles follow a strict hierarchy -- higher roles can do everything lower roles can do, plus more.
| Role | Level | What they can do |
|---|---|---|
| Owner | 1 | Full access to everything. Manages the organization. Cannot be removed. |
| Admin | 2 | Manages team members: invite, remove, change roles and scopes. |
| Member | 3 | Access governed by assigned scopes. Sees only what scopes allow. |
| Guest | 4 | Minimal access. Typically limited to viewing shared documents. |
There is also a transient state called pending, which applies to collaborators who have been invited but have not yet accepted. Once they accept, they are assigned their intended role.
Owner immutability
The owner role has special protections:
- The owner cannot be deleted from the organization
- The owner cannot be downgraded to a lower role
- The owner has implicit access to all scopes (scope assignments are ignored)
- Ownership transfer is a dedicated admin operation -- it requires an intentional handoff to another member
RBAC scopes
Scopes control what a collaborator can access. A member with the finances scope can see invoices and tax documents, but cannot manage licenses. A member with the licenses scope can activate software, but cannot view financial records.
| Scope | What it controls | Typical role |
|---|---|---|
organization | View and update organization profile and settings | All members |
finances | View invoices, tax documents, payment status | Finance team |
orders | View order history and purchase details | Procurement |
licenses | View and activate software licenses, access downloads | IT / DevOps |
tickets | Create and view service requests | Support contacts |
quotes | View and accept commercial proposals | Procurement / managers |
contracts | View contracts and SLA terms | Legal / management |
documents | View and download shared documents | Any relevant member |
downloads | Download products linked to entitlements | IT / DevOps |
entitlements | View entitlements, environments, and services | Technical leads |
admin | Administrative operations (admin role only, grants all access) | Admins |
Scopes are additive: a collaborator with finances and orders can see both invoices and order history. A collaborator with no scopes assigned can log in but sees an empty dashboard.
The scope list is extensible. Developers can register custom scopes using a WordPress filter.
Scope limits
By default, each organization can have up to 5 collaborators with the tickets scope. This reflects the standard service terms ("5 support contacts per account"). The limit is configurable through the Policy Engine and can be adjusted per organization.
Invite flow
Adding a new collaborator follows this sequence:
Key details:
- Invite tokens expire after 7 days (configurable). Expired invites can be resent.
- If the email belongs to an existing WordPress user, the system links that user to the organization without creating a new account.
- If the email is new, the invite includes account creation.
- Bulk invites are supported -- multiple emails separated by commas, all receiving the same role and scopes.
- Admins can also choose from role templates (predefined scope combinations) to speed up configuration. For example, a "Finance" template might pre-select
finances,orders, andquotes.
What each role can do
| Action | Owner | Admin | Member | Guest |
|---|---|---|---|---|
| View organization details | Yes | Yes | Yes | Yes |
| Edit organization details | Yes | Yes | No | No |
| Invite collaborators | Yes | Yes | No | No |
| Remove collaborators | Yes | Yes | No | No |
| Change roles and scopes | Yes | Yes | No | No |
| Accept quotes | Yes | Yes | Scoped | No |
| View invoices | Yes | Yes | Scoped | No |
| Create service requests | Yes | Yes | Scoped | No |
| Manage licenses | Yes | Yes | Scoped | No |
| View documents | Yes | Yes | Scoped | Scoped |
| Transfer ownership | Yes | No | No | No |
"Scoped" means the action is available only if the collaborator has the relevant scope assigned.
What admins see
From the WordPress admin, the team management view for an Organization shows:
- Each collaborator's name, email, role, assigned scopes, and join date
- Status indicators (active, pending invite)
- Actions: edit role, edit scopes, resend invite, remove
The admin can also see across all organizations -- for example, finding a specific collaborator by email and seeing which organizations they belong to.
Related pages
- Organizations -- the company a collaborator belongs to
- Policies -- scope limits and notification preferences
- How Concepts Connect -- the full relationship diagram