Organisation settings, members, and invites
Organisation Settings are for workspace owners and admins who manage identity, membership, workflow defaults, groups, invite policy, Agent policy, and active-organisation data exports.
Members without admin permission can view organisation context and membership information, but they cannot change organisation settings, roles, invites, groups, or managed profile fields.
The first registered user bootstraps the deployment. That first account becomes the first organisation owner and is marked as a server admin. After that, self-registration requires an invite unless the person already has a valid organisation invitation.
Organisation identity
Organisation identity appears throughout the app shell, settings pages, and member workflows.
Admins can manage:
- Organisation name.
- Organisation logo.
- Active workflow mode.
Use a clear company or workspace name. The logo should be a simple image that remains legible at small sizes.
Workflow mode
Workflow mode changes the operating style used by the workspace.
| Mode | Use when |
|---|---|
| Founder | One founder or a very small leadership group is operating directly. |
| Organization | A larger team needs shared ownership, roles, groups, and project access. |
Changing workflow mode does not remove existing data. It changes defaults and the way the workspace presents operating flows.
Members and roles
Organisation roles define administrative capability inside the active organisation.
| Role | Typical responsibility |
|---|---|
| Owner | Accountable for the organisation and full administration. |
| Admin | Manages members, groups, invites, settings, and project administration. |
| Member | Works in the organisation according to project and scope access. |
Admins can edit a member's name, title, profile image, role, and group assignment. They can also lock first name, last name, and title so the member cannot change those fields from User Settings.
Use owner sparingly. Use admin for people who should manage workspace membership and access. Use member for normal contributors.
The Members tab is also where admins invite new people. Use the Invite action to open the invite dialog without leaving the member list.
Profile locks
Profile locks are useful when identity data must match HR, legal, or customer-facing records.
Admins can lock:
- First name.
- Last name.
- Title.
When a field is locked, the member sees it as managed by an organisation admin. Organisation admins can still update locked fields.
Invites
Invites are the normal way to add people after bootstrap.
An invite can include:
- Email address.
- Role.
- First name and last name.
- Title.
- Initial group.
- Expiration period.
If an invite includes an email address, only that email can accept it. If first name, last name, or title are supplied on the invite, they become managed values when the invite is accepted.
The default invite expiration is configured from the invite dialog in Organisation Settings. It must be between 1 and 90 days.
Invite URLs include a token. Send them only through approved channels, and revoke stale invites when a person no longer needs access.
Organisation authentication
When the server is running in OIDC mode with organisation-managed authentication enabled, organisation admins can configure LDAP, SAML, or upstream OIDC sign-in from the Authentication tab.
Use Organisation authentication provider setup for step-by-step provider instructions, including where to find Google Workspace client IDs, Microsoft Entra metadata URLs, Okta metadata, LDAP DNs, and generic SAML/OIDC values.
Groups
Groups let admins grant the same project access to several people at once. A group has a name, optional description, and member list.
Use groups for stable teams such as Leadership, Product, Engineering, Customer Success, or External Reviewers. Use direct project grants for one-off exceptions.
When a member is removed from a group, they lose access that came only from that group. They may still retain access through organisation admin status, open project visibility, direct project grants, or another group.
Data export
The Data tab downloads a JSON file for the active organisation context. It is designed for portability, audit review, and support investigation.
The export includes operational records such as raw events, docs, doc revisions, memory, snapshots, tickets, task activity, commitments, daily sessions, proposals, decisions, and risks. Some records are scoped to the current user, while shared work can include organisation or project records you are allowed to read.
Exports can contain sensitive business data, including customer context, strategy, uploaded-file references, AI outputs, internal decisions, risks, and ticket history. Treat exported JSON as confidential company data and store it only in approved locations.
Agents
Organisation admins can use the Agents tab to restrict or tune AI behavior for the whole workspace.
Organisation settings sit below the server baseline and above project and user preferences:
- If the organisation disables an Agent, project and user settings cannot turn it back on.
- If the organisation sets a schedule, projects and users inherit it unless they configure a more specific schedule.
- If the organisation clears an override, the effective value falls back to server settings or the Agent default.
This is the right place to disable a workspace-wide Agent such as chat, docs memory review, or ticket conflict scans without affecting other organisations on the same server.
See Agent configuration for Agent keys, schedule options, and examples.
Operational review
Review membership and groups regularly:
- Remove stale members.
- Lower roles when admin access is no longer needed.
- Rotate invite links that were shared broadly.
- Confirm profile locks still reflect current policy.
- Audit restricted project grants after team changes.