Team & Role Management
The Team page is where organisation administrators manage user accounts, assign roles, and configure access control for VeriProof features.
Available roles:
| Role | Access level |
|---|---|
| Admin | Full access — settings, billing, SSO, all data |
| ComplianceOfficer | Read all dashboards; generate evidence; manage frameworks |
| GovernanceEngineer | Create/edit rules, evaluate datasets, manage vocabulary |
| Developer | SDK config, API keys, webhook setup; no production data access |
| ReviewAccess | Review queue adjudication and journey view content access |
| Viewer | Read-only access to portfolio, analytics, and decisions |
Inviting a user:
- Click Invite user and enter their email.
- Select their role from the dropdown.
- Click Send invitation. They receive an email with a sign-in link.
If SSO is configured, users are provisioned automatically on first sign-in via the IdP group → role mapping. Manual invitations are still supported for users outside your IdP.
Modifying a role: Click the user row and select a new role. The change is effective immediately.
Removing a user: Click the user row → Remove user. Their sessions are invalidated immediately. API keys issued to that user are revoked.
Roles & Permissions (RBAC)
VeriProof uses role-based access control (RBAC) to restrict portal features to the users who need them. Every user in your tenant has exactly one primary role, set at invitation time.
Only the CustomerAdmin role can manage role assignments. The tenant must always have at least one active CustomerAdmin — the system blocks removing the last admin.
The Six Customer Roles
CustomerAdmin
Full administrative access to the tenant. The CustomerAdmin can:
- Invite, deactivate, and manage all users
- Assign and revoke roles for any user
- Create, update, and delete applications
- Configure SSO, webhooks, notification channels, and API keys
- Set cost budgets and spend alerts
- Initiate data deletion and purge workflows
- View all audit logs and compliance reports
- Generate evidence packages and sign off on session reviews
CustomerDeveloper
Focused on SDK integration, trace tooling, and AI application development. A Developer can:
- Register and manage AI applications
- Generate and rotate application API keys
- Configure SDK adapters and trace settings
- View full session traces and use the Time Machine
- Run experiments in the Prompt Playground
- Create and manage evaluation datasets
- View SDK Health and adapter diagnostics
- View and configure alert rules for their applications
Restrictions: read-only access on Production applications. A Developer cannot activate rule changes or configuration updates in Production without Admin or Compliance Officer approval, and cannot manage users, billing, or compliance engagements.
CustomerGovernanceEngineer
Focused on governance model configuration and rule authoring. A Governance Engineer can:
- Draft and test metric rules and Rego policy rules across all environments
- Submit Production rule or configuration changes for Admin / Compliance Officer approval
- View and compare rule template versions
- View all session traces, dashboard analytics, and governance trends
- Access SDK Health and adapter diagnostics
- View vocabulary browser and evaluation datasets
Production write restriction: A Governance Engineer can author and activate rules in Sandbox and Development environments without approval. Production changes require an explicit approval from a CustomerAdmin or CustomerComplianceOfficer via the change-control workflow. This role was previously labelled Platform Engineer in early access; documentation and support tickets may still use that name.
CustomerComplianceOfficer
Focused on governance and evidential operations. A Compliance Officer can:
- Review and approve/reject session annotations
- Generate governance reports and evidence packages
- Manage GDPR erasure requests and legal holds
- View compliance scores, policy configurations, and audit trails
- Schedule automated compliance report exports
- Access AI Act, NIST AI RMF, and HIPAA/SOC 2 dashboards
Cannot invite users, change billing settings, or modify SSO configuration.
CustomerBusinessOwner
Focused on business metrics and cost oversight. A Business Owner can:
- View dashboards, analytics, and ROI reports
- Create and manage cost budgets and spend alerts
- View session volume trends and plan usage
- Access Business Outcome and DVR portfolio summaries
Cannot view session-level evidence, governance details, or manage users.
CustomerAuditor
Read-only access plus participation in formal audit engagements. An Auditor can:
- Browse sessions, applications, dashboards, and compliance scores (read-only)
- Access active audit engagements assigned to them
- Submit attestations against compliance controls
- Sign evidence packages during an engagement period
- Access auditor-specific evidence views
This role is typically assigned to external auditors or internal audit staff. It was previously labelled CustomerViewer — the legacy alias is still accepted in the API and SSO claim mappers for backward-compatibility, but all new assignments should use CustomerAuditor.
Role Permissions Matrix
| Capability | Admin | Developer | Gov. Engineer | Compliance Officer | Business Owner | Auditor |
|---|---|---|---|---|---|---|
| Invite / deactivate users | ✅ | — | — | — | — | — |
| Assign / revoke roles | ✅ | — | — | — | — | — |
| Configure SSO | ✅ | — | — | — | — | — |
| Manage API keys | ✅ | ✅ | — | — | — | — |
| Configure webhooks | ✅ | — | — | — | — | — |
| Create / delete applications | ✅ | ✅ | — | — | — | — |
| Configure SDK adapters & trace settings | ✅ | ✅ | ✅ | — | — | — |
| Draft rules (Sandbox / Dev) | ✅ | — | ✅ | ✅ | — | — |
| Draft rules (Production) | ✅ | — | ✅⁺ | ✅ | — | — |
| Activate rules (Production) | ✅ | — | — | ✅ | — | — |
| Initiate data deletion | ✅ | — | — | — | — | — |
| Manage cost budgets | ✅ | — | — | — | ✅ | — |
| View dashboards & analytics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View sessions (list) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View session evidence detail | ✅ | ✅ | ✅ | ✅ | — | ✅ |
| Use Prompt Playground | ✅ | ✅ | — | — | — | — |
| Manage evaluation datasets | ✅ | ✅ | — | — | — | — |
| Approve / reject session reviews | ✅ | — | — | ✅ | — | — |
| Manage GDPR erasure / legal holds | ✅ | — | — | ✅ | — | — |
| Generate evidence packages | ✅ | — | — | ✅ | — | ✅ |
| Schedule compliance reports | ✅ | — | — | ✅ | — | — |
| View audit logs | ✅ | — | — | ✅ | — | ✅ |
| Submit audit engagement attestations | — | — | — | — | — | ✅ |
| View plan and billing details | ✅ | — | — | — | ✅ | — |
⁺ Production draft requires approval. Governance Engineers can submit Production rule and configuration changes, but those changes enter a pending state until approved by a CustomerAdmin or CustomerComplianceOfficer.
Assigning a Role
Open User Management
Navigate to Settings → Members and click on the user’s name to open their profile.
Open Role Assignments
Click the Roles tab on the user profile page.
Grant a role
Click Assign role, select the role from the dropdown, and click Confirm.
The change takes effect immediately. The user’s next request to the portal will reflect the new role.
API
```
GET    /v1/users/{userId}/role-assignments
POST   /v1/users/{userId}/role-assignments
DELETE /v1/users/{userId}/role-assignments/{id}
```
To grant a role via the API:
```
POST /v1/users/{userId}/role-assignments
Content-Type: application/json

{
  "role": "CustomerComplianceOfficer"
}
```
To list all role assignments across the entire tenant (CustomerAdmin only):
```
GET /v1/users/role-assignments
```
Revoking a Role
You cannot revoke the CustomerAdmin role from a user if they are the last admin in the tenant.
- Open the user’s profile in Settings → Members.
- Click the Roles tab.
- Click the × next to the role you want to remove.
- Confirm the revocation.
Role revocation takes effect on the user’s next request. Any active browser session they have open will enforce the updated permissions without requiring them to log out.
Default Role for New Invitations
When inviting a new user, the system defaults to CustomerAuditor — the least-privilege role. Elevate the role during invitation (or afterwards) only when the user’s responsibilities require it.
Multiple Roles
A user can hold more than one role simultaneously. Role grants are additive — the effective permission set is the union of all granted roles. For example, a user with both CustomerViewer and CustomerAuditor has auditor-level access in addition to standard read access.
Most users only need a single role. Multi-role grants are primarily useful for external auditors who also need standard read-only access between engagements.
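As an added example (not VeriProof's own code), the following Python models the assignment rules stated on this page in one in-memory tenant: only a CustomerAdmin may manage role assignments, new invitations default to CustomerAuditor, the legacy CustomerViewer alias is normalised to CustomerAuditor on input, grants are additive, and the last active CustomerAdmin can be neither revoked nor deactivated. The Tenant class, its method names and the user ids are assumptions for this example.

```python
# Least-privilege default for new invitations, per "Default Role for New Invitations".
DEFAULT_ROLE = "CustomerAuditor"
ADMIN = "CustomerAdmin"
ROLES = {
    ADMIN, "CustomerDeveloper", "CustomerGovernanceEngineer",
    "CustomerComplianceOfficer", "CustomerBusinessOwner", DEFAULT_ROLE,
}
# Legacy name still accepted on input (API / SSO claim mappers); stored normalised.
LEGACY_ALIASES = {"CustomerViewer": "CustomerAuditor"}


def normalise_role(role):
    """Map legacy aliases to the current name and reject unknown roles."""
    role = LEGACY_ALIASES.get(role, role)
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    return role


class Tenant:
    """In-memory tenant (assumed structure): user_id -> {'active': bool, 'roles': set}."""

    def __init__(self, first_admin):
        # Bootstrap: a tenant starts with one active CustomerAdmin.
        self.users = {first_admin: {"active": True, "roles": {ADMIN}}}

    def roles_of(self, user_id):
        """Effective roles; a deactivated user holds none."""
        rec = self.users.get(user_id)
        return set(rec["roles"]) if rec and rec["active"] else set()

    def active_admins(self):
        return {u for u, rec in self.users.items()
                if rec["active"] and ADMIN in rec["roles"]}

    def _require_admin(self, actor):
        # Only CustomerAdmin may manage role assignments.
        if ADMIN not in self.roles_of(actor):
            raise PermissionError(f"{actor} is not an active CustomerAdmin")

    def invite(self, actor, user_id, role=DEFAULT_ROLE):
        self._require_admin(actor)
        if user_id in self.users:
            raise ValueError(f"{user_id} already exists")
        self.users[user_id] = {"active": True, "roles": {normalise_role(role)}}

    def grant(self, actor, user_id, role):
        self._require_admin(actor)
        self.users[user_id]["roles"].add(normalise_role(role))   # grants are additive

    def revoke(self, actor, user_id, role):
        self._require_admin(actor)
        role = normalise_role(role)
        if role == ADMIN and self.active_admins() == {user_id}:
            raise ValueError("cannot revoke CustomerAdmin from the last active admin")
        self.users[user_id]["roles"].discard(role)

    def deactivate(self, actor, user_id):
        self._require_admin(actor)
        if self.active_admins() == {user_id}:
            raise ValueError("cannot deactivate the last active CustomerAdmin")
        self.users[user_id]["active"] = False
```

The last-admin guard is evaluated against active admins, not merely existing ones, so deactivating an admin is checked with the same invariant as revoking the role; the check runs before the mutation so a refused request leaves the tenant unchanged.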