Members & Roles
Invite members, assign roles, manage seat usage, transfer ownership, and understand the permission model in the dashboard.
The Members page at /[orgSlug]/settings/members is where you control who can access your AACsearch workspace and what they can do. The permission model is role-based and lives at the organization level — every membership ties a user to an org with exactly one role.
Roles
AACsearch has four roles. They are ordered from most to least privileged.
| Role | Can do |
|---|---|
| owner | Everything an admin can, plus: transfer ownership, change billing plan, delete the organization. Exactly one owner per org at all times. |
| admin | Invite/remove members (any role except owner), create/delete indexes, manage API keys, edit relevance settings, run reindex, manage connectors, view audit logs, manage billing (except plan change and deletion). |
| member | Read all dashboard data, run searches in the Playground, view analytics, read the audit log. Cannot create/delete indexes, create/revoke API keys, change relevance settings, or invite users. |
| viewer | Read-only access to overview, analytics, audit log, and members list. No write actions anywhere. Useful for stakeholders who need visibility without operational privileges (e.g. product managers, auditors). |
Roles are enforced by oRPC middleware in packages/api/orpc/procedures.ts:
- `publicProcedure` — no role required (login/signup, public docs widget).
- `protectedProcedure` — any logged-in user.
- `protectedProcedure.use(requireOrgRole("admin"))` — admin or owner only.
- `adminProcedure` — platform admin (separate from org admin; see Plans & Limits).
Server checks are authoritative. UI hiding of a button is convenience only — every action revalidates the role on submit.
Inviting a member
From /[orgSlug]/settings/members:
- Click Invite member.
- Enter the invitee's email address.
- Pick a role (default: `member`).
- Click Send invite.
The invitee receives an email with a one-time link valid for 14 days. They:
- Click the link.
- Sign in or create an account (Better Auth handles password, OAuth, passkey).
- Land on the organization with the role assigned at invite time.
The invite is recorded in the audit log (add_member action) at the moment the invitee accepts, not at send time.
Bulk invite
For larger team rollouts, paste a comma- or newline-separated list of emails into the invite dialog. All addresses are sent the same role. Invalid addresses are flagged with a row-level error and not sent.
There is no CSV upload — bulk paste covers up to a few hundred addresses, which fits the seat caps of every paid plan.
Changing a member's role
From the members list, open the row actions menu and pick Change role. The new role takes effect immediately for new requests. In-flight requests already authorized continue to completion.
Owners cannot demote themselves. To hand off ownership, use Transfer ownership (below).
Audit trail
| Action | When emitted |
|---|---|
| add_member | Invite accepted |
| remove_member | Member removed (any role) |
| change_member_role | Role changed (with old/new in details) |
Removing a member
From the row actions menu pick Remove from organization. The member loses access immediately. Their personal account is untouched — only their membership in this org is revoked.
Removing a member does not revoke API keys they created. Treat API key audit separately:
- Review keys created by the leaving member (filter the audit log by `userId` + `create_api_key`).
- Revoke any key that should no longer exist (see API Keys).
- Document the rotation in your access-review log.
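As an added example (not the product's own code), the following reconciles a departing member's `create_api_key` entries against later revocations and emits lines for the access-review log. The audit entry shape, the `details.keyId` field, the `revoke_api_key` action name and all sample entries are constructed assumptions; the page itself names only `create_api_key` and the `ss_search_*` / `ss_connector_*` key prefixes.

```typescript
// Added example, not the product's own code: reconcile API keys created by a departing
// member against the audit log so none survives their removal unreviewed.
// Assumptions (constructed): entries carry action, userId, timestamp and a details map;
// the key id sits in details.keyId; revocation is logged as "revoke_api_key"
// (the docs name only create_api_key).

interface AuditEntry {
  timestamp: string;              // ISO-8601
  action: string;                 // e.g. create_api_key, remove_member
  userId: string;                 // the actor
  details: Record<string, string>;
}

type KeyKind = "search" | "connector" | "unknown";

// Classify a key by its documented prefix (ss_search_*, ss_connector_*).
function classifyKey(keyId: string): KeyKind {
  if (keyId.startsWith("ss_search_")) return "search";
  if (keyId.startsWith("ss_connector_")) return "connector";
  return "unknown";
}

// Keys the leaving member created that have no revocation entry (by anyone), sorted.
function keysNeedingReview(log: AuditEntry[], leavingUserId: string): string[] {
  const created = new Map<string, string>(); // keyId -> creation timestamp
  const revoked = new Set<string>();
  for (const e of log) {
    const keyId = e.details.keyId;
    if (!keyId) continue; // membership events carry no key id
    if (e.action === "create_api_key" && e.userId === leavingUserId) created.set(keyId, e.timestamp);
    if (e.action === "revoke_api_key") revoked.add(keyId);
  }
  return [...created.keys()].filter((k) => !revoked.has(k)).sort();
}

// One line per outstanding key, ready for the access-review log.
function reviewReport(log: AuditEntry[], leavingUserId: string): string[] {
  return keysNeedingReview(log, leavingUserId).map(
    (k) => `REVIEW ${k} (${classifyKey(k)} key) created by ${leavingUserId}, not yet revoked`,
  );
}

// Constructed sample audit log: u-leaving created two keys, an admin revoked one,
// then u-leaving was removed from the org.
const sampleAudit: AuditEntry[] = [
  { timestamp: "2024-03-01T09:00:00Z", action: "create_api_key", userId: "u-leaving", details: { keyId: "ss_search_k1" } },
  { timestamp: "2024-03-02T10:00:00Z", action: "create_api_key", userId: "u-leaving", details: { keyId: "ss_connector_k2" } },
  { timestamp: "2024-03-03T11:00:00Z", action: "create_api_key", userId: "u-staying", details: { keyId: "ss_search_k3" } },
  { timestamp: "2024-03-10T12:00:00Z", action: "revoke_api_key", userId: "u-admin", details: { keyId: "ss_search_k1" } },
  { timestamp: "2024-03-15T08:00:00Z", action: "remove_member", userId: "u-admin", details: { member: "u-leaving" } },
];

for (const line of reviewReport(sampleAudit, "u-leaving")) console.log(line);
```

Revocations are matched by key id regardless of who performed them, because the admin who removes a member is usually not the person who created the keys; only keys with no revocation at all are reported.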
Transferring ownership
Only an owner can transfer ownership. From the members list, open the row actions on another admin and pick Transfer ownership.
- The current owner confirms the transfer with their password (re-auth gate).
- The target user is promoted to `owner`.
- The current owner is demoted to `admin`.
There is always exactly one owner. The promotion + demotion happens atomically.
If the current owner has left the company and no other owner exists, contact support — platform admins can reassign ownership via /admin/organizations.
Seat usage
Every paid plan has a seat cap (maxSeats). The members list shows Active members: N / cap at the top. Seat counting rules:
- Owners, admins, members, and viewers all consume a seat.
- Removed members free a seat immediately.
- Pending invites do not consume seats — only accepted invites count.
When you reach the cap, the Invite button is disabled with a tooltip explaining the limit. Upgrade or remove inactive members to free seats.
See Plans & Limits for per-plan seat caps and overage behavior.
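The in-memory model below is an added example, not the product's own code, covering both the ownership-transfer rules above and the seat-counting rules in this section: exactly one owner at all times, promotion and demotion applied in one step, owners unable to demote themselves, transfer only to an accepted admin, pending invites not counting toward `maxSeats`, and removal freeing a seat immediately. The class, method names and sample users are constructed; the password re-auth gate that precedes a real transfer is out of scope.

```typescript
// Added example, not the product's own code: one organization's memberships with the
// invariants from "Transferring ownership" and "Seat usage" enforced in code.
// Class and method names are constructed; the re-auth gate is not modelled.

type Role = "owner" | "admin" | "member" | "viewer";
const PRIVILEGE: Record<Role, number> = { owner: 0, admin: 1, member: 2, viewer: 3 };

interface Row {
  userId: string;
  role: Role;
  status: "pending" | "accepted";
}

class OrgMembers {
  private rows = new Map<string, Row>();

  // An org is created with exactly one accepted owner.
  constructor(ownerId: string, readonly maxSeats: number) {
    this.rows.set(ownerId, { userId: ownerId, role: "owner", status: "accepted" });
  }

  roleOf(userId: string): Role | undefined {
    return this.rows.get(userId)?.role;
  }

  ownerCount(): number {
    return [...this.rows.values()].filter((r) => r.role === "owner" && r.status === "accepted").length;
  }

  // Every accepted membership of any role consumes a seat; pending invites do not.
  seatsUsed(): number {
    return [...this.rows.values()].filter((r) => r.status === "accepted").length;
  }

  // The Invite button is disabled once the cap is reached.
  canInvite(): boolean {
    return this.seatsUsed() < this.maxSeats;
  }

  private requireAtLeast(actorId: string, role: Role): Row {
    const actor = this.rows.get(actorId);
    if (!actor || actor.status !== "accepted" || PRIVILEGE[actor.role] > PRIVILEGE[role]) {
      throw new Error(`${actorId} needs ${role} or higher`);
    }
    return actor;
  }

  invite(actorId: string, userId: string, role: Role): void {
    this.requireAtLeast(actorId, "admin");
    if (role === "owner") throw new Error("owner is assigned only via transfer");
    if (!this.canInvite()) throw new Error("seat cap reached");
    if (this.rows.has(userId)) throw new Error(`${userId} already has a membership or invite`);
    this.rows.set(userId, { userId, role, status: "pending" });
  }

  // Accepting the invite is what consumes the seat (and is when add_member is logged).
  accept(userId: string): void {
    const row = this.rows.get(userId);
    if (!row || row.status !== "pending") throw new Error(`no pending invite for ${userId}`);
    row.status = "accepted";
  }

  // Admins may remove anyone except the owner; the seat is freed immediately.
  remove(actorId: string, userId: string): void {
    this.requireAtLeast(actorId, "admin");
    if (this.rows.get(userId)?.role === "owner") throw new Error("transfer ownership first");
    this.rows.delete(userId);
  }

  // Role changes never touch the owner row: an owner cannot demote themselves and an
  // admin cannot alter the owner, so the only path to a new owner is transferOwnership.
  changeRole(actorId: string, userId: string, newRole: Role): void {
    this.requireAtLeast(actorId, "admin");
    const target = this.rows.get(userId);
    if (!target) throw new Error(`${userId} is not a member`);
    if (newRole === "owner" || target.role === "owner") {
      throw new Error("use transferOwnership to change who owns the org");
    }
    target.role = newRole;
  }

  // Promotion and demotion happen in one synchronous step; the invariant is re-checked.
  transferOwnership(currentOwnerId: string, targetId: string): void {
    const owner = this.requireAtLeast(currentOwnerId, "owner");
    const target = this.rows.get(targetId);
    if (!target || target.status !== "accepted" || target.role !== "admin") {
      throw new Error("ownership can only be transferred to an accepted admin");
    }
    target.role = "owner";
    owner.role = "admin";
    if (this.ownerCount() !== 1) throw new Error("invariant violated: owner count != 1");
  }
}
```

The seat cap is checked when the invite is issued, matching the disabled Invite button; because pending invites hold no seat, `seatsUsed()` only changes at `accept()` and `remove()`.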
Service accounts
There is no dedicated "service account" entity. For server-side automation that should not be tied to a human:
- Create a shared mailbox (e.g. `aacsearch-bot@yourcompany.com`).
- Invite it as a `member` (or `admin` if it needs write actions on indexes).
- Use API keys (`ss_search_*`, `ss_connector_*`) for actual data-plane traffic — keys do not consume seats and can be created by any admin.
Most automation should use API keys rather than membership. Membership is only needed when the bot must drive the dashboard UI itself (rare).
SCIM (enterprise)
Enterprise plans support SCIM 2.0 provisioning. When SCIM is enabled, identity is mirrored from your IdP (Okta, Entra ID, Google Workspace):
- Users are auto-provisioned on first sign-in if they belong to a mapped group.
- De-provisioning in the IdP revokes the AACsearch membership.
- Role mapping is set in the IdP group → AACsearch role table at `/admin/scim`.
SCIM endpoints live at /scim/v2/ and are documented in API Reference → SCIM. Plan availability: enterprise only — see Plans & Limits.
Common scenarios
"I want a contractor to fix relevance settings for two weeks"
Invite them as admin. Remove them after two weeks. Review the audit log for any keys they created and revoke them.
"Our product manager wants to see analytics but I don't want them to delete anything"
Invite them as viewer. They get read access to overview, analytics, and audit log. They cannot run reindex, edit relevance, or touch keys.
"Our oncall engineer should be able to run reindex but not change billing"
Invite them as admin. Only the owner can change the billing plan or delete the org.
"We need to rotate the owner because the founder is leaving"
Transfer ownership to the incoming owner before the founder loses access. After the transfer the founder can be removed safely.
Related
- Dashboard Overview — what the org overview screen shows and where the data comes from.
- API Keys — programmatic access independent of membership.
- Audit Logs — track every membership change.
- Plans & Limits — per-plan seat caps and enterprise SCIM.