> ## Documentation Index
> Fetch the complete documentation index at: https://ownpay.org/docs/llms.txt
> Use this file to discover all available pages before exploring further.

> ## Agent Instructions
> OwnPay is licensed under AGPL-3.0 and is completely free - no licensing fees.
> Production docs URL: https://ownpay.org/docs - append .md to any page URL for clean markdown.
> OwnPay requires PHP 8.3+, MySQL/MariaDB, and Redis.
> MCP server available at https://ownpay.org/docs/mcp for programmatic documentation queries.
> Use root-relative links (e.g. /quickstart) for internal navigation - do NOT include /docs prefix.
> Plugin development: consult /developer/plugin-types/ pages for correct interfaces and manifests.

# Staff Management - Add Team Members and Assign Roles

> Add team members, assign administrative roles, configure per-brand permission scopes, and monitor staff activity logs from the OwnPay admin.

The Staff page allows the super-administrator to invite team members and assign them to specific roles and brand scopes. Instead of sharing credentials, each staff member logs in using their own email, password, and optional two-factor authentication (2FA).

## Getting here

1. Log in to the OwnPay admin dashboard
2. Under the **PEOPLE** section in the left sidebar, click **Staff**

## Page sections

### 1. Staff members table

Lists all administrative users configured under the active brand:

* **NAME:** Display name of the staff member
* **EMAIL:** Email address used for authentication
* **ROLE:** Assigned role type (e.g., Owner, Manager, or Support)
* **2FA:** Status of Two-Factor Authentication (displays `ON` or `OFF`)
* **LAST LOGIN:** Timestamp of the user's last login
* **STATUS:** Account status (`active` or `suspended`)
* **ACTIONS:** Click **Edit** to update details, reset passwords, or suspend access

### 2. Add staff member panel

Accessed by clicking the **+ Add Staff** button:

* **Name / Email / Password:** Authentication credentials
* **Role Dropdown:** Select the role definition to assign
* **Permissions Checkbox Grid:** Select specific permission nodes to override or assign to this user

## Fields and options reference

| Field Name      | Type       | Required | Description                                               |
| --------------- | ---------- | -------- | --------------------------------------------------------- |
| **Name**        | Text Input | Yes      | Full name of the staff member                             |
| **Email**       | Text Input | Yes      | Login email address                                       |
| **Password**    | Text Input | Yes      | Initial login password. Needs to be at least 8 characters |
| **Role**        | Select     | Yes      | Role definition maps default permissions                  |
| **Permissions** | Checkboxes | No       | Override checkboxes to grant specific permissions         |

## Step-by-step: creating a staff member

1. Click the **+ Add Staff** button in the header
2. Enter the member's **Name** (e.g., `John staff`) and login **Email** (e.g., `john.staff@example.com`)
3. Set a strong **Password** (e.g., at least 8 characters with numbers)
4. Select their **Role** (e.g., `Owner`)
5. Choose specific capability flags under the **Permissions** list if you need to restrict their access
6. Click **Create** to save

## Permissions resolution flow

When a staff user logs in:

1. The middleware resolves the user's role and retrieves default permissions
2. Any custom permission checkboxes checked under the user's profile override the role defaults
3. The user's sidebar and navigation options are filtered dynamically based on these permission flags. If they attempt to load a restricted page, the router returns a **403 Forbidden** error

## Best practices

* Require all staff members to enable Two-Factor Authentication (2FA) under their account profile settings
* Apply the *Principle of Least Privilege* by only ticking checkboxes for sections they need
* Do not share your primary Owner password with other staff members. Create a distinct account for each user
* Do not set weak default passwords when creating new staff accounts

<Warning>
  When creating a staff member, verify that their brand scoping is set correctly. Standard staff members cannot switch to other brands unless explicitly granted multi-brand access in their database profile.
</Warning>

## Common mistakes and troubleshooting

| Symptom                             | Cause                                     | Fix                                                                        |
| ----------------------------------- | ----------------------------------------- | -------------------------------------------------------------------------- |
| Staff cannot log in                 | Password not set or account not activated | Reset password via **People > Staff > Edit**                               |
| Staff cannot access certain pages   | Role permissions too restrictive          | Edit the staff member's role and enable the required permissions           |
| Staff locked out after enabling 2FA | Lost access to authenticator app          | Disable 2FA for the user from **People > Staff > Edit** (super-admin only) |
| Staff sees data from wrong brand    | Brand scoping not set correctly           | Verify the staff member's brand assignment in their profile                |

## Related pages

* [Roles and Permissions](/user-guide/people/roles) - Manage group permission mappings
* [My Account](/user-guide/account/my-account) - Set up 2FA and edit personal profiles
* [Audit Log](/user-guide/reports-finance/audit-log) - Monitor staff actions and log activity history


## Related topics

- [My Account - Profile Settings, Password, and 2FA](/docs/user-guide/account/my-account.md)
- [Roles and Permissions - RBAC for Admin and Brand Access](/docs/user-guide/people/roles.md)
- [Brands - Create and Configure White-Label Storefronts](/docs/user-guide/people/brands.md)
- [Customers - Profiles, Transaction History, and Methods](/docs/user-guide/people/customers.md)
- [Brands - Multi-Tenant Isolation for Payment Merchants](/docs/concepts/brands.md)
