Team Management#
Zaphod Beeblebrox had two heads and three arms, yet he still had to delegate some things. So do you. As your company grows — or when you just get tired of running everything alone — you invite your team to the panel. The accountant sees invoices, the tech team handles servers, and you sip your coffee in peace.
Team Management lives at Settings → Team. Only managers (owner and admin) can see it — because deciding who gets invited is about as consequential as deciding who picks up the tab at the Restaurant at the End of the Universe.
Role Definitions#
Every member has a role. The role determines what the user can see in the panel and what they can ask Morpheus AI to do.
| Role | What they can do | Who it's for |
|---|---|---|
| Manager (Owner) | Everything. Godlike powers. | The company founder / first registered user |
| Manager | Everything (except owner-only things). | Trusted teammates |
| Technical | Servers, VPS, domains, DNS, support tickets | Sysadmins, DevOps |
| Billing | Invoices, payments, contracts, quotes | Accountants, finance team |
| Read Only | Everything visible, nothing changeable | Managers, auditors |
| QSA / Auditor | Compliance and audit log only | External audit firms, PCI-DSS QSAs |
Owner is special
There can only be one Owner per company — the role can't be deleted or changed. It's like a Babel fish; without it, communication stops. If you need a second manager for teamwork, assign the Manager role — they can do everything (including inviting new managers).
Inviting a Member#
- Go to Settings → Team
- Fill in the Invite New Member form at the bottom:
- Email — the person's work email
- Role — pick from the table above
- Send Invite — the invitation link goes out via email
The invite is valid for 7 days. The invited person clicks the link, logs in (or creates an account automatically if they don't have one), and joins the team. Even though the Hitchhiker's Guide says "Don't Panic," pressing the orange Accept button is all it takes.
Emails already active elsewhere
The same email address can't be an active member in multiple companies at the same time. One person can't be the accountant at Company A and technical at Company B simultaneously. It's a feature, not a bug — some rules of the galaxy work that way.
Member Limits#
Maximum member count varies by your company plan:
| Plan | Maximum Members |
|---|---|
| Standard | 5 |
| Premium | 10 |
| Enterprise | 15 |
| PCI-DSS / ISO 27001 | 25 |
You can't send invites once you hit the limit. Contact support to upgrade your plan.
Changing Roles and Removing Members#
In the active members list, each row has a role dropdown and a red "remove" icon.
- Change role: Pick the new role, confirm the dialog. The member's access updates instantly.
- Remove member: Click the red icon. The member can no longer access the panel, but their records (tickets created, actions taken) are preserved — audit log keeps the trail.
Changes apply instantly
When you change a role or remove a member, their active browser session picks up the new permissions on the next page load. A 500ms delay is acceptable — compared to Deep Thought's seven and a half million years.
Join Requests#
Users who register with a company email but haven't received an invite can send a Join Request if they know your tax number. These appear at the top of the Team page under Pending Join Requests.
For each request: 1. Read the user's email and any note 2. Pick the role to assign 3. Approve and Add or Reject
Approving adds the user to your company with the chosen role. Rejecting closes the request and the user is allowed to send new ones (max 3 per 24 hours).
When is a join request useful?
An employee registered to the hub on their own and wants access without waiting for you. Or a new teammate knows the company tax number and is being proactive. Either way, the decision is yours — you say "yes, I know this person" and pick their role. No Vogon bureaucracy, just one button.
Morpheus AI and Permissions#
Morpheus behaves according to your team member's role. When a billing user says "restart the VPS," Morpheus tells them "you don't have permission for this, check with your admin" — because permissions apply not just to the panel menu, but to the AI assistant as well.
Three layers of protection:
- Visibility filter — Morpheus isn't even told about forbidden tools. The accountant can't ask Morpheus for VPS tools, because Morpheus doesn't know them.
- Protocol validation — the Anthropic API rejects calls to tools not in the declared list.
- Runtime gate — every tool call passes a final permission check before executing. If permission is missing, it returns
PERMISSION_DENIED.
When permission is denied
When Morpheus says "you don't have permission for this," asking the same thing in different words won't help. Don't mistake Morpheus's stubborn politeness — it's not lying, you actually don't have permission. Tell your company admin to update your role.
Advanced: Custom Permissions#
Every role has a default permission set, but you can grant additional permissions on top. For example, the billing role doesn't include add/remove card by default (PCI-DSS sensitivity). If needed, you can edit the member and manually add billing.cards_manage.
Permissions are grant-only — you can't remove permissions from a role, only add. If you need to restrict, pick a narrower role.
Granting extra permissions is a responsibility
Granting VPS management to a billing user is technically possible but semantically odd — why would your accountant restart a server? Leaving roles alone also protects job boundaries. As Marvin put it: "Brain the size of a planet, and you tell me to be an accountant." A role isn't just permissions, it's identity.
FAQ#
Q: Can I change the owner? A: Not right now. The owner role is tied to the company founder. If you need to transfer, contact support — it's a manual process.
Q: Can I temporarily pause a member? A: Yes, instead of remove you can switch their role to Read Only. Or to fully freeze access, remove them and re-invite when needed.
Q: Why does QSA only see compliance? A: QSA (Qualified Security Assessor) is an external auditor. They don't need to see your internal data; they only check compliance documents and the audit trail. Privacy by default.
Q: Is two-factor authentication (2FA) mandatory for the team? A: Currently each user enables 2FA for themselves. Team-wide mandatory 2FA is on the roadmap — coming in a future round.