Team management

Written by Aashiq, Founder, AskVault · Reviewed by Aashiq

Last updated: May 15, 2026 · 4 min read

TL;DR

Invite up to 10 team members on Business (3 on Growth, 1 on Starter). Four account-level roles plus four workspace-scoped roles. Pending invites expire after 7 days. Full audit log per member. Two-factor auth optional, required on Enterprise.

Team capacity per plan

Plan	Team members	Workspaces
Free	1	1
Starter	1	2
Growth	3	5
Business	10	15
Enterprise	Unlimited	Unlimited

If you need more seats than your plan offers, upgrade or contact sales.

Two role layers

Distinct from each other:

Account-level roles. Apply across all workspaces in your account.

• Account Owner. Created the account. Single owner. Full control.
• Account Admin. Can manage all workspaces, billing, team. Multiple allowed.
• Account Member. Standard team member. Workspace-scoped roles further constrain.
• Account Viewer. Read-only across the account.

Workspace-scoped roles. Apply per-workspace, layered on top.

• Workspace Owner. Full workspace control. Default: account-owner.
• Workspace Admin. Configure settings, integrations, skills. Can't delete.
• Workspace Editor. Knowledge Hub + Conversations write access. No settings.
• Workspace Viewer. Read-only.

A user can be Account Admin but Workspace Viewer for a specific workspace. Granular control.

Inviting a team member

Five clicks:

1. Open Dashboard > Team Management > Invite.
2. Enter email.
3. Pick account-level role.
4. Pick per-workspace roles (one row per workspace).
5. Send invite.

The invitee gets an email with a signup link. Link expires in 7 days.

Once accepted:

• Invitee creates an AskVault password (or logs in via Google OAuth).
• Account auto-verifies (no separate email verification needed; the invite verified it).
• They land in the workspace.

Invite-acceptance rate: about 70 to 85% within 24 hours.

Pending invites

The team page lists:

• Email.
• Invited at timestamp.
• Expires at (7 days from invite).
• Resend button.
• Cancel button.

Resend if the original email got lost. Cancel if you changed your mind.

Changing a member's role

Two-click change:

1. Click the member's row.
2. Update account-level or per-workspace role.
3. Save.

Role change applies within 30 seconds. The member's next API call honors the new role. The dashboard's UI also reflects it on next page load.

Removing a team member

Three steps:

1. Open the member's profile.
2. Click "Remove from account".
3. Confirm.

Removal:

• Revokes all sessions within 30 seconds.
• Disables all the member's API keys.
• Preserves their authored conversations and notes for audit; reassigns to "[Removed user]" attribution.
• Doesn't delete contact data or knowledge sources they uploaded.

If the removed member was a sole admin of a workspace, you must promote another admin first to avoid orphaning.

Workspace-scoped pools

For role-specialization patterns:

• Billing agents. Members with workspace-Editor role plus the billing tag.
• Senior agents. Workspace-Admin role plus senior tag.
• Engineering on-call. Workspace-Editor plus engineering tag.

Automation rules can route conversations to specific pools. See also claim conversations.

Multi-factor authentication

Optional but recommended:

• TOTP authenticator (Google Authenticator, 1Password, Authy).
• SMS backup for recovery (if TOTP device lost).

Enable per-user under Account Settings > Security > Two-Factor Auth.

On Enterprise, 2FA can be required workspace-wide. Members without 2FA can't sign in until they set it up.

Single Sign-On (SSO)

For Enterprise accounts requiring SSO:

• SAML 2.0 (Okta, Azure AD, OneLogin, etc.).
• OIDC (Google Workspace, Auth0, custom IdP).
• JIT provisioning auto-creates user accounts on first SSO login.
• SCIM for automated user lifecycle (planned).

Configure under Account Settings > Security > SSO. Available on Enterprise plans.

When SSO is required:

• Email + password login disabled for the team's domain.
• All members must come through the IdP.
• Off-boarding is automatic when the IdP removes the user.

Audit log per member

For each team member:

• Last login timestamp and IP.
• Conversations claimed and resolved.
• Knowledge edits.
• Settings changes.
• API keys created or rotated.
• Skill configuration changes.

Visible under Team Management > [member] > Audit. Retained 365 days standard, 6 years Enterprise.

Useful for compliance audits and offboarding reviews.

Role permissions matrix

What each role can do:

Action	Owner	Admin	Editor	Viewer
View dashboard	Yes	Yes	Yes	Yes
View conversations	Yes	Yes	Yes	Yes
Reply to conversations	Yes	Yes	Yes	No
Edit knowledge	Yes	Yes	Yes	No
Configure skills	Yes	Yes	No	No
Manage integrations	Yes	Yes	No	No
Invite team members	Yes	Yes	No	No
Manage billing	Yes	No	No	No
Delete workspace	Yes	No	No	No

Custom roles available on Enterprise.

Sample team structure

A typical mid-size support team:

• 1 Account Owner. CEO or VP.
• 2 Account Admins. Head of support, Head of operations.
• 5 Account Members with Workspace Editor. Frontline support agents.
• 2 Account Members with Workspace Editor + senior tag. Senior agents (escalation handlers).

Plus, for cross-functional access:

• 1 Workspace Viewer. Marketing reviewing customer sentiment.
• 1 Workspace Viewer. Engineering monitoring sentiment for product issues.

Total: 10 seats (Business plan limit). Larger teams need Enterprise.

Self-service offboarding

When an employee leaves:

1. Open Team Management.
2. Find the member.
3. Click Remove.
4. All access ends within 30 seconds.

For broader offboarding (Slack revoke, GitHub revoke, etc.), AskVault is one stop in your IT runbook. Consider scripting via the Team API.

Planned features (on the roadmap)

Documented for accuracy:

• SCIM provisioning. Today, manual invites or SSO JIT. SCIM 2.0 for automated lifecycle planned.
• Custom roles. Today, fixed roles. Granular permission rules per role planned for Enterprise.
• Team templates. Today, manual setup. Pre-built team templates (support team, sales team, internal helpdesk) planned.
• Audit log export. Today, view in dashboard. Native export to SIEM (Splunk, Datadog) planned.

Limits

• Team members per account. Plan-dependent (1 to 10 plus unlimited Enterprise).
• Pending invite expiry. 7 days.
• Role changes per minute. 10 (rate-limited to prevent accidental mass-changes).
• Audit retention. 365 days standard.

Common pitfalls

Invite never received. Check spam. If still missing, cancel and resend.

Member sees too little. Workspace-scoped role too restrictive. Bump to Editor for full conversation access.

Member sees too much. Workspace-scoped role too permissive. Lower to Viewer for read-only.

Removed member can still log in briefly. Active sessions persist up to 30 seconds. After that, they're bounced to login. Force-immediate logout via the audit log if needed.

Sole admin removed. Workspace orphaned. Promote another admin first.

FAQ

Can a single user be in multiple accounts?

Yes. Same email can be invited to multiple accounts. The user picks which account at login.

What happens to an invitee's data if they don't accept?

Nothing. No account is created until acceptance. Pending invites carry no data.

Can I bulk-invite via CSV?

Today, no native bulk-invite. Use the Team API to loop through emails. CSV bulk-invite is planned.

Does the team count include API-key-only service accounts?

Today, API keys are not counted as team members. Each key is an anonymous service principal. Named service accounts are planned.

Can I export team activity for HR or compliance?

Yes via Audit Log Export under Account Settings > Audit Log.

Related guides

• Login and signup
• Google OAuth login
• Workspace settings
• Audit and compliance
• Account deletion

See RAG-grounded answers in action

Every AskVault answer is grounded in the source documents you upload. Never hallucinated.

Try AskVault Free → Read the API docs

Was this page helpful? Yes No