User Roles and Permissions Guide

This guide is for IT staff, change management teams, and project administrators who need to manage users, teams, and notebooks in Fieldmark. It covers role assignment, access control, and common administrative workflows.

Introduction

Who This Guide Is For

This guide is designed for:

  • Change management staff onboarding users and managing access

  • Project administrators setting up teams and notebooks

  • IT staff supporting Fieldmark deployments

If you’re looking to create notebooks or collect data, see the Quickstart Guide instead.

What This Guide Covers (and Doesn’t)

This guide covers:

  • Managing users at system, team, and notebook levels

  • Role assignment and access control

  • Common administrative workflows

This guide does not cover:

  • Template creation or management

  • Notebook design and form building (see Quickstart Guide)

  • Data collection and record management

  • API access and tokens

  • System configuration and Single Sign-On (SSO) setup

UI Patterns at a Glance

Before diving into procedures, here’s how management differs across the three areas:

Location

How to Add User

How to Add Role

How to Change Role

How to Remove

Users (system)

Create a global invite (Users → Invites tab)

Click “add” button in Roles column

Click × on role badge, then add new role

Click × on role badge (removes role only)

Teams → Users

Click “+ Add user” or go to Invites tab

Click “+” on existing member’s row

Click × on role badge, then add new role

Click × on role badge (removes role only), or trash icon (removes user from team)

Notebooks → Users

Go to Invites tab

N/A (one role per user)

Remove user, then re-invite with desired role

Click trash icon (removes user from notebook)

The Three-Tier Permission Model

Fieldmark uses a role-based permissions system to control access to different functions and data. The model centres around access to resources: teams, user accounts, templates, notebooks, and the system as a whole.

Roles are assigned at three levels:

Level

Controls

System

Global access and creation rights

Team

Access within a team and its resources

Notebook

Access to specific notebooks and records

The nearby diagram shows roles at each level and how team roles automatically grant corresponding notebook access (virtual roles).

Permissions Hierarchy Diagram showing System Level (Super User, Operations Administrator, Content Creator, General User), Team Level (Team Administrator, Team Manager, Team Member (Contributor), Team Member (Creator)), and {{Notebook}} Level (Administrator, Manager, Contributor, Guest) with arrows indicating virtual role inheritance from team to {{notebook}} roles. Sidebar shows virtual role inheritance and access sources. Warning callouts highlight that Operations Administrator has no data access and Team Member (Creator) has no automatic access to existing team {{notebooks}}.

What You Can Do As An Enterprise Administrator

As IT or change management staff, you have been provisioned with:

  • Super User system role — full system control, with inherited Administrator access to all teams and notebooks

⚠️ Recommendation: For routine operations (user management, team creation), use the Operations Administrator role instead. Super User is an emergency break-glass role that also grants full access to all research data.

This means you can:

User management:

  • View all system users and their roles

  • Add or remove system roles (General User, Content Creator, Operations Administrator, Super User)

  • Reset user passwords (for non-SSO configurations)

  • Remove user accounts

Team management:

  • Create new teams

  • Access and manage all teams

  • Assign Team Administrator roles to others (only Operations Administrator or Super User can do this)

Notebook management:

  • Access and manage all notebooks

  • Edit or close any notebook regardless of ownership

Note: If you cannot perform an action described in this guide, contact your system administrator to verify your role assignments.

What Operations Administrators Can Do

The Operations Administrator role handles routine system management without access to research data:

User and team management:

  • View all system users and their roles

  • Add or remove system roles

  • Create new teams

  • Assign Team Administrator roles

Cannot do (by design):

  • Access notebooks, templates, or research data

  • The Notebooks and Templates sidebar items are hidden from this role

Note: If you need both administrative control and notebook access, you need the Super User role.

What Typical Enterprise Users Can Do By Default

During onboarding, enterprise users are typically assigned:

  • Content Creator system role — they can create notebooks and templates

  • Team Administrator of their assigned team — they have full control over their team

These roles are granted through invites created by an Operations Administrator or Super User (see “How Users Are Created” below). Once onboarded, a typical user can immediately:

  • Create notebooks (stand-alone or within their team)

  • Invite users to their team and assign team roles

  • Invite users to notebooks they administer and assign notebook roles

  • Manage and update roles for their team members

Note: Users do not have the necessary privileges to create their own teams. Teams are typically created by a Super User or Operations Administrator during onboarding, and users are assigned as Team Administrator of their team via an invite.

What ‘General users’ Can Do

The most restricted access level is General User, which can:

  • List notebooks they have access to

  • List templates they have access to

General Users have to be granted access to a notebook directly (via notebook invite) or through relevant team membership to view or use it.

Managing System Users

The Users section shows all users in the system with their email addresses and system-level roles.

How Users Are Created

In an enterprise deployment, users are created through an invite-based workflow:

  1. An Operations Administrator (or Super User) creates an invite — either a global invite for system roles (Users → Invites tab), or a team invite for team roles (Team → Invites tab)

  2. The invite is shared with the user via a code, link, or QR code

  3. The user accepts the invite and completes sign-in via Single Sign-On (SSO) — this creates their account

  4. The user’s roles are determined by the invite(s) they accepted, not auto-provisioned

You cannot manually create user accounts through the Control Centre — users must accept an invite and sign in via SSO to create their account.

Note: SSO auto-provisioning (where user accounts are automatically created on first SSO sign-in with default roles) is under development but not yet deployed. Currently, all user creation requires an invite.

Viewing Users

  1. Click Users in the left sidebar (under Management)

  2. You’ll see a table with columns:

    • Name — User’s display name

    • Email — User’s email address

    • Roles — System roles with “add” button and role badges

    • Reset Password — Not applicable for SSO deployments; password management is handled through your institution’s identity provider

    • Remove — Remove user from system

The screenshot above shows this view, with the sidebar navigation on the left and the Users table in the main content area.

Understanding System Roles

There are four system roles: General User (basic access), Content Creator (can create notebooks and templates), Operations Administrator (manage users and teams without data access), and Super User (full system control — emergency use). For detailed permissions, see Roles Reference → System-Wide Roles below.

Adding a Role to a User

  1. Find the user in the Users list

  2. In the Roles column, click the add button

  3. Select the role to add from the dropdown

  4. The new role badge appears next to any existing roles

Roles column in Users list showing the add button clicked, revealing a dropdown menu with four role options: General User, Super User, Content Creator, and Operations Administrator

Removing a Role from a User

  1. Find the user in the Users list

  2. In the Roles column, locate the role badge you want to remove

  3. Click the × in the upper-right corner of the role badge

  4. The role is removed immediately

Each role badge (visible in the Control Centre screenshot earlier) has a small × in the upper-right corner — click this to remove the role.

⚠️ Warning: Be careful when removing roles. If you remove Content Creator from a user, they will no longer be able to create notebooks globally. However, they can still create notebooks within teams where they have the Team Member (Creator), Team Manager, or Team Administrator role.

See also: Troubleshooting → Can’t Assign Team Administrator Role

Managing Global Invites

The Users page has two tabs: Users (described above) and Invites. The Invites tab lets you create invitation links that grant system-level roles to new or existing users — for example, inviting someone to become an Operations Administrator.

💡 Note: Global invites are for system-level roles only. To invite users to a specific team or notebook, use team invites or notebook invites instead (see below).

Who Can Manage Global Invites

Only users with the Operations Administrator or Super User system role can view and manage global invites.

Viewing Global Invites

  1. Click Users in the left sidebar (under Management)

  2. Click the Invites tab (next to the Users tab)

  3. You’ll see a table of active invitations with columns:

    • Name — Descriptive title for the invitation

    • Role — The system role invitees will receive (displayed as a role badge)

    • Expiry — When the invitation expires

    • Uses remaining — How many more times the invite can be used

    • Code — A short code users can enter manually (click to copy)

    • Link — A URL users can click to accept the invitation (click to copy)

    • QR Code — Click to display a scannable QR code for mobile devices

    • Remove — Delete the invitation

Users page Invites tab showing a table of global invitations with columns for Name, Role, Expiry, Uses remaining, Code, Link, QR Code, and Remove

Creating a Global Invitation

  1. Navigate to UsersInvites tab

  2. Click + Create Global Invite

  3. Configure the invitation:

    • Invite title — A descriptive name (e.g., “Operations team onboarding Q1”)

    • Role — The system role invitees will receive (General User, Content Creator, or Operations Administrator)

    • Maximum uses — How many times the invite can be used (leave empty for unlimited)

    • Invite Duration — Choose a preset duration (Quick Select) or a specific date (Custom Date); maximum 365 days

  4. Click Create Invite

Create Global Invite dialog with fields for invite title, role selection, maximum uses, and invite duration with Quick Select and Custom Date options

💡 Note: The Super User role is deliberately excluded from the role dropdown. Super User access must be granted manually through the Users tab to prevent accidental distribution of full system privileges.

Removing a Global Invite

To remove an invitation that is no longer needed, click the red trash icon in the Remove column of the Invites table. The invite link and code will immediately stop working.

See also:

  • Managing Teams → Managing Team Invites (similar process for team-level roles)

  • Managing Notebook Users → Inviting Users to a Notebook (similar process for notebook-level roles)

Managing Teams

Teams group users together and provide shared access to notebooks. When you navigate to a team, you’ll see several tabs.

Creating a Team

Only users with the Super User or Operations Administrator system role can create new teams.

  1. Click Teams in the left sidebar

  2. Click the + Create Team button

  3. Enter the team details:

    • Name — A descriptive name for the team

    • Description — Optional description of the team’s purpose

  4. Click Create team

  5. The new team appears in the Teams list

Create Team dialog showing Name field and Description field with Create team button

After creating a team, you’ll typically want to add members and assign a Team Administrator (see “Adding a User to Your Team” below).

Note: Most teams are created during initial provisioning. You’ll usually be managing existing teams rather than creating new ones.

Viewing Your Team

  1. Click Teams in the left sidebar

  2. Click on your team name (teams you administer appear in the expanded sidebar)

  3. You’ll see tabs: Details, Invites, Notebooks, Templates, Users

Team view for {{FAIMS}} showing the tab bar with Details (selected), Invites, {{Notebooks}}, Templates, and Users tabs, plus the Edit button; main panel displays team name, description, Created By (admin), and timestamps

Team Tabs Overview

Tab

Purpose

Details

Team name and description

Invites

Pending invitations to join the team

Notebooks

Notebooks associated with this team

Templates

Templates owned by this team

Users

Current team members and their roles

Viewing Team Members

  1. Navigate to your team

  2. Click the Users tab

  3. You’ll see a table with columns:

    • Name — Member’s display name

    • Email — Member’s email address

    • Roles — Team role badges with + to add roles

    • Remove — Red trash icon to remove member

Team Users tab showing member list with columns for Name, Email, Roles (displaying Team Administrator badges with × for removal and + to add roles), and Remove column with red trash icons

Understanding Team Roles

There are four team roles: Team Administrator (full control), Team Manager (manage members, create notebooks), Team Member (Contributor) (access team resources), and Team Member (Creator) (create notebooks only). Team roles automatically grant corresponding notebook access — see the permissions diagram in the Introduction or Roles Reference → Team Roles below for details.

⚠️ Important: Team Member (Creator) can create notebooks but does NOT get automatic access to existing team notebooks. This role is often used for student or citizen science projects, where it is undesirable for the user to have access to other peoples’ notebooks.

Adding a User to Your Team

  1. Navigate to your team → Users tab

  2. Click + Add user button above the table

  3. Enter the user’s email address

  4. Select their team role from the dropdown

  5. Click Add User

Add user to team dialog with User Email text field and Role dropdown showing options: Team Member (Contributor), Team Member (Creator), Team Manager, and Team Administrator

Adding a Role to an Existing Team Member

  1. Navigate to your team → Users tab

  2. Find the member in the list

  3. In the Roles column, click the + button

  4. Select the additional role

  5. The new role badge appears

Removing a Role from a Team Member

  1. Navigate to your team → Users tab

  2. Find the member in the list

  3. In the Roles column, click the × on the role badge you want to remove

Removing a Member from Your Team

  1. Navigate to your team → Users tab

  2. Find the member in the list

  3. Click the red trash icon in the Remove column

  4. Confirm removal when prompted

The screenshot in the “Viewing Team Members” section above shows the red trash icons in the Remove column.

⚠️ Warning: Removing someone from a team removes their automatic (virtual) access to ALL team notebooks. If they have direct notebook roles, that access persists until separately removed.

Managing Team Invites

The Invites tab allows you to create invitation links that users can use to join your team.

Creating a Team Invitation

  1. Navigate to your team

  2. Click the Invites tab

  3. Click + Create Team Invite

  4. Configure the invitation:

    • Invite title — A descriptive name for the invitation

    • Role — The team role new members will receive

    • Uses — How many times the invite can be used (leave empty for unlimited)

    • Expiry — When the invitation expires (see below)

  5. Click Create Invite

Create Team Invite dialog showing Role dropdown with team roles, Expiry date field, and Create Invite button

Understanding Invite Options

Option

Description

Expiry

The date/time after which the invite link no longer works. Expired invites cannot be extended — create a new one instead.

Uses remaining

Limits how many people can use this invite. Use multi-use invites for workshops or group onboarding. Leave unlimited (default) for open invitations.

Code

A short code users can enter manually

Link

A URL that users can click to accept the invitation

QR Code

Scannable code for mobile devices — useful for in-person onboarding

Viewing and Managing Invites

The Invites tab shows all active invitations with their status.

Team Invites tab showing list of pending invitations with columns for Name, Role, Expiry, Uses remaining, Code, Link, QR Code, and Remove

From here you can:

  • See how many uses remain on each invite

  • Check expiry dates

  • Remove invites that are no longer needed (click the trash icon)

See also:

  • Managing Notebook Users → Inviting Users to a Notebook (similar process)

  • Troubleshooting → Can’t Add Users to Team

  • Troubleshooting → User Has Access But Shouldn’t

Managing Notebook Users

Notebooks have their own user management, separate from teams. Users can access notebooks either through team membership (virtual roles) or direct assignment.

Viewing Notebook Users

  1. Click Notebooks in the left sidebar

{{Notebooks}} list view showing sidebar with {{Notebooks}} expanded, and main content area with table columns for Name, Team, Template, {{Notebook}} Lead, and Description

  1. Click on a notebook name

  2. Click the Users tab

  3. You’ll see a table with columns:

    • Name — User’s display name

    • Notebook Roles — Current role (display only)

    • Remove — Trash icon to remove user

{{Notebook}} Users tab showing user list with Name column, {{Notebook}} Roles column (displaying Administrator badges), and Remove column with trash icons

Notebook Tabs Overview

Tab

Purpose

Details

Notebook name, description, and metadata

Invites

Invitation links for adding users

Users

Current notebook users and their roles

Export

Export notebook data

Actions

Edit notebook, assign to team, download/replace JSON, notebook status

Understanding Notebook Roles

There are four notebook roles: Administrator (full control, can manage administrators), Manager (edit design, export, manage access), Contributor (edit others’ records), and Guest (own records only). For detailed permissions, see Roles Reference → Notebook Roles and the Permission Matrix below.

How Notebook Access Works

Users can have notebook access from two sources:

  1. Virtual roles — Automatic access from team membership (see the permissions diagram in the Introduction for the mapping)

  2. Direct roles — Explicitly assigned to this notebook via invitation

Note: Direct roles override virtual roles. If a Team Member (Contributor) is directly assigned as Guest on a specific notebook, they have Guest access to that notebook.

Inviting Users to a Notebook

Unlike Teams, you cannot add users directly to a notebook. Instead, you create invitation links that users can accept to join with a specific role.

  1. Navigate to your notebook

  2. Click the Invites tab

  3. Click + Create Invite

  4. Configure the invitation:

    • Invite title — A descriptive name for the invitation (e.g., “Field team contributor access”)

    • Role — The notebook role recipients will receive (Administrator, Manager, Contributor, or Guest)

    • Uses — How many times the invite can be used (leave empty for unlimited)

    • Expiry — When the invitation expires

  5. Click Create Invite

Create Invite dialog for a {{notebook}} showing Invite title field, Role dropdown with options (Administrator, Manager, Contributor, Guest), expiry date selection with Quick Select and Custom Date options, and Create Invite button

Once created, invitations appear in the Invites tab where you can manage them:

{{Notebook}} Invites tab showing list of active invitations with columns for Name, Role, Expiry, Uses remaining, Code, Link, QR Code, and Remove; includes + Create Invite button

The Invites tab shows:

Column

Description

Name

The invitation title/description

Role

The notebook role recipients will receive

Expiry

When the invite expires — create a new invite if one expires

Uses remaining

How many more people can use this invite

Code

Short code for manual entry

Link

Clickable URL to share

QR Code

Scannable code for mobile onboarding

Tip: Use multi-use invites with QR codes for field team onboarding sessions. Each team member can scan the same code to join with the appropriate role.

Removing a User from a Notebook

  1. Navigate to the notebook → Users tab

  2. Find the user in the list

  3. Click the trash icon in the Remove column

  4. Confirm removal

Note: Removing a direct role doesn’t remove team membership. If the user has a team role, they’ll still have virtual access through the team.

Transferring Notebook Ownership

To hand off a notebook to someone else:

  1. Go to the notebook → Invites tab

  2. Invite the new owner with Administrator role

  3. Once they accept, they have full control

  4. Optionally remove yourself via the Users tab

⚠️ Warning: Always ensure at least one Administrator remains on every notebook.

See also:

  • Troubleshooting → Can’t See a Notebook

  • Troubleshooting → Can’t Change a User’s Notebook Role

Quick Reference

When to Use Each Role

Scenario

Recommended Role

Project lead who manages everything

Team Administrator + notebook Administrator

Researcher who designs forms

Team Manager or notebook Manager

Field worker collecting data

Team Member (Contributor) or notebook Contributor

External reviewer (limited access)

Notebook Guest

Someone who creates notebooks but shouldn’t see others’ data

Team Member (Creator)

Common Scenarios

Onboarding a New Researcher (Typical Pathway)

  1. An Operations Administrator creates a new team for the researcher (Teams → + Create Team)

  2. Create a Team Administrator invite for the new team (Team → Invites tab → + Create Team Invite, selecting Team Administrator role)

  3. Send the invite link (or code/QR code) to the researcher

  4. The researcher accepts the invite and signs in via SSO — this creates their account with the Team Administrator role

  5. Optionally, add the Content Creator system role (Users → find user → add button in Roles column) so they can create notebooks outside their team

Adding an Existing User to Your Team

  1. Navigate to your team → Users tab → + Add user

  2. Enter their email and select the appropriate team role (e.g., Team Member (Contributor))

  3. They now have the corresponding virtual access to all your team’s notebooks

Alternatively, create a team invite (Team → Invites tab → + Create Team Invite) and share it with the user.

Setting Up a Project Team

  1. Create notebook(s) for the project (Notebooks → Create Notebook)

  2. Ensure notebooks are associated with your team

  3. Add team members with appropriate roles:

    • Project lead: Team Manager or Team Administrator

    • Researchers: Team Member (Contributor)

    • External collaborators: Invite directly to specific notebooks

Granting External Collaborator Access

Option A — Add to team (ongoing access):

  1. Add them to your team as Team Member (Contributor)

  2. They get virtual access to all team notebooks

Option B — Notebook only (limited scope):

  1. Go to the specific notebook → Invites tab

  2. Invite them with Contributor or Guest role

  3. They don’t need team membership

Handing Off a Project

  1. Notebook → Invites tab → Invite colleague as Administrator

  2. Verify they can access and manage the notebook

  3. Optionally remove yourself from the Users tab

Off-boarding: Removing All Access

  1. Remove from notebooks (if they have direct roles):

    • Navigate to each notebook → Users tab → trash icon

  2. Remove from team:

    • Navigate to team → Users tab → red trash icon

  3. Note: You cannot revoke system roles — contact a system administrator (Super User or Operations Administrator)

Roles Reference

System-Wide Roles

Role

Description

Typical User

General User

View assigned resources, manage own tokens

Rarely used alone

Content Creator

Create notebooks and templates globally

Researchers, project managers

Operations Administrator

Manage users, teams, and system operations (no data access)

IT operations staff

Super User

Full system control, all data access (emergency use)

IT administrators

Team Roles

Role

Permissions

Virtual Notebook Role

Team Administrator

Full team control

Administrator

Team Manager

Manage members, create notebooks

Manager

Team Member (Contributor)

Access team resources

Contributor

Team Member (Creator)

Create notebooks only

None (no access to other team notebooks)

⚠️ Key restriction: Only Operations Administrator or Super User can assign Team Administrator role. Team Member (Creator) cannot see other team notebooks — they must be explicitly invited.

Notebook Roles

Role

Permissions

Project Admin

Full control, manage administrators

Project Manager

Edit design, close notebook, export, manage invites/access

Project Contributor

Edit others’ records (plus all Guest permissions)

Project Guest

Activate notebook, create records, view/edit/delete own records

Permission Matrix — Notebooks

Action

Guest

Contributor

Manager

Administrator

Create records

View/edit/delete own records

View all records

Edit/delete others’ records

Export own data

Export all notebook data

Edit notebook design

Close/reopen notebook

Reassign to different team

Manage invites and users

Manage administrators

Permission Matrix — Teams

Action

Member

Member Creator

Manager

Admin

View team details and members

View team templates

Access team notebooks (virtual role)

Create notebooks in team

Create templates in team

Edit team details

Add/remove team members

Manage team invites

Add/remove team managers

Add team admins

Operations Administrator or Super User only

Delete team

⚠️ Note: Team Member (Creator) can create notebooks but does NOT automatically get access to existing team notebooks. This is by design for teaching environments where students create isolated notebooks.

Virtual roles: Team Member (Contributor) automatically receives Contributor access to team notebooks. Team Manager automatically receives Manager access. Team Administrator inherits Manager’s virtual role. Team Member (Creator) receives no virtual notebook access.

Troubleshooting

Can’t See a Notebook

Possible causes:

  • Not a member of the team that owns the notebook

  • Team role is Team Member (Creator) — doesn’t grant automatic access

  • Not directly invited to the notebook

Solution: Check team membership and role. Add direct notebook access via Invites tab if needed.

Can’t Edit Notebook Structure

Cause: Missing Manager or Administrator role on the notebook.

Solution: Have a notebook Administrator invite you with Manager or Administrator role.

Can’t Add Users to Team

Cause: Missing Team Manager or Team Administrator role.

Solution: Have a Team Administrator elevate your team role.

Can’t Assign Team Administrator Role

Cause: Only Operations Administrator or Super User can assign Team Administrator roles.

Solution: Contact an Operations Administrator or Super User to assign the Team Administrator role.

User Has Access But Shouldn’t

Cause: User may have both direct and virtual (team-based) roles.

Solution: Check both:

  1. Direct notebook roles (Notebook → Users tab)

  2. Team membership (Team → Users tab)

Remove from both locations if needed.

Can’t Change a User’s Notebook Role

Note: The Notebook Users tab only displays roles — you cannot edit them there.

Solution: Remove the user (trash icon), then re-invite via the Invites tab with the new role.

Further Resources

Guide Version: 1.8 Last Updated: 2026-02-24