All use-cases

Use-case — User & Access

Team & role provisioning

Invite teammates with scoped roles; capability matrix gates who can read, write, and report.

One automatic gate, then a clean role-scoped handoff.

The invite button is hidden before the gate fires — only actors whose role is in inviteRoles ever see it. Once the invite is sent, a single audit row is written, and when the invitee accepts, the RLS guard enforces their scoped capability matrix from that moment onward.

Mail = email sent Bell = in-app alert Amber diamond = automatic check
Admin opens Team workspace settings canInvite(actor)? role in inviteRoles yes Pick email + role admin / manager / member / viewer generateInvite invite email + audit row Invitee accepts token redeemed Role-scoped access applied RLS guard enforced Admin notified member joined alert no Invite hidden / blocked role not in inviteRoles
app/team
Live demo

recording from the demo site — coming soon

Roles are enforced before the invite button appears. The canInvite gate hides or blocks the action if the actor's role is not in inviteRoles; otherwise an invite email goes out, one audit row is written, and when the invitee accepts, the capability matrix takes effect immediately via RLS.