> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User Management

> User management controls who can access Arcus, which entities they can enter, what role they have in each entity, whether they are limited to certain locations, and how admins respond to access or MFA problems.

## Which User Page Should I Use?

Arcus has two user surfaces because organization access and entity access are different jobs.

* **Settings > Users**: a handoff card that sends you to the dedicated User Management area.
* **Organization Users**: invite users, assign them to one or more entities, edit entity memberships, resend or revoke pending invitations, remove users from the organization, and reset another user's MFA.
* **Entity Team**: manage users already inside the active entity, edit their role in that entity, set or reset PIN lock, limit location access, upload photos, and tune custom permissions.
* **Roles and Permissions**: review system roles, duplicate a role, create custom roles, and choose exact permission keys.
* **Role Coverage Report**: audit effective permissions across active users.

<Frame caption={"Organization Users is the best place to invite people and manage multi-entity access."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/organization-users.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=29687803a8071fc8006cdb43b52e3835" alt="Organization Users page with user list, entity memberships, role chips, status, actions, search, and pending invitations" width="1640" height="980" data-path="images/support/screenshots/admin-access/organization-users.png" />
</Frame>

<Warning>
  **Access changes are security-sensitive**
  Before granting admin, accounting, role management, settings, or audit permissions,
  confirm the user needs that access for their job. Remove access promptly when a person
  changes roles or leaves the company.
</Warning>

## Invite a User

1. Open **Admin**, then **Organization**.
2. Choose **Users**.
3. Select **Invite User**.
4. Enter the user's email address.
5. Choose the starting role.
6. Select every entity the user should access.
7. Optionally expand **Location Access** to restrict the user to specific warehouses.
8. Optionally expand **Custom Permissions** for advanced overrides.
9. Send the invitation.

<Frame caption={"Invites can assign one role across selected entities and can optionally restrict locations or override role defaults."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/invite-user.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=729f818c7362dbe993e68aa578fe89e9" alt="Invite User modal with email, role, entities, optional location access, optional custom permissions, and Send Invitation button" width="980" height="980" data-path="images/support/screenshots/admin-access/invite-user.png" />
</Frame>

<Tip>
  **Use the simplest role that works**
  Start with the closest standard role. Use location restrictions and custom permissions
  only when a standard role is too broad or too narrow.
</Tip>

The invite form has these boundaries:

* **Email Address** is required.
* **Role** is required. Owner is hidden unless your own access allows assigning Owner.
* **Entities** is required. At least one entity must be selected.
* **Location Access** is optional. Leave it unset for unrestricted location access.
* **Custom Permissions** is optional and advanced. Leave it closed to inherit role defaults.
* The invitee enters their own first name, last name, and password when accepting the invitation.

## Pending Invitations

Pending invitations stay visible on the Organization Users page until they are accepted,
revoked, or expired. Use the pending table when someone says they did not receive the invite
or when the wrong role or entity was selected.

* **Resend**: sends the invite again without creating a duplicate user.
* **Revoke**: cancels a pending invite so the link can no longer be used.
* **Expired**: the invite is no longer usable. Send a new invite if the user still needs access.

<Note>
  **Invitation delivery is outside the app after send**
  If Arcus shows a pending invite and email delivery logs show the message was accepted,
  the remaining troubleshooting is usually mailbox filtering, security quarantine, or a
  typo in the email address. Revoke the bad invite before sending a corrected one.
</Note>

## Change a User's Entity Role

A user can have different roles in different entities. For example, a person may be an
admin in a sandbox entity and a viewer in production.

1. Open **Organization Users**.
2. Find the user.
3. In the Entities column, click the role next to the entity code.
4. Select the new role.
5. Save the inline edit.
   Only users allowed to assign owner-level access can choose the Owner role. If you do not
   see Owner as an option, your own access does not allow that assignment.

## Manage Access Across Entities

Use **Manage Access** on Organization Users when a person already has an account and you need
to add or remove entity memberships after the original invitation.

* **Add** gives the user access to another entity with the Staff role by default.
* **Role** changes save immediately for the selected entity.
* **Locations** opens a per-entity location picker. Leave all unchecked for unrestricted access.
* **Remove** removes that entity membership and clears that entity's location assignments.
* **Self-edits** are limited so admins do not lock themselves out. Ask another owner or admin to edit your own role, entity membership, or location access.
* **Organization owner self-grant** may appear for the organization owner on entities they do not yet belong to. It requires a reason and is audit-logged as a high-trust action.

## Use Entity Team for Day-to-Day Access Changes

Entity Team focuses on the active entity. Use it when the person is already a member of
the entity and you need to edit their day-to-day access or shared-workstation setup.

<Frame caption={"Entity Team is where admins manage role, PIN, photo, active status, and entity-specific access for current members."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/entity-team.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=2e07cca404980f36e2d425509bc0ff55" alt="Entity Team page with users, roles, PIN status, last activity, active toggle, and edit actions" width="1640" height="980" data-path="images/support/screenshots/admin-access/entity-team.png" />
</Frame>

* **Edit**: update the user's name, role, location access, and custom permissions in the active entity.
* **PIN**: set or reset a 4 to 6 digit lock-screen PIN for shared workstation use.
* **Active**: deactivate or reactivate the user's access in the active entity.
* **Remove**: remove the user from the active entity without deleting their organization account.
* **Photo**: upload a profile photo used in user lists and operational surfaces.

<Frame caption={"The Edit User modal is where role defaults can be narrowed by location access or tuned with custom permissions."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/entity-team-edit.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=f88db60d833b5ac0b48c5f4f8c3cbe10" alt="Edit User modal with role picker, PIN lock toggle, location access, and custom permissions controls" width="980" height="980" data-path="images/support/screenshots/admin-access/entity-team-edit.png" />
</Frame>

<Warning>
  **Do not edit your own safety-critical access**
  Arcus blocks or limits some self-edits, such as changing your own location access. Use a
  second trusted admin for changes that could lock you out or weaken separation of duties.
</Warning>

Entity Team has additional guardrails:

* Email is shown in the edit modal but is not editable there.
* Only owners can modify other owners.
* You cannot deactivate your own account.
* Non-owners cannot deactivate owner accounts.
* Location assignment changes are skipped when you are editing yourself.

## Location Access

Location access limits where a user can work. It is useful for warehouse, fulfillment,
inventory, receiving, and location-specific operations.

* Leave location access unset when the user should see all locations in the entity.
* Select locations when the user should only work from certain warehouses or stores.
* Review location restrictions after adding a new warehouse or changing a user's job.
* If a user cannot see expected inventory or fulfillment work, check their location access before assuming the record is missing.

## Custom Permissions

Roles provide defaults. Custom permissions override those defaults for edge cases.
Use them sparingly because one-off overrides are harder to audit than standard roles.

* Use custom permissions to grant one specific ability without upgrading the whole role.
* Remove custom overrides when the user moves into a standard job role.
* Review high-risk permissions for accounting, settings, users, roles, audit, payments, returns overrides, and inventory overrides.
* Use the Role Coverage Report when you need to inspect effective permissions across users.

## Roles and Permissions

Standard system roles are locked. If a system role is close but not exact, duplicate it
and create a custom role instead of editing the system role.

<Frame caption={"System roles are locked. Duplicate a system role when you need a custom version for your business."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/roles-list.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=fc9511a9d02930d9ab538eac541df4fa" alt="Roles and Permissions page with system roles, custom roles, permission counts, assigned users, duplicate and edit actions" width="1640" height="980" data-path="images/support/screenshots/admin-access/roles-list.png" />
</Frame>

1. Open **Admin**, then **Roles**.
2. Review the role list, permission count, and assigned users.
3. Choose **Duplicate** on a system role or **Create custom role**.
4. Name the role clearly, such as Shipping Lead or AP Clerk.
5. Select only the permission groups required for that job.
6. Save the role, then assign it from Organization Users or Entity Team.

<Frame caption={"The role editor groups permissions so admins can build a role around the work the user actually performs."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/role-editor.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=139f29b73b453a9e83b98c6984fcc654" alt="Create custom role page with name, description, grouped permission checkboxes, and Save role button" width="1640" height="980" data-path="images/support/screenshots/admin-access/role-editor.png" />
</Frame>

## Role Coverage Report

The Role Coverage Report shows effective permissions per active user. Use it during
onboarding reviews, offboarding checks, and security audits.

<Frame caption={"Role Coverage helps admins inspect who has each permission after role defaults and overrides are applied."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/role-coverage.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=4938bb0d19d68be839c2ce9fe9db0dfb" alt="Role Coverage Report page showing users, roles, and effective permission columns" width="1640" height="980" data-path="images/support/screenshots/admin-access/role-coverage.png" />
</Frame>

## Reset a User's MFA

Organization admins can reset another user's MFA when the user has lost access to their
authenticator or recovery codes. This clears their authenticator app and recovery codes,
then requires them to enroll again at next sign-in.

1. Open **Organization Users**.
2. Find the active user.
3. Choose **Reset MFA**.
4. Read the warning carefully.
5. Type the required confirmation phrase exactly.
6. Enter the reason for the reset.
7. Confirm the reset.

The reset clears the user's authenticator app enrollment and all recovery codes. The
reason is required for the audit log, and the user is notified by email. They must enroll
a new MFA factor on their next sign-in before continuing.

<Warning>
  **Verify the person before resetting MFA**
  Reset MFA only after confirming the user's identity through your internal process.
  The reason is kept for audit review, so write a useful business reason.
</Warning>

## Remove or Deactivate Access

Choose the smallest removal that matches the situation.

* **Deactivate in Entity Team**: turns off access in the active entity while preserving the user record.
* **Remove from entity**: removes one entity membership but keeps the user in the organization.
* **Remove from organization**: removes organization access across entities and should be used for offboarding.
* **Revoke pending invite**: cancels access before the user accepts the invite.

<Tip>
  **Offboarding checklist**
  Remove organization access, revoke pending invites, review custom permissions, check API keys,
  confirm active sessions are no longer usable, and review audit entries for the user's recent activity.
</Tip>

## Common Blocks

* **User did not receive invite**: confirm the email address, resend once, then check mailbox filtering or security quarantine.
* **Owner role is not available**: only users with owner-level authority can assign owner access.
* **User cannot see a location**: review Entity Team location access.
* **User cannot perform an action**: check their role, custom permission overrides, and the Role Coverage Report.
* **User cannot sign in after MFA reset**: have them complete the required MFA enrollment flow at next sign-in.
* **Admin cannot edit another owner**: owner-level users must be changed by another owner.

## Related Articles

<CardGroup cols={2}>
  <Card title="Profile and Security" href="/support/settings/profile-security">
    Manage profile details, PIN lock, MFA, security keys, and recovery options.
  </Card>

  <Card title="Company Setup" href="/support/settings/company-setup">
    Configure business profile, environment, branding, locations, and the workflow impact of company defaults.
  </Card>

  <Card title="Settings Overview" href="/support/settings/overview">
    Understand the admin surfaces, settings groups, and workflow impact areas.
  </Card>

  <Card title="Email Log and Account Communications" href="/support/communications/email-log">
    Use the email log, preview/resend tools, and account communication preferences.
  </Card>

  <Card title="Fulfillment Station" href="/support/fulfillment/station">
    Operate the station view for picking, packing, and shipping.
  </Card>
</CardGroup>
