Managing Users

Full Fabric provides a complete set of tools for managing staff accounts — from creating and inviting new team members to suspending and reactivating them. All user management actions are available under Settings > Staff and require the authorization.users_change feature.

Creating Staff

To add a new staff member, navigate to Settings > Staff and click Add Staff.

Required Fields

Field	Description
First name	Staff member's given name
Last name	Staff member's surname
Email	Must be unique across the institution. Used for login and notifications.
Role(s)	One or more roles to assign (e.g., `staff::admissions`, a custom role)

Optional Fields

Field	Description
Access from	Date when the account becomes active. If set in the future, the invitation is deferred.
Access until	Date when the account is automatically suspended.

What Happens on Create

A new profile is created with a user::inactive base role.
The selected staff role(s) are added to the profile.
A confirmation token is generated (valid for 48 hours).
If access_from is not set or is in the past, an invitation email is sent immediately with a link to set a password and activate the account.
If access_from is in the future, the invitation is deferred — see Deferred invitations below.

Invitation Flow

When a staff member is created, Full Fabric sends an email containing a confirmation link (/confirm/{token}). Clicking the link takes the user to a page where they set their password and activate their account.

Deferred Invitations

When access_from is set to a future date, the invitation email is not sent at creation time. Instead:

The profile is created in an inactive state.
A background service runs periodically and checks for profiles whose access_from date has arrived.
When the date arrives, the profile is automatically activated and the invitation email is sent.

This is useful for onboarding staff who will start on a specific date — visiting lecturers, seasonal admissions officers, or new hires with a known start date.

Resending Invitations

If the original invitation has expired or the staff member did not receive it, administrators can resend the invitation from the staff member's profile. This generates a new confirmation token and sends a fresh email.

Account Actions

Activate

Activating a profile sets all user roles to user::active. The staff member can log in and access the platform according to their assigned features and data access scopes.

If the email has not been verified, an email verification token is created and a verification email is sent.
Records activated_at for audit purposes.

Suspend

Suspending a profile sets all user roles to user::suspended. The staff member is immediately logged out and cannot log in again until reactivated.

The session token is reset, forcing an immediate logout.
Records suspended_at for audit purposes.
The profile and its data are preserved — suspension is reversible.

Reactivate

Reactivating a suspended profile restores it to user::active. The staff member can log in again with their existing credentials.

stateDiagram-v2
    [*] --> inactive: Created
    inactive --> active: Activated / invited
    active --> suspended: Admin suspends / access expired
    suspended --> active: Admin reactivates

    state "user::inactive" as inactive
    state "user::active" as active
    state "user::suspended" as suspended

Access Windows

Access windows let you control when a staff member can access the platform, using two optional date fields on the profile.

Field	Effect
`access_from`	The account is kept inactive until this date. Once reached, the account is automatically activated and the invitation email is sent.
`access_until`	The account is automatically suspended after this date. The staff member is logged out.

Enforcement

Access windows are enforced in two places:

On save — if a profile is active but access_from is in the future, it is immediately inactivated. If access_until is in the past, it is immediately suspended.
By background service — a periodic job activates profiles whose access_from has arrived and suspends profiles whose access_until has passed. This handles cases where no save occurs around the boundary time.

Use Cases

Visiting lecturers — set access_from and access_until to match their teaching term.
Seasonal admissions staff — grant access only during the admissions cycle.
New hires — set access_from to their start date so they receive their invitation at the right time.

Exporting Staff

Administrators can export the staff list as a CSV file from Settings > Staff. The export includes profile data filtered by the schema field visibility rules that apply to the current user's permissions.

Required Permissions

All staff management actions require the authorization.users_change feature. This feature is included by default in admin roles and can be added to custom staff roles via role configuration.

Action	Required feature
Create staff	`authorization.users_change`
Send / resend invitation	`authorization.users_change`
Activate, suspend, reactivate	`authorization.users_change`
Export staff list	`authorization.users_change`

User Types & Roles

Managing Roles & Teams