Invite team members and roles

Owner, deputy, manager, member, viewer, freelancer. What each role can see and do, custom permissions, and how to remove access cleanly.

Last updated 2026-05-09

You can run SellStein solo. You probably shouldn't. Here's how to add the rest of the team without giving them access to your bank account.

Employees → Invite

Go to Employees, click Invite, type their email, pick a role, send. They get a magic link, set a password, and they're in. No app installs or SSO setup needed (though we support both: Settings → Security → SSO).

The roles

  • Owner. You. Full access to everything including billing and data export. There can be more than one owner if you have a co-founder, but be sure
  • Deputy. Owner without the billing/danger-zone access. Can do almost everything else: products, orders, customers, marketing, fulfilment. Most second-in-command roles fit here
  • Manager. Operations focus. Orders, products, customers, support tickets. Cannot change platform settings or invite new staff
  • Member. Day-to-day staff. Fulfil orders, edit products, respond to customer messages. No analytics, no settings
  • Viewer. Read-only. Useful for accountants, investors, advisors who need to see numbers but not touch them
  • Freelancer. Scoped to a single project (a campaign, a migration, a website redesign). Auto-expires when you mark the project closed

Custom permissions

If the preset roles don't fit, click any role → Customise. The permission tree shows every action in the app. Toggle on what they need, off what they don't. Save as a new custom role and re-use it.

The most common custom roles we see:

  • "Designer". Products, storefront, files, but no orders or customers
  • "Customer success". Customers, support tickets, orders read-only, no edits
  • "Bookkeeper". Invoices, payouts, exports, viewer everywhere else

Removing access

Employees → click the person → Remove access. Their session is killed within 30 seconds across all devices. Their actions stay in the audit log forever. If they had 2FA enabled, their backup codes are also invalidated.

For a hard exit (you're firing someone), do this BEFORE telling them. Removing access in the middle of a tense conversation is awkward; doing it after they walk out the door is worse.

What "see" actually means

A role gates what shows up in the sidebar AND what API calls succeed. We never rely on the frontend hiding things. Every API endpoint re-checks the permission server-side. If you grant a custom role only "products:read", they cannot create a product even if they curl our API directly.
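
The server-side check described above, as an added sketch (not SellStein's code): every handler is wrapped in a permission check, so a role holding only "products:read" is refused on create however the request is sent. Every name other than "products:read" is an assumption.

```python
from functools import wraps

# Constructed data. Only "products:read" comes from the page; the other
# permission names, role names and user ids are assumptions.
ROLE_PERMISSIONS = {
    "catalogue-reader": {"products:read"},
    "member": {"products:read", "products:create"},
}
USER_ROLES = {"alice": "catalogue-reader", "bob": "member"}
PRODUCTS = [{"name": "Mug"}]


class Forbidden(Exception):
    """A real service would translate this into HTTP 403."""


def require(permission):
    """Re-check `permission` on the server every time the handler is called."""
    def decorator(handler):
        @wraps(handler)
        def guarded(user_id, *args):
            # Role is looked up server-side from the authenticated user id,
            # never taken from anything the client sends.
            role = USER_ROLES.get(user_id)
            # Unknown user or unknown role yields an empty set: deny by default.
            if permission not in ROLE_PERMISSIONS.get(role, set()):
                raise Forbidden(f"{user_id!r} lacks {permission}")
            return handler(user_id, *args)
        return guarded
    return decorator


@require("products:read")
def list_products(user_id):
    return list(PRODUCTS)


@require("products:create")
def create_product(user_id, product):
    PRODUCTS.append(product)
    return len(PRODUCTS)


def status(handler, *args):
    """HTTP-style status code the call would produce."""
    try:
        handler(*args)
        return 200
    except Forbidden:
        return 403
```

Deleting a user's entry from the role table makes their very next call fail, which is the property a clean access removal relies on.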
