Role assignment and rotation
Assigning a role is easy. Keeping access current through years of team turnover is what separates a well-run church from one with 12 ex-volunteers still able to see donations.
When to assign a role
Assign the role when the person actually needs the function. Don’t assign “so they have access” without a use case. Unused access is security debt.
When to rotate a role
| Event | Action |
|---|---|
| Job change | Change the role before day one of the new job. |
| Leaves the team | Deactivate the same day. |
| Sabbatical | Deactivate temporarily; reactivate on return. |
| Promotion to admin | Add the new role, keep the old one for 1 month transition. |
| Campus change | Replace the scope, don’t add a new scope. |
Never delete, deactivate
Deleting a user removes auditability. Use Deactivate: the user loses access but their action history is intact. If they return to the church, reactivation loses nothing.
Quarterly audit
Each quarter, run this list in Settings → Team → Audit:
- Filter by users with no activity in 90 days.
- For each, decide: are they really still active?
- Deactivate the inactives.
- Filter by role
org_adminandfinance. Confirm no more than 2-3 people in each. - Review assignments scoped “all campuses” — are they justified?
Off-boarding template
When someone leaves the team:
1. Deactivate user in Settings → Team
2. If session is active, force logout (button next to Deactivate)
3. If org_admin, promote someone else BEFORE deactivating
4. If they had 2FA via app, remind them to uninstall from personal phone
5. Notify the team (optional but recommended)On-boarding template
1. Invite with the minimum role needed
2. Sit with them through the first session (15 min)
3. If they need more permissions, raise them one at a time, not all at once
4. Verify 2FA is active by the end of the weekWho can see role history?
Any org_admin. Go to the user’s profile → Role history. You see every change: who made it, when, and why (if documented).
Last updated on