Members

Users belong to workspaces as members, with roles that dictate their access levels.

Listing Members

Members are listed in the dashboard settings area. The listMembers query in packages/backend/convex/members.ts fetches the member list.

Because Better Auth owns the member table, this query calls the Better Auth API (organizationApi.listMembers) under the hood and normalizes the results for the frontend.

Updating Roles

Admins and Owners can update member roles using the updateMemberRole mutation.

Resource Policies

Role updates are protected by resource policies:

  • cannotModifyOwnerUnlessOwner: Ensures an Admin cannot demote an Owner or elevate someone else to Owner. Only Owners can manage Owners.

Step-Up Verification

Changing a member's role is a Level 3 sensitive action. The user performing the change must either verify their identity (password, email code, or TOTP) or already have a fresh session.

Removing Members

Admins and Owners can remove members using the removeMember mutation.

Resource Policies

Member removal is protected by:

  • cannotRemoveLastOwner: Prevents removing an Owner if they are the only Owner left in the workspace. This prevents orphaned workspaces.

Step-Up Verification

Removing a member is a Level 2 sensitive action. However, the system enforces a step-up escalation pattern:

If you are removing a member with an elevated role (Admin or Owner), the action temporarily escalates to Level 3, requiring explicit verification. Removing a standard Member or Viewer remains Level 2.
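
The following sketch is an added example, not the project's own code. It shows how the two resource policies and the removal escalation rule combine into one authorization decision, applying to each mutation only the policies this page lists for it. The policy names come from this page; the function signatures, the Role and Decision types, and the sample workspace are assumptions.

```typescript
// Added illustration: policy names are from the page; signatures, the Role
// type and the sample workspace are assumptions, not the project's code.
type Role = "owner" | "admin" | "member" | "viewer";
type Member = { id: string; role: Role };
type Decision = { allowed: boolean; reason?: string; stepUpLevel?: 2 | 3 };

// True for the elevated roles (Admin or Owner).
const canManage = (m: Member) => m.role === "owner" || m.role === "admin";

// Only Owners can manage Owners: an Admin may neither demote an Owner
// nor elevate someone to Owner. Returns a violation message or null.
function cannotModifyOwnerUnlessOwner(actor: Member, target: Member, newRole: Role): string | null {
  const touchesOwner = target.role === "owner" || newRole === "owner";
  return touchesOwner && actor.role !== "owner" ? "only Owners can manage Owners" : null;
}

// Removing the only remaining Owner would orphan the workspace.
function cannotRemoveLastOwner(members: Member[], target: Member): string | null {
  if (target.role !== "owner") return null;
  const otherOwners = members.filter((m) => m.role === "owner" && m.id !== target.id);
  return otherOwners.length === 0 ? "cannot remove the last Owner" : null;
}

// Role changes are always Level 3.
function authorizeRoleChange(actor: Member, target: Member, newRole: Role): Decision {
  if (!canManage(actor)) return { allowed: false, reason: "requires Admin or Owner" };
  const violation = cannotModifyOwnerUnlessOwner(actor, target, newRole);
  return violation ? { allowed: false, reason: violation } : { allowed: true, stepUpLevel: 3 };
}

// Removal is Level 2, escalating to Level 3 when the target is an Admin or Owner.
function authorizeRemoval(actor: Member, target: Member, members: Member[]): Decision {
  if (!canManage(actor)) return { allowed: false, reason: "requires Admin or Owner" };
  const violation = cannotRemoveLastOwner(members, target);
  if (violation) return { allowed: false, reason: violation };
  return { allowed: true, stepUpLevel: canManage(target) ? 3 : 2 };
}

// Constructed sample workspace.
const owner: Member = { id: "u1", role: "owner" };
const admin: Member = { id: "u2", role: "admin" };
const viewer: Member = { id: "u3", role: "viewer" };
const workspace = [owner, admin, viewer];

console.log(authorizeRoleChange(admin, viewer, "owner")); // denied by policy
console.log(authorizeRemoval(owner, admin, workspace));   // allowed, Level 3
console.log(authorizeRemoval(admin, viewer, workspace));  // allowed, Level 2
console.log(authorizeRemoval(admin, owner, workspace));   // denied: last Owner
```

The policy check runs before the step-up level is computed, so a denied request never prompts the user for verification.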

Member Management Toggle

If your product doesn't need team collaboration, member management can be disabled entirely by setting allowMemberManagement: false in packages/backend/convex/organizations/config.ts.
