Users and access
Users are individual people who sign in through WorkOS-backed authentication, including SSO where your identity provider requires it. This page connects authentication to authorization: how users are invited, which tenant they belong to, and how roles plus optional RBAC overrides determine what they can see and change.
Security-minded admins and IT owners should use this alongside the access-control guides when rolling out DonorIntel next to existing IdP groups and policies.
Overview
Section titled “Overview”A user may belong to one or more tenants over time, but permissions are always evaluated in the context of a single tenant session—there is no accidental cross-org leakage. Invitations bind an email identity to a tenant with an initial role, after which ongoing changes are managed by administrators and reflected in activity logs.
When stewardship or compliance demands exceptions (“this coordinator may view restricted funds”), permission overrides layer on top of baseline roles without turning everyone into a super-admin. The result is access you can explain: default posture from the role, documented exceptions where needed.