The Users page in the Policyholder Portal admin console controls who from your team can sign in to client.briteapps.com, what they can change, and what they can see. Only Super Admins can add, remove, or change other users.
The three roles
| Role | Can do | Cannot do |
|---|---|---|
| Super Admin | Everything: edit branding/content/templates/settings, manage users, promote dev → prod, view audit log | — |
| Admin | Edit branding/content/templates/settings, view audit log | Manage users, promote dev → prod (must request from a Super Admin) |
| Read-only | View any page in admin, view audit log | Edit anything |
Recommendation: Keep the Super Admin count small — typically 2 to 4 people. Day-to-day editors should be Admin. Your CSR leadership and analytics folks usually fit Read-only.
Inviting a new admin
- Open Users in the left sidebar.
- Click Invite admin in the top right.
- Fill in:
  - First name and Last name
  - Work email — must be a real, monitored mailbox; this is also their sign-in identifier.
  - Role — Super Admin / Admin / Read-only.
  - Environment access — Dev only, Production only, or Both. Most editors get Both; auditors and analysts often get Production only.
- Click Send invite.
- The invitee receives an email within 60 seconds containing a sign-in link and a temporary password. The link expires in 7 days.
Resending or revoking an invitation
If the invite hasn't been accepted yet:
- Resend — open the Users page, find the user (status: Pending), click the row, then click Resend invite. A new 7-day link is sent; the old one is invalidated.
- Revoke — same row, click Revoke invitation. The user can no longer use the link.
Changing a user's role
- Open Users, click the user's row.
- Click Edit user.
- Change Role and/or Environment access.
- Click Save. The change is immediate. The user is signed out of any active session and must sign in again to pick up the new role.
Deactivating a user
When someone leaves the company or no longer needs access:
- Open Users, click the user's row.
- Click Deactivate.
- Confirm. The user is signed out of any active session and can no longer sign in.
Best practice: Deactivate, don't delete. A deactivated user remains in the Audit Log so you can still see what they changed historically. Deletion is permanent and erases the audit trail for that user.
If you must delete (e.g., GDPR-style data subject request):
- Deactivate first.
- Click Delete user permanently, which appears below the deactivation banner after a 7-day cooling period.
- Confirm with your Super Admin password.
Resetting another admin's password
Super Admins can reset any other admin's password:
- Open Users, click the user's row.
- Click Send password reset.
- The user receives an email with a one-time reset link valid for 60 minutes.
If the user has lost their MFA device, click Reset MFA in the same row. They will be prompted to set up MFA again at next sign-in.
Multi-factor authentication
MFA is optional but strongly recommended for all admin users. To enforce MFA org-wide:
- Open Settings > Authentication.
- Toggle Require MFA for admins to On.
- Existing users without MFA will be required to enroll the next time they sign in.
Supported MFA methods: TOTP (Google Authenticator, Authy, 1Password, etc.) and platform authenticators (Touch ID, Face ID, Windows Hello).
SMS-based MFA is not supported for admin accounts, for security reasons.
The Audit Log
Every admin action is recorded:
- Who (user email)
- What (page + field changed, with before/after values)
- When (timestamp in your local timezone)
- Where (IP address)
To open: Audit Log in the sidebar. Filter by user, date range, or section (Settings, Content, Templates, etc.). Export to CSV for your compliance team — useful during SOC 2 audits.
BriteCore staff impersonation
Occasionally a BriteCore Implementation Manager or Support engineer will need to "switch into" your environment to assist with a case. When they do:
- Their action is recorded in your Audit Log under their BriteCore email (e.g., support+rmoore@britecore.com).
- A banner appears at the top of every page they visit while impersonating.
- The session ends automatically after 60 minutes or when they sign out.
If you ever see an impersonation entry you didn't request, contact BriteCore Support immediately.
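One way to review an Audit Log CSV export for impersonation entries you didn't request is sketched below. This is an added example, not BriteCore code. The column names, the ISO timestamp format, and the sample rows are assumptions constructed for illustration; the list of requested support windows comes from your own ticket records.

```python
import csv
import io
from datetime import datetime

STAFF_DOMAIN = "britecore.com"  # domain of the staff address shown on this page

# Constructed sample export. Column names and timestamp format are assumptions;
# match them to the header row of your real CSV export.
SAMPLE_CSV = """user_email,timestamp,ip_address,section,field,before,after
jane@example-insurer.test,2024-03-04T09:12:00,203.0.113.10,Content,banner_text,Hi,Hello
support+rmoore@britecore.com,2024-03-04T10:05:00,198.51.100.7,Settings,lockout_minutes,15,30
support+rmoore@britecore.com,2024-03-04T10:20:00,198.51.100.7,Templates,welcome_email,v1,v2
support+rmoore@britecore.com,2024-03-09T23:41:00,198.51.100.7,Settings,require_mfa,On,Off
"""

def is_staff(email):
    """True only for an exact domain match, so look-alike domains are not trusted."""
    _, at, domain = email.strip().lower().rpartition("@")
    return bool(at) and domain == STAFF_DOMAIN

def unrequested_staff_entries(csv_text, requested_windows):
    """Return staff rows whose timestamp falls outside every requested window.

    requested_windows: list of (start, end) datetimes for the support cases
    you opened (hypothetical input, taken from your own ticket records).
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_staff(row["user_email"]):
            continue
        when = datetime.fromisoformat(row["timestamp"])
        if not any(start <= when <= end for start, end in requested_windows):
            flagged.append(row)
    return flagged

if __name__ == "__main__":
    windows = [(datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 0))]
    for r in unrequested_staff_entries(SAMPLE_CSV, windows):
        print(r["timestamp"], r["user_email"], r["ip_address"],
              r["section"], r["field"], r["before"], "->", r["after"])
```

Each flagged row keeps the who, what, when, and where fields, so it can be attached as-is when you contact BriteCore Support.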
Quotas and limits
| Limit | Default | How to raise |
|---|---|---|
| Admin users per environment | Unlimited | — |
| Concurrent active sessions per user | 5 | Contact Support |
| Failed sign-in attempts before lockout | 5 | Settings > Authentication |
| Lockout duration | 15 min | Settings > Authentication |