Adding staff

Settings → Members → "Add a staff member": enter the email + pick a role, click Add.

Staff don't need an existing Frank account. If the email isn't already a Frank user, Frank creates the account on the fly with a random password and emails the new staff member a "set your password" link. They click, set a password, log in, and land at /practice.

Roles

Four roles. Each grants a specific set of permissions — the matrix is enforced server-side, and the UI hides actions a member can't perform.

• Principal — full access. The practice owner is auto-added with this role and can't be demoted via the UI.
• Senior — full client tax work (send BAS for sign-off, mark lodged, send engagement letters, manage templates and tags, invite/revoke clients) but no staff management or branding/domain changes.
• Staff — read-only across the practice surface plus messaging and notes. Can't send BAS or engagement letters, can't invite or revoke clients.
• Admin — practice administration: invite/revoke/remove clients, manage staff (add/remove, but only the principal can change roles), edit branding, custom domain, tags, templates. Cannot send BAS for sign-off or mark BAS lodged — that's reserved for tax-qualified roles.

Permission matrix (X = granted):

| Capability | Principal | Senior | Staff | Admin | |-----------------------------------|:---------:|:------:|:-----:|:-----:| | View clients / workflow / messages | X | X | X | X | | Send messages, add notes | X | X | X | X | | Invite clients | X | X | | X | | Revoke clients | X | X | | X | | Permanently delete client | X | | | | | Send BAS for sign-off | X | X | | | | Mark BAS lodged | X | X | | | | Create BAS draft for client | X | X | | | | Send engagement letter | X | X | | | | Engagement letter templates | X | X | | X | | Tags | X | X | | X | | Branding | X | | | X | | Custom domain | X | | | X | | Add / remove staff | X | | | X | | Change a staff member's role | X | | | |

The principal can promote/demote any non-owner member from Settings → Members. The owner row is locked (can't be demoted out of principal or removed via UI).

What staff can see

A staff member's view splits into three buckets:

1. The practice surface — workflow queues, client roster, BAS approvals, engagement letters, messaging, settings (members tab read-only for non-owners)
2. Each client's data — only what the client granted (read-only by default; e.g. tax / income / transactions)
3. Their own personal Frank account — staff get a strict practice-only account by default. They have no personal entities, no Frank chat for themselves, no /money, /wealth, /tax surface

Staff who want a personal Frank account too

If a staff member wants their own personal Finance Frank — to track their own finances — the practice owner adds them as a client of the practice (uses one of the N seat allowances). This cleanly separates the two roles: practice membership grants firm-side access; client membership gives them personal Frank.

What staff CANNOT see

• The practice owner's personal Frank data (RLS-isolated to the owner's user_id)
• Clients of OTHER practices (RLS-enforced)
• Each other's personal data (different user IDs, different RLS scopes)

Removing a staff member

Settings → Members → Remove. The auth user remains (they keep the account); only the practice membership is severed. Their access to all clients of the practice ends immediately.