Teams.

How to collaborate securely in Vericto: roles, invitations, granular access, and enterprise SSO for engineering teams.

Overview

A workspace in Vericto is the container for all of an organization's databases, rules, API keys, and notifications. The team is the set of people with access to that workspace, each with a role that defines exactly what they can see and change.

The permissions model is simple: four roles, clear hierarchy, no exceptions. Permission changes take effect immediately across the platform — no need to sign out.

Each workspace has a single owner. Ownership can be transferred by contacting support. All other roles (admin, member, viewer) are assignable and revocable by the owner or any admin.

Roles and permissions

Vericto defines four roles. Each role has a fixed set of permissions — there are no individual granular permissions to select:

Role Who should have it Can do Cannot
Owner The account founder or the technical lead of the organization. One per workspace. Everything: change the plan, manage the full team, act on admins, transfer ownership.
Admin Tech lead or DBA responsible for security configuration. Manage databases, rules, API keys, notifications, and members/viewers. Invite new members. Act on other admins or the owner. Change the billing plan.
Member Team engineers who need to view and manage the audit trail and queries. View the dashboard, queries, audit trail, rules, and export data. Create or modify rules, databases, API keys, or manage the team.
Viewer External auditors, compliance officers, or non-technical stakeholders. View the dashboard and audit trail. Read-only. Any write or configuration action.

Admins cannot manage other admins. To promote or demote an admin, the owner must do it directly. This prevents horizontal privilege escalation without owner oversight.

Invitations

Owners and admins can invite new people to the workspace. The process is:

  1. Go to Dashboard → Team and enter the invitee's email and the role they will have.
  2. Vericto sends an invitation email. If the email doesn't arrive, copy the invitation link directly from the UI and share it via Slack or email.
  3. The invitee accepts the invitation and chooses (or creates) their password. The link expires in 48 hours.
  4. Once accepted, the new member appears as Active in the team list.

Pending invitations

While an invitation is pending acceptance, the member appears with Pending status. You can revoke it at any time from the team list. If the invitee did not receive the email, copy the link from the same row and send it manually.

Enterprise SSO (OIDC)

On the Enterprise plan, you can configure SSO with any OIDC provider (Okta, Microsoft Entra, Google Workspace, etc.). With SSO active:

  • JIT provisioning: users from verified domains automatically join the workspace with the default role you configure, without a manual invitation.
  • Enforce SSO: you can require all members to sign in exclusively via SSO, disabling email/password login for workspace users.

SSO configuration is in Dashboard → Settings → Enterprise SSO. Only the owner can enable it.

Best practices for companies

Principle of least privilege

Assign the most restrictive role that meets the user's needs. Most engineers only need Member to review the audit trail and blocked queries. Admin should be reserved for those who configure rules, databases, or manage the team. Viewer is ideal for external auditors or management who need visibility without the ability to make changes.

The owner is the organization's account

Use a corporate email account (e.g. infra@company.com) — not the founder's personal account — for workspace ownership. If the owner leaves the company and the account becomes inaccessible, the transfer process requires identity verification. Avoid this friction by using a shared platform team account.

API key rotation

CI/CD API keys have their own permissions and are not tied to a specific user. When someone from the platform team leaves the company, rotate the active API keys from Dashboard → API Keys → Rotate. This does not require changes to the rest of the team.

Monitor team changes with the audit trail

Vericto records team management events in the audit trail: invitations sent, accepted, and revoked, and role changes. For organizations with SOC2 requirements, these records are direct evidence of access control. You can export them in CSV or JSON from Dashboard → Audit Trail → Export.

Periodic access reviews

Schedule quarterly team reviews in your workspace to detect unnecessary access. A suggested process:

  1. Export the member list from the audit trail or review it in Dashboard → Team.
  2. Identify accounts with Pending status for more than 48 hours — they were probably never accepted.
  3. Revoke access for people who are no longer on the team.
  4. Downgrade to Viewer those with Member role who have no recent dashboard activity.

Frequently asked questions

How many members can a workspace have?

There is no limit on the number of members on any plan. The limit applies to connected databases (1 on Free, 3 on Builder, 10 on Team, unlimited on Enterprise).

Can I have multiple workspaces?

Yes. You can create and belong to multiple workspaces with the same account. Use the workspace switcher in the dashboard sidebar to switch between them. Each workspace has its own team, plan, and billing.

What happens when a member accepts an invitation but already has a Vericto account?

The invitation is associated with their existing account. The member simply gains access to the new workspace — no duplicate account is created. Their other workspaces are not affected.

Can I reassign the Owner role to another member?

Ownership transfer requires contacting support (support@vericto.com) with identity verification from the current owner. It cannot be done from the dashboard UI for security reasons.

Can Viewer role members see the query text?

Yes. Viewers have read access to the audit trail, which includes query metadata (applied rule, status, latency) but not the full query text if the workspace has telemetry mode set to Sanitized. If set to Raw, the text is visible. Configure it in Settings → Telemetry privacy.