Members & Invitations
Anyone who can sign in to your workspace is a member of your organization. This page explains how people become members, what they must do before they can use the workspace, and how to remove them.
Settings live under Settings → Users.
Inviting someone
Inviting is the only way to add a member. There is no direct create-account-for-someone-else flow inside the product.
To invite:
- Open Settings → Users.
- Enter the person’s email address and pick the role they should have. See Roles & Permissions for what each role can do.
- Click Invite.
The invited person receives an email with a one-time link. If mail isn’t configured, the invitation will appear in the users list but no email will be delivered — they’ll have nothing to act on.
What the invitee does
When the invited person clicks the link, they:
- Choose a password.
- Enroll in multi-factor authentication. This is required; they cannot skip it. They scan a TOTP QR code (Google Authenticator, 1Password, Authy, etc.) and confirm a one-time code.
- Land in your workspace as an active member.
Email-domain restrictions
If your organization has set the allowed email domains setting, invitations to any other domain are rejected before the email is sent. This is useful for organizations that want to prevent admins from accidentally inviting outside addresses, such as personal Gmail accounts. Configure it in the organization settings.
The invitation lifecycle
Every membership row goes through these states:
| State | Meaning |
|---|---|
| Pending | Invitation issued. The invitee hasn’t completed signup yet. Counted against your seat usage. |
| Active | Invitee completed signup, enrolled MFA, and can sign in. |
| Revoked | Membership ended. The person can no longer sign in to this organization. Their audit-log footprint is preserved. |
You can re-invite a revoked person. They go back through the Pending → Active flow as if it were the first time.
Invitation expiry
Invitations don’t sit open forever. If a pending invitation isn’t accepted within the configured window, it expires and the invitee’s link stops working. You can issue a fresh invitation to the same email.
Revoking a pending invitation
If you invited someone in error, revoke the invitation immediately. From the users list, find the pending entry and click Revoke. The link in the email stops working at that moment.
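The domain restriction, lifecycle states, expiry and revocation rules described above can be read as one small state machine. The Python model below is an added illustration, not Novantra's code; the class and method names, the 7-day window and the example.com address are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class State(Enum):
    PENDING = "Pending"
    ACTIVE = "Active"
    REVOKED = "Revoked"

class Membership:
    """Toy model of one membership row (not the product's implementation)."""

    def __init__(self, email, allowed_domains, window, now):
        domain = email.rsplit("@", 1)[-1].lower()
        # The domain check runs first, so a rejected address never gets a link.
        # An empty set models the setting being unset (no restriction).
        if allowed_domains and domain not in allowed_domains:
            raise ValueError(f"invitation rejected: {domain} is not an allowed domain")
        self.email, self.window, self.state = email, window, None
        self.invite(now)

    def invite(self, now):
        """First invite, fresh invite after expiry, or re-invite after revocation."""
        if self.state is State.ACTIVE:
            raise ValueError("already an active member")
        self.state, self.expires_at = State.PENDING, now + self.window

    def link_works(self, now):
        # Assumption: an expired row stays Pending; only its link stops working.
        return self.state is State.PENDING and now < self.expires_at

    def accept(self, now, password_set, mfa_enrolled):
        if not self.link_works(now):
            raise PermissionError("link is expired, revoked, or already used")
        if not (password_set and mfa_enrolled):
            raise PermissionError("password and MFA enrollment are both required")
        self.state = State.ACTIVE

    def revoke(self):
        self.state = State.REVOKED  # the link stops working from this moment

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    m = Membership("ana@example.com", {"example.com"}, timedelta(days=7), t0)
    m.revoke()
    m.invite(t0)  # re-invite: back through Pending as if it were the first time
    m.accept(t0 + timedelta(days=1), password_set=True, mfa_enrolled=True)
    print(m.state.value)
```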
Removing an existing member
When someone leaves the organization, deactivate their membership:
- Open Settings → Users and find the member.
- Click Deactivate.
- Provide a reason (audited).
What happens immediately:
- They can no longer sign in to this organization.
- Their active sessions are terminated.
- Their MFA enrollment is preserved (so re-invitation is fast), but it has no effect while deactivated.
What stays:
- Every audit-log entry they ever generated. You can still see what they did before being deactivated.
- Any artifacts (uploaded files, form responses) they created. Those belong to the organization, not the user.
Deactivation is a workspace-level action, not an account-deletion action. The Novantra user account itself (which is global to all workspaces a person belongs to) is not destroyed. To request full account removal, the user must contact Novantra support themselves.
MFA enforcement
MFA is always required. There is no per-org switch to disable it, and there is no per-user opt-out.
- New members must enroll MFA during signup before they can reach the workspace.
- Existing members cannot turn it off.
- If a member loses their MFA device, an admin must reset their MFA from the users list. The next sign-in puts them back through enrollment.
This is intentional — the product never allows a member to bypass MFA, because doing so would undermine every audit guarantee underneath.
Members vs install admins (Sovereign)
In Sovereign there are two distinct admin populations:
- Organization admins are members of an organization with the admin role. They manage that organization (users, roles, audit, settings).
- Install admins are not members of any organization. They manage the install itself (creating organizations, licensing, mail, infrastructure). They cannot sign in to a workspace as a member without being explicitly invited as one.
The separation is deliberate: the people who run the infrastructure are not automatically the people who can read the data inside it.
Single sign-on (SSO)
Not yet available. All members today sign in with email + password + MFA. SSO with SAML or OIDC is on the roadmap; check release notes when it ships.
Related
- Roles & Permissions — pick the right role when inviting.
- Mail Configuration — invitations and password resets depend on this.
- Audit Log — every invitation, acceptance, deactivation, and MFA reset is recorded.