Handbook, Chapter 6 of 16

👥 Team & Roles

Inviting teammates, assigning roles, scoping access by location, and managing permissions so the right people see the right things.

Inviting a teammate

Anyone with the Manager or Admin role can invite teammates. Each plan has a maximum number of users — see the Account & Plans chapter for the limits. Inviting a user does not consume a seat until they accept the invitation.

  1. Go to Settings → Team.
  2. Click "+ Invite User".
  3. Enter the email address (or paste a comma-separated list to invite many at once).
  4. Choose a role (see below).
  5. Optionally restrict the user to a specific facility, location, or equipment group — the user will only see assets within that scope.
  6. Optionally add skill tags (e.g. "Electrical", "PLC", "HVAC") — used by the auto-assignment engine.
  7. Click Send Invite.
Info: Invitees receive an email with a one-time signup link. The link is valid for 7 days. You can resend or revoke it from the same screen. Re-sending updates the expiry to a fresh 7 days.

Built-in roles in detail

Myncel ships with five built-in roles. They cover the needs of most maintenance organizations. On the Professional and Enterprise plans you can also create custom roles with fine-grained permissions per feature area and action.

  • Admin — full access including billing, team management, integrations, and audit logs. Typically the maintenance director or the IT/OT lead.
  • Manager — full operational access; can configure schedules, approve work orders, view all reports, manage parts catalogs, and add/remove technicians. Cannot change billing or remove other admins.
  • Technician — can view all equipment they are scoped to, view and update assigned (and self-claimed) work orders, log time and parts, complete checklists, scan QR codes, and create new work orders. Cannot delete records or change schedules.
  • Operator — can view machines they run, report issues that turn into work orders, and complete simple inspection forms. Read-only on most other things. Designed for production staff who use Myncel maybe once a day.
  • Viewer — read-only access across the workspace. Useful for executives, auditors, insurance reps, and external stakeholders. Cannot create, edit, or delete anything.

Custom roles and permissions

On the Professional plan you can compose custom roles by toggling permissions across feature area × action. Permissions are organized by feature area (Equipment, Work Orders, Schedules, Reports, Parts, Locations, Settings, Integrations, Billing) and action (View, Create, Edit, Delete, Approve, Export, Configure).

Common custom roles we see customers create: Reliability Engineer (read all + edit schedules + edit AI settings), Stockroom Manager (full Parts area + receive POs, no work-order edit), Vendor (view & update only the work orders assigned to them, no other equipment visibility), Compliance Auditor (read-only + export-only).

Single sign-on (SSO) and SCIM provisioning

Myncel supports SAML 2.0 single sign-on and SCIM 2.0 user auto-provisioning. Both are configured per-organization, so different tenants can plug into completely different identity providers — Okta, Azure AD / Entra ID, Google Workspace, OneLogin, JumpCloud, Ping, and any other standards-compliant IdP — without affecting each other. See the Integrations chapter, section "Single sign-on (SSO) and SCIM provisioning", for the full step-by-step walkthrough including the Okta and Azure AD recipes.

Once SSO is enabled and enforced, all non-OWNER users in your workspace must sign in through your IdP; password and Google sign-in are blocked for them. Owners can still sign in with a password as a break-glass mechanism, which is the standard recovery path if the IdP itself goes down or the connection breaks. SCIM provisioning then handles the lifecycle: new hires created in the IdP appear in Myncel within seconds, role changes flow through, and deactivated employees are automatically deprovisioned.

  • Owner / Admin opens /settings/sso and configures the IdP Entity ID, SSO URL, and X.509 signing certificate.
  • Toggle "Enable SAML SSO" → save. The /signin page now offers a "Sign in with SSO (SAML)" button alongside password sign-in.
  • For mandatory SSO, also toggle "Enforce SAML SSO". Owners are exempt as a break-glass.
  • For SCIM auto-provisioning, mint a bearer token from the same /settings/sso page and paste it into the IdP's SCIM provisioning screen along with the SCIM 2.0 base URL shown at the top of the page.
  • Group → role mapping is automatic when the IdP sends a "groups" attribute (configurable). Group names containing "owner", "admin", "tech", "operator", or "employee" map to the matching Myncel role; everyone else gets the configured default role (default: Member).
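Because the mapping rule matches on substrings, a group such as "Administrative-Assistants" contains "admin" and "Biotech-Lab" contains "tech". The following added example (not Myncel code) audits a list of IdP group names before group mapping is turned on; the case-insensitive match, the treatment of "owner" and "admin" as privileged, and the sample group names are assumptions.

```python
# Added example: pre-flight audit of IdP group names against the handbook's
# substring-based group -> role mapping. This is not Myncel's implementation.

KEYWORDS = ("owner", "admin", "tech", "operator", "employee")  # from the handbook
PRIVILEGED = {"owner", "admin"}  # assumption: keywords treated as high-privilege


def matched_keywords(group_name):
    """Return every mapping keyword contained in the group name.

    Assumption: matching is case-insensitive; the handbook does not say.
    """
    lowered = group_name.lower()
    return [kw for kw in KEYWORDS if kw in lowered]


def audit_groups(group_names):
    """Classify each group as default-role, mapped, privileged, or ambiguous."""
    findings = []
    for name in group_names:
        hits = matched_keywords(name)
        if not hits:
            status = "default-role"   # falls through to the configured default
        elif len(hits) > 1:
            status = "ambiguous"      # several keywords match; outcome unclear
        elif hits[0] in PRIVILEGED:
            status = "privileged"     # confirm membership is intentional
        else:
            status = "mapped"
        findings.append({"group": name, "keywords": hits, "status": status})
    return findings


def needs_review(findings):
    """Groups an admin should inspect before enabling group mapping."""
    return [f["group"] for f in findings
            if f["status"] in ("privileged", "ambiguous")]


# Constructed sample of IdP group names (not real data).
SAMPLE_GROUPS = ["Myncel-Admins", "Administrative-Assistants",
                 "Maintenance-Technicians", "Biotech-Lab", "Product-Owners",
                 "Line-Operators", "Tech-Admins", "Finance"]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['status']:<13} {f['group']:<28} {f['keywords']}")
```

Renaming or excluding the flagged groups in the IdP before enabling the "groups" attribute avoids unintended role grants.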
Info: The full SP-side metadata XML is also exposed at /api/auth/saml/<your-org-slug>/metadata — most IdPs let you paste this URL once instead of typing the Entity ID and ACS URL by hand.

Audit log

Every meaningful action — sign-in, work-order edit, role change, billing change, integration credential update — is recorded in the audit log with timestamp, actor, IP address, and (where relevant) before/after values. Admins can browse the log from /admin/audit-logs and export to CSV. Logs are retained for 2 years.
