Roles and Permissions
SteadyOn has three roles within an organisation. Every user has exactly one role.
The three roles
Owner
There is exactly one Owner per organisation. The Owner is typically the business owner or managing director. The Owner:
- Has full access to everything in SteadyOn
- Is the only person who can delete the organisation entirely
- Cannot be removed by Admins or other members — only by contacting SteadyOn support
- Is responsible for the organisation’s subscription and billing (future)
Admin
Admins are the operational safety managers and team leaders who actively manage the safety system. An Admin:
- Has full read/write access to all safety data (hazards, incidents, actions, inspections, training, documents)
- Can invite new members and set their roles
- Can remove members (but not the Owner)
- Can change other members’ roles (but not the Owner’s)
- Is the only role, apart from the Owner, that can mark a corrective action as Verified
- Can configure organisation settings and notification thresholds
You can have as many Admins as you need.
Member
Members are workers and team members who need to participate in safety reporting but do not need management access. A Member:
- Can view all safety data (hazards, incidents, actions, inspections, training, documents)
- Can report new hazards and incidents
- Cannot edit or delete any existing records
- Cannot invite or manage other members
- Cannot change organisation settings
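The three-role matrix above, written out as a default-deny authorisation check. This is an added illustration, not SteadyOn's own code; the record names, action names and the `allowed` function are assumptions made for the example.

```python
from enum import Enum
from typing import Optional


class Role(Enum):
    OWNER = "owner"
    ADMIN = "admin"
    MEMBER = "member"


# Safety record types listed on this page (names assumed for the example).
SAFETY_RECORDS = {"hazard", "incident", "action", "inspection", "training", "document"}
# The only records a Member may create (report); everything else is read-only for them.
MEMBER_CAN_REPORT = {"hazard", "incident"}


def allowed(actor: Role, action: str, target: str,
            target_role: Optional[Role] = None) -> bool:
    """Return True if `actor` may perform `action` on `target`.

    Any combination not explicitly granted is denied. `target_role` is the
    role of the member being acted on and is only consulted when
    `target == "member"`.
    """
    if actor is Role.OWNER:
        return True                      # full access, including deleting the organisation
    if action == "delete_organisation":
        return False                     # Owner only; nobody else, ever
    if actor is Role.ADMIN:
        if target in SAFETY_RECORDS:
            if action == "verify":       # only Owner/Admin may mark a corrective action Verified
                return target == "action"
            return action in {"view", "create", "edit", "delete"}
        if target == "member":
            if action == "invite":
                return True
            # Admins manage other members, but can never remove or re-role the Owner
            if action in {"remove", "change_role"}:
                return target_role is not Role.OWNER
            return False
        if target == "settings":
            return action in {"view", "edit"}
        return False
    if actor is Role.MEMBER:
        if target in SAFETY_RECORDS:
            if action == "view":
                return True
            return action == "create" and target in MEMBER_CAN_REPORT
        return False                     # no member management, no settings
    return False
```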
Why this role structure?
The three-role structure reflects a common pattern in small organisations:
- One owner — there needs to be one person ultimately accountable for the safety system and the subscription
- Several admins — typically the H&S officer plus department managers; they need to manage records, not just read them
- Many members — the broader workforce who should be able to report hazards and incidents, but should not have the ability to accidentally delete records or change settings
This is deliberately simpler than enterprise safety software, which often has dozens of configurable permissions. For a small organisation, complexity in permission settings leads to misconfiguration and support problems.
Who should be an Admin?
Consider making the following people Admins:
- Your health and safety officer or manager
- Department or site managers who will own hazards and actions in their area
- Any manager who conducts workplace inspections
- Office managers who maintain training records and documents
Workers and general staff should typically be Members.
Sign-in security
SteadyOn uses email one-time codes (OTP) for authentication — no passwords. Each sign-in sends a fresh 6-digit code to the user’s email address. This means:
- There are no passwords to forget, reuse, or have stolen
- A code is only valid for a few minutes
- If someone loses access to their email, they lose access to SteadyOn — this is the intended behaviour
Invitation flow
When you invite someone:
- They receive an email with a sign-in link
- They click the link, which takes them to the SteadyOn sign-in page
- They enter their email to receive a code
- They enter the code and are automatically added to your organisation with the role you assigned
If someone is already a SteadyOn user (in another organisation), they cannot join yours — each user belongs to exactly one organisation. They would need to use a different email address.