Adding and managing users

How to invite, manage, and remove people from your CashSheet silo — and what the user model actually looks like underneath.


The two-level user model

A “user” in CashSheet actually has two parts that work together:

  1. Platform account — lives at accounts.cashsheets.com. One per person. Owns their email, password, name. Used for sign-in across every silo they belong to.
  2. Silo membership — links a platform account to a specific tenant's silo. Carries the user's role (admin or member) and the groups they belong to for permissions.

When you “add a user,” you're creating (or attaching) the platform account and creating a silo membership for them. When you “remove a user,” you're typically removing the silo membership — the platform account survives, so they can still sign into other tenants if they belong to any.

Inviting a new user

Invites are sent from the platform, not from inside your silo:

  1. Sign in at accounts.cashsheets.com as a tenant admin.
  2. Open the Wagtail admin (accounts.cashsheets.com/wagtail/) → Organizations → click your tenant.
  3. In the tenant detail page, scroll to Invites and enter the new user's email address.
  4. Click Send Invite. The platform emails a one-time invite link with a token good for seven days.
  5. The invited user opens the email, clicks the link, sets a password, and is automatically attached to your silo as a member.

By default the new user joins your silo with no role-based permissions. You'll need to add them to a group — see Roles and permissions — before they can access financial accounting features, the planning module, or the Ops Console.

First login (SSO flow)

The first time someone signs in, the flow goes through the platform so SSO can issue them a silo session:

  1. User visits accounts.cashsheets.com/login/ and signs in with their email and password.
  2. Platform validates credentials, then generates a signed HMAC SSO token (with the user's email, the tenant slug, a nonce, and a short expiry).
  3. Browser is redirected to {your-slug}.cashsheets.com/sso/callback/?token=....
  4. The silo validates the token, looks up (or creates) the matching local user, and creates a silo session.
  5. User lands on the silo dashboard. They can bookmark this URL — future logins can go straight to the silo and the silo will redirect to accounts if no session exists.
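
The token handling in steps 2 to 4, as an added example that is not CashSheet's own code. The wire format (base64url JSON plus signature), SHA-256, the shared secret, the 60-second lifetime, the in-memory nonce set and the sample tenant slugs used with it are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SSO_SECRET = b"constructed-demo-key"  # assumption: secret shared by platform and silo
MAX_AGE = 60                          # assumption: the "short expiry", in seconds
seen_nonces = set()                   # demo only; a real silo needs a shared TTL store


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email, tenant_slug, now=None):
    """Platform side: sign email, tenant slug, nonce and expiry."""
    now = time.time() if now is None else now
    claims = {"email": email, "tenant": tenant_slug,
              "nonce": secrets.token_urlsafe(16), "exp": int(now) + MAX_AGE}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(sig)


def validate_token(token, expected_tenant, now=None):
    """Silo side: return the email, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given = b64d(sig)
    except ValueError:
        raise ValueError("malformed")
    expected = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))               # parsed only after the MAC checks out
    if claims["tenant"] != expected_tenant:       # token minted for another silo
        raise ValueError("wrong tenant")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["nonce"] in seen_nonces:            # single use: reject replays
        raise ValueError("replayed")
    seen_nonces.add(claims["nonce"])
    return claims["email"]
```

Because the token travels in a URL, the nonce and expiry checks are what keep a copy recovered from browser history or a proxy log from being redeemed later.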

Sessions are scoped to their exact domain — there's no shared SESSION_COOKIE_DOMAIN. Each silo has its own session cookie. Cross-tenant access is gated by re-running the SSO flow, not by sharing cookies.

Username or email sign-in

As of the June 2026 release, the silo login form accepts either the username or the email address in the “Username or email” field. The custom auth backend tries email first (case-insensitive), then falls back to username matching.

This matters in a few scenarios:

  • Users who've forgotten which one they signed up with can use whichever they remember.
  • Email changes on the platform side don't break sign-in for people who learned their username.
  • If two users share the same email (rare, but possible during migrations), the system falls back to exact-username matching to disambiguate.
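
The lookup order described above, modelled in plain Python as an added example; it is not the silo's actual auth backend. The user records, field names and PBKDF2 parameters are assumptions, and the sample accounts are constructed.

```python
import hashlib, hmac


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def resolve_user(identifier, users):
    """Email first (case-insensitive); exact username if no unique email match."""
    ident = identifier.strip()
    by_email = [u for u in users if u["email"].lower() == ident.lower()]
    if len(by_email) == 1:
        return by_email[0]
    # No email match, or a duplicated email: never take "the first row".
    by_name = [u for u in users if u["username"] == ident]
    return by_name[0] if len(by_name) == 1 else None


def authenticate(identifier, password, users):
    """Return the username on success, None on any failure."""
    user = resolve_user(identifier, users)
    if user is None:
        hash_password(password, b"dummy-salt")  # same work as a real check
        return None
    ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    return user["username"] if ok else None


def make_user(username, email, password):
    salt = username.encode()  # constructed; use a random per-user salt in practice
    return {"username": username, "email": email, "salt": salt,
            "pw_hash": hash_password(password, salt)}


# Constructed sample data: two accounts share one email after a migration.
USERS = [make_user("ana", "ana@example.com", "pw-ana"),
         make_user("ops_old", "ops@example.com", "pw-old"),
         make_user("ops_new", "ops@example.com", "pw-new")]
```

With the duplicated address, signing in by email fails for both accounts even with a correct password, so each owner has to use their exact username until the duplicate is cleaned up.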

Removing a user

Two flavors of removal, depending on what you actually want:

Remove from this silo only

User loses access to your tenant but keeps their platform account and any other tenant memberships.

Wagtail admin → Organizations → your tenant → Memberships → Remove on the row.

Delete the platform account

Deletes the user's account entirely. They lose access to every tenant they belonged to. Use sparingly — this is typically reserved for ex-employees who've fully left.

Platform admin → Users → select user → Delete user.

In both cases the silo retains audit-log entries authored by the removed user (so you can still trace who did what). The user identity is preserved on historical records — only their ability to sign in is revoked.

Multi-facility access

If your silo has multiple facilities (e.g. BLYTHE, WAGYU-CA, COSMOS), users can have access to some or all of them. Access is granted via fac_auth rows in the silo's database — typically managed through the Ops Console.

To grant a user access to a facility:

  1. Sign in to your silo as an Ops Console admin.
  2. Open Ops Console → Users, find the user, click their row.
  3. In Facility Access, check the facilities they need.
  4. Save. Effects are immediate — the user's next page load will reflect the new access.

Multi-facility users can switch between facilities from the top-right facility selector in the silo UI. The default facility is whichever was set on their user profile (usually the first one they were granted access to).

Password reset

Self-serve at accounts.cashsheets.com/login/ → Forgot password. The platform emails a one-time reset link valid for one hour. Resetting on the platform side is enough — silo logins use SSO, so they pick up the new credential automatically.

If a user reports they aren't receiving the reset email, check (in order): their spam folder; whether the email on their platform profile is current; whether your organization's email gateway is filtering [email protected]. Tenant admins can also trigger a password reset on a user's behalf from the Wagtail admin if a self-serve reset is blocked.