PURPOSE
Procedure for onboarding a new firm staff user — invitation, role assignment, client allocation, vault access, integration scoping. Covers both the technical setup AND the operational handoff so the new staff member can be productive day-1.
WHEN TO USE
- Firm hires new tax preparer / bookkeeper / audit staff / manager / admin
- Existing user role changes (promotion, scope change)
- Contractor staff added with limited-time access
- Re-activating a previously deactivated user
ROLES INVOLVED
- Primary owner: Firm Admin (OWNER or ADMIN role)
- Department head (Tax Manager / Accounting Manager / Audit Manager): defines client allocation
- Engagement Partner: signs off on partner-level access if applicable
- New staff member: completes self-onboarding (sets password, configures profile)
PREREQUISITES
- Firm Profile complete (Settings → Firm Profile)
- Subscription tier supports the additional user (Accounting Only/Tax = 5 users; All-In-One = unlimited)
- Email integration connected (M-025) so welcome email reaches new user
- Department head has list of clients to allocate
PROCEDURE
1. Settings → Users & Roles → "+ Invite User" (M-036)
2. Enter email + select role from 6 firm-level options:
- OWNER (firm owner, full control, only one)
- ADMIN (operational admin, full settings access)
- PARTNER (engagement partner, signs off on reports/returns)
- MANAGER (oversees teams, allocated clients)
- STAFF (preparer/bookkeeper/auditor — assigned-client only)
- VIEWER (read-only on assigned clients)
3. Configure module permissions (per Module 3 — module-based + client-based, NOT firm-flat): which modules visible (Tax / Accounting / Audit / Compliance / etc.)
4. Click Send Invite → user receives email with link to set password
5. New user clicks link → sets password (must meet complexity: min 10 chars, upper/lower/num/special per CC6.1) → lands in app
6. Department head allocates clients: open each relevant Client → assign new user via assignee dropdown (drives "allocated client" count for that user, NOT "total client" count per design intent)
7. For new tax preparers: allocate Q&A access for their assigned clients; configure tax software target preference if the firm uses more than one (e.g. Drake vs Lacerte)
8. For new bookkeepers: grant Vault access for assigned clients (M-027); add their name to the recurring-task pool for monthly close
9. For new audit staff: assign workpaper sections (A-J) per upcoming engagement
10. Verify new user can sign in: Settings → Active Sessions list shows their session; AuditLog row for "USER_LOGIN" event (M-004)
11. Set per-staff hourly rate per service type (Settings → Billing → Staff Rates per Module 31): Tax Prep / Audit / Accounting / Advisory / Admin — different rates per type
12. Add to internal chat channels (#general, #tax, #audit per relevance — M-033); send welcome message + introduce to team
13. Schedule first-day orientation: walk through Setup Wizard (Help → Setup Guide), key SOPs, escalation paths
14. Optional: add to Calendar booking-link config (M-034) if client-facing (allow clients to book meetings directly)
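The permission model the procedure sets up (step 2 role, step 3 module permissions, step 6 client allocation) can be captured in one authoritative check that both the API and the UI call, so a rendered button never outruns what the API accepts. This is an added illustration, not the product's own code; the User shape is assumed, and treating OWNER and ADMIN as firm-wide (all other roles assignment-scoped) is an assumption drawn from the role descriptions above.

```python
from dataclasses import dataclass

FIRM_ROLES = ("OWNER", "ADMIN", "PARTNER", "MANAGER", "STAFF", "VIEWER")
# Assumption: OWNER and ADMIN see every client; all other firm roles are
# limited to clients allocated to them in step 6 (assignment-driven visibility).
FIRM_WIDE_ROLES = {"OWNER", "ADMIN"}
READ_ONLY_ROLES = {"VIEWER"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    modules: frozenset              # modules made visible in step 3
    assigned_clients: frozenset = frozenset()  # clients allocated in step 6

    def __post_init__(self):
        if self.role not in FIRM_ROLES:
            raise ValueError(f"unknown firm role: {self.role}")


def can_access(user: User, module: str, client_id: str, write: bool = False) -> bool:
    """Module-based AND client-based gate (not firm-flat).

    Called by the API before acting and by the UI before rendering a control,
    so the two cannot disagree (the 'I see the button but it doesn't work' case).
    """
    if module not in user.modules:                 # module gate
        return False
    if write and user.role in READ_ONLY_ROLES:     # VIEWER is read-only
        return False
    if user.role in FIRM_WIDE_ROLES:               # firm-wide roles skip the client gate
        return True
    return client_id in user.assigned_clients      # client gate


def allocated_client_count(user: User) -> int:
    """Dashboard 'allocated client' count: driven by assignment, not firm total."""
    return len(user.assigned_clients)
```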
DECISION POINTS
- If contractor with limited-time access: set expiresAt on access (NOT EXPLICITLY DOCUMENTED at user level but possible via deactivation date in Notes); deactivate manually at end
- If staff role transitions UP (e.g. Staff → Manager): edit role; re-evaluate client allocation; update Vault access scope
- If staff role transitions DOWN: edit role first; re-allocate clients away from user; preserve historical data
- If multi-firm advisor (single user serving multiple firms): NOT EXPLICITLY DISCUSSED in module spec; flag for design follow-up
- If staff leaves firm: see "Deactivate user" path below in Edge Cases
EDGE CASES
- Deactivate user (departure / leave): Settings → Users → Deactivate; user can no longer log in; assigned clients reassigned manually; AuditLog entries preserved with their userId
- Force re-auth: Settings → Users → Force Re-Auth → invalidates all sessions for that user (security event)
- Account lockout after 5 failed logins (CC6.6 per Module 37): 15-minute auto-unlock; if client-facing concern, admin can manually unlock
- Permission UI vs API mismatch (antipattern): UI may render buttons that API rejects — flag if user reports "I see the button but it doesn't work"
- Vault access without master password setup: new user must set up Vault master password separately (one-time setup) before accessing credentials
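The two authentication controls referenced above (step 5 password complexity per CC6.1 and the 5-failure / 15-minute lockout per CC6.6) are shown here as a self-contained reference implementation. This is an added example, not the platform's own code; the in-memory store and the seconds-based clock argument are assumptions for testability.

```python
import re
import time

MIN_PASSWORD_LEN = 10            # step 5: min 10 chars (CC6.1)
LOCK_THRESHOLD = 5               # failed logins before lockout (CC6.6)
LOCK_WINDOW_SECONDS = 15 * 60    # auto-unlock after 15 minutes


def password_meets_policy(pw: str) -> bool:
    """CC6.1 complexity: length >= 10 with upper, lower, digit and special char."""
    return (len(pw) >= MIN_PASSWORD_LEN
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


class LoginGuard:
    """Per-user failed-login counter; in-memory store is an assumption."""

    def __init__(self):
        self._failures = {}      # user_id -> consecutive failure count
        self._locked_until = {}  # user_id -> unix time when auto-unlock occurs

    def is_locked(self, user_id: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if now >= until:                  # 15-minute window elapsed: auto-unlock
            self.unlock(user_id)
            return False
        return True

    def record_failure(self, user_id: str, now: float = None) -> bool:
        """Returns True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user_id, now):
            return True
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        if count >= LOCK_THRESHOLD:
            self._locked_until[user_id] = now + LOCK_WINDOW_SECONDS
            return True
        return False

    def record_success(self, user_id: str) -> None:
        self._failures.pop(user_id, None)  # successful login resets the counter

    def unlock(self, user_id: str) -> None:
        """Manual admin unlock (also used internally for auto-unlock)."""
        self._failures.pop(user_id, None)
        self._locked_until.pop(user_id, None)
```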
KPIS / QUALITY CHECKS
- Time from invite sent → user signed in successfully: target <2 business days
- Client allocation 100% complete before first engagement assignment
- Vault master password set up before assigned client work begins (no work blocked by missing creds)
- Hourly rates configured before first time entry logged (otherwise the rate falls back to the demo default of $200/hr)
RELATED MODULES & SOPS
- Modules: M-001 Auth · M-003 RBAC · M-008 Clients · M-027 Vault · M-031 Time Tracking · M-036 Settings · M-033 Chat · M-034 Calendar · M-004 AuditLog
- SOPs: SOP-010 (integration setup — if new user needs to connect email) · SOP-011 (branding setup — if new admin) · SOP-012 (compliance evidence)
NOTES
- 11 total roles per Module 3: 4 platform-level (SUPER_ADMIN / PLATFORM_ADMIN / PLATFORM_SUPPORT / PLATFORM_BILLING) + 6 firm-level (above) + 1 external (CLIENT)
- "User can only see what they're assigned for" — assignment-driven visibility (design intent); allocation drives Dashboard counts
- Performance section is OWNER-only; Revenue not on Dashboard at all (moved to Reports)
- Browser Extension (M-028) for Vault auto-fill: optional but recommended — install per browser; user logs in with their JWT