Organizations

Invites and onboarding

Organization onboarding in Tragentics is explicit. The admin chooses an email, chooses permissions, chooses access scope, and then sends an invite. There is no silent “everyone in the company gets full access” shortcut.

Sending an invite

The Invite Member dialog asks the admin for three required things:

  • the recipient's email address
  • at least one enabled permission
  • an explicit access scope

The send button stays disabled until all three are present. Tragentics does not default a member to “all access” or to an empty no-op permission set.

Invite lifetime is 1 hour. Tragentics allows only one active pending invitefor the same organization/email pair at a time, and caps invite attempts at 3 per rolling 1-hour windowfor that same pair.

Existing users vs future users

The invite flow works whether the recipient already has a Tragentics account or not.

If the user already exists

Tragentics stores the invite and sends an in-app notification so the user can review and accept it from inside the product.

If the user does not exist yet

Tragentics still stores the invite against that email. When the person eventually signs up with the same email address, the pending invite is waiting for them.

The onboarding surface is email-address-first, not account-id-first. That makes admin invite workflows work before the recipient even creates an account.

Pending invites

Pending invites appear in two places:

  • for admins, inside the organization Members tab under Pending Invites
  • for recipients, through the pending invite experience when they have not yet accepted or declined

Pending invites include the email, permission set, access scope, creation time, and expiration time.

A pending invite is considered active only while its status is pending and its expiration time is still in the future. Once the 1-hour window passes, Tragentics normalizes that invite to expired and it no longer blocks a resend.

The original invite notification stays in the user's history. When the invite expires, Tragentics adds a separate notification telling the recipient that the invitation is no longer valid.

Accepting an invite

Accepting an organization invite does more than flip a status flag. It creates the actual organization membership boundary for that user.

On acceptance, Tragentics:

  • creates the member record
  • creates the member access-scope rows
  • sets the user's active organization context
  • marks the invite as accepted

That acceptance path is treated as a context transition because the user now has a live org view available to them.

If the invite is already expired by the time the user tries to accept it, Tragentics rejects the action and requires the admin to send a new invite.

Declining an invite

Declining an invite does not create any organization membership rows and does not change active context. It closes the invite immediately and keeps the user out of the organization.

A decline also counts as one invite attempt inside the same rolling 1-hour rate window. That means an admin can resend if needed, but repeated decline/resend loops are still bounded by the 3-invites-per-hour rule.

Resend and anti-spam rules

Tragentics is intentionally strict about re-invites so organizations cannot spam the same address while still leaving room for legitimate retries.

  • while an invite is still pending, the admin cannot send another one for that same organization/email pair
  • once an invite is declined, it stops being active immediately and a resend is allowed if the rolling 1-hour limit has not been reached
  • once an invite expires, it stops being active immediately and a resend is allowed if the rolling 1-hour limit has not been reached
  • after 3 invite attempts in the same rolling 1-hour window, Tragentics blocks additional sends until the window moves forward
The rolling limit applies whether earlier invites were declined or expired. Expiry and decline close the current invite, but they do not erase the recent-attempt history used for anti-spam enforcement.

SSO-aware invites

If the organization has SSO enabled and the admin enters an email address on the configured domain, the invite dialog gives an SSO hint. That does not replace the invite. It just tells the admin that the user will also be able to sign in through the organization's identity provider.

Next

After a member accepts, the most important concept is context: organization context and switching →