Every signed-in FieldCred user on your tenant currently has full administrative rights — the ability to add, edit, and delete any worker, change any site, and update tenant settings. There is not yet a separate "gate-only" or "safety officer" login with restricted permissions, even though finer-grained roles are on the roadmap.

What this means practically: treat every FieldCred login you hand out as a full-admin credential. Don't rely on the app itself to enforce least-privilege between staff members yet — if you need to limit who can delete records or change settings, that has to be a process/trust decision on your end for now, not something the app restricts.

What doesn't require a login at all

This only applies to staff who sign in to the Directory/Admin side of the app. Gate staff and workers using the normal day-to-day flows — scanning a badge at a gate (/gate/:slug, /r/:slug), or a worker sharing their own record — never need a FieldCred account. Those pages are public by design; the roles distinction above is specifically about anyone with a login to the staff-facing app.

See How your data is isolated from other tenants for the separate (and much stronger) boundary that does exist today — between your tenant and every other FieldCred customer's data.