Every signed-in FieldCred user on your tenant currently has full administrative rights — the ability to add, edit, and delete any worker, change any site, and update tenant settings. There is not yet a separate "gate-only" or "safety officer" login with restricted permissions, even though finer-grained roles are on the roadmap.
What doesn't require a login at all
This only applies to staff who sign in to the Directory/Admin side of the app. Gate staff and workers using the normal day-to-day flows — scanning a badge at a gate (/gate/:slug, /r/:slug), or a worker sharing their own record — never need a FieldCred account. Those pages are public by design; the roles distinction above is specifically about anyone with a login to the staff-facing app.
See How your data is isolated from other tenants for the separate (and much stronger) boundary that does exist today — between your tenant and every other FieldCred customer's data.