
User Management & Security

This guide covers how primary account holders manage their team in Aliveo AI: inviting users, enabling/disabling access, enforcing two-factor authentication, and the step-up auth flow that protects sensitive actions.

Who can do what? Only primary account holders see the user management surface. Secondary users still get to use the platform—they just don’t administer team membership.


Roles

Aliveo distinguishes between two user types:

  • Primary user — the account administrator. Connects integrations, sets context, invites secondary users, controls 2FA enforcement and Slack settings.
  • Secondary user — a teammate added under a primary account. Has access to the same workspaces, chats, dashboards, and automation agents (subject to read-only or shared modes), but cannot manage other users.

If your workspace is configured with SSO/SAML, your identity provider is the source of truth—team members appear with an SSO badge and most local edits are disabled.


Inviting a Team Member

  1. Open My Account → User Management.
  2. Click Add User.
  3. Enter the new user’s email address (and, optionally, name).
  4. Confirm. You’ll be asked for a one-time email code as step-up authentication (see below).
  5. The user receives an email invite. Until they accept, their status shows Invited.

Once accepted, their status flips to Active and they can log in.

On workspaces gated for specific enterprise tenants (e.g. SSO-only deployments), the User Management page is hidden and team membership is managed via the customer’s identity provider instead.


Disabling and Re-enabling Users

Instead of deleting users (which would orphan their chats and saved workflows), Aliveo uses disable / enable toggles:

  • Disable — revoke access immediately. Their chats, dashboards, and shared agents remain available for the rest of the team, but they can no longer sign in.
  • Enable — restore access. Their previous content is exactly as they left it.

Both actions require a fresh one-time email code (step-up auth). Disabled users carry a Disabled badge in the team table.

The team table also supports search, status filtering, and a Refresh button to force-reload the membership list.


Two-Factor Authentication (2FA)

Personal 2FA setup

Any user can enable TOTP-based 2FA from My Account → Personal Account → Two-Factor Authentication:

  1. Click Set up 2FA.
  2. Scan the QR code with your authenticator app (Google Authenticator, 1Password, Authy, etc.).
  3. Enter the 6-digit code shown by the app to confirm.
  4. Save.

From then on, every login requires the 6-digit code in addition to your password.

Org-wide 2FA enforcement

Primary users can require 2FA for every member of the team:

  1. Open My Account → User Management.
  2. In the Two-Factor Authentication card, toggle Enforce 2FA.
  3. Confirm with the email OTP prompt.

Once enforcement is on:

  • Users who already have 2FA continue logging in normally.
  • Users without 2FA are redirected to a Setup 2FA Required screen on their next login and must complete TOTP setup before they can access the app.

Step-Up Authentication (Email OTP)

Some actions are sensitive enough that a regular login session is not enough. Aliveo asks you to re-authenticate with a one-time email code for these actions, even if you signed in minutes ago.

Step-up auth fires when you:

  • Invite, disable, or enable a user.
  • Toggle 2FA enforcement.
  • Change Slack “external users” settings.
  • Other sensitive admin operations.

The flow is:

  1. You attempt a sensitive action.
  2. A small Verify it’s you dialog opens.
  3. We email you a one-time code (valid for a few minutes).
  4. You paste it back into the dialog.
  5. The original action proceeds.

If you cancel the dialog, nothing changes—the action is aborted. If the code expires, you can request a new one without re-doing the original action.
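
An added example, not Aliveo's implementation: one way a server could enforce the flow above, so that the action stays parked until the code is verified, a cancel drops it, and an expired code can be reissued without repeating the action. The class and method names, the 300-second code lifetime, and the five-attempt limit are assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300  # seconds; assumption, the guide only says "a few minutes"
MAX_TRIES = 5   # assumption, not in the guide; bounds guessing of the 6-digit code

def _digest(code):
    return hashlib.sha256(code.encode()).digest()  # the plaintext code is never stored

class StepUpGate:
    def __init__(self, send_email, clock=time.time):
        self.send_email, self.clock = send_email, clock
        self.pending = {}  # challenge id -> parked action and code state

    def _issue(self, ch):
        code = f"{secrets.randbelow(10**6):06d}"
        ch.update(digest=_digest(code), expires=self.clock() + CODE_TTL, tries=0)
        self.send_email(ch["user"], code)

    def attempt(self, user, action, run):
        """Steps 1-3: park the action, e-mail a code, return a challenge id."""
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = ch = {"user": user, "action": action, "run": run}
        self._issue(ch)
        return cid

    def resend(self, cid, user):  # expired code: new code, parked action is kept
        ch = self.pending.get(cid)
        if ch is None or ch["user"] != user:
            return False
        self._issue(ch)
        return True

    def cancel(self, cid, user):  # dialog cancelled: nothing runs
        if self.pending.get(cid, {}).get("user") == user:
            del self.pending[cid]

    def verify(self, cid, user, code):
        """Steps 4-5: run the parked action once, only on a valid, unexpired code."""
        ch = self.pending.get(cid)
        if ch is None or ch["user"] != user:
            return ("unknown", None)
        if self.clock() > ch["expires"]:
            return ("expired", None)  # still parked, so resend() works
        ch["tries"] += 1
        if not hmac.compare_digest(_digest(code), ch["digest"]):
            if ch["tries"] >= MAX_TRIES:
                del self.pending[cid]  # too many wrong codes: abort the action
            return ("wrong", None)
        del self.pending[cid]  # single use
        return ("ok", ch["run"]())
```

The challenge is bound to the user who started it, so a code mailed to one admin cannot release an action parked by another.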


The User Management page also surfaces a Slack card with the following toggle:

  • Allow Non-Aliveo Users to invoke @Aliveo AI in Slack — when on, anyone in your Slack workspace (not only users with Aliveo accounts) can mention @Aliveo AI to generate insights. When off, only people in your Aliveo workspace can use the bot.

Changes require email OTP re-authentication.

See Slack Integration for the full Slack setup.


Personal Account Settings

Each user has their own Personal Account page (My Account → Personal Account) with:

  • Personal Details — name, photo, contact info.
  • Two-Factor Authentication — TOTP setup.
  • Change Password — for non-SSO accounts.
  • Preferences — default line of business and the sub-accounts you want highlighted on landing.
  • API Keys — generate keys for programmatic access (enterprise plans).
  • Communication Settings — opt-in/out of product update emails (gated to specific deployments).

Hidden Tenant Hardening

A few enterprise hardening rules you should know exist but won’t see in the UI:

  • Aliveo employee accounts (@aliveo.ai) are hidden from customer admin views unless the primary user is also @aliveo.ai. Customer teams only see their own people.
  • For specific enterprise deployments, navigation items (e.g. User Management itself) are gated behind SSO flags configured at provisioning time.

If your team needs special handling, talk to your Aliveo contact.


Audit Trail

Sensitive admin actions (invites, enable/disable, 2FA enforcement, Slack permission changes) are logged. If you need to retrieve an audit record—who did what, when—reach out to your Aliveo contact.


For the encryption, isolation, and compliance posture behind these features, see Security and Privacy.