Access in Regnora works at two levels. At the **organisation** level, every person has a role that governs what they can do. At the **project** level, access controls which projects each person can reach. Together they let you keep a client engagement or a draft assessment walled off from the rest of the organisation.

## Organisation roles

Members are managed on the **Members** page, where each person has one of four roles:

- **Owner** — full access to the organisation, including everything below. Only an owner can grant the owner role.
- **Admin** — manages the organisation and its members, and invites people.
- **Member** — a regular member with everyday access.
- **Viewer** — read-only access.

Owners and admins of the organisation automatically have access to every project in it; that's part of what their role grants.

**Manage:** [Members](https://app.regnora.com/members)

## Inviting members

From the Members page, **Invite member** sends an email invitation. You'll see pending invitations and can manage them there, and you can change a member's role or remove them as your team changes.

## Contributor seats

Separately from their role, members can hold a **Contributor** seat. Contributors can run gap analyses and spend credits, while other members can still view and collaborate. The Members page shows how many contributor seats are in use (for example, "3 of 5 contributors"), and you assign or unassign a seat independently of the person's role.

## Project access

Project access is straightforward: a person either has access to a project or they don't. Organisation owners and admins have access to all projects automatically; everyone else needs to be added to a project explicitly. You manage who's on a project from its **Team** page, which lists the project's members and pending invitations.

## Guests

You can invite someone from outside your organisation to a **single** project — a client, an auditor, a partner — without giving them access to anything else. They're invited by email to that one project and see only it, which is what makes an external project a safe place to share evidence.
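The rules in the organisation roles, project access and guests sections, worked through as an access review of one project. This is an added example, not Regnora's code or API: the data layout, function names and e-mail addresses are constructed for illustration.

```python
from typing import Dict, List, Set

# Roles that, per this page, reach every project automatically.
ALL_PROJECT_ROLES = {"owner", "admin"}

# Constructed sample data (hypothetical layout, not a Regnora export format).
ORG_ROLES = {
    "ana@example.com": "owner",
    "ben@example.com": "admin",
    "cy@example.com": "member",
    "dee@example.com": "viewer",
    "eli@example.com": "member",
}
TEAMS = {"client-x": {"cy@example.com"},
         "internal-draft": {"cy@example.com", "dee@example.com"}}
GUESTS = {"client-x": {"auditor@example.net"}}


def who_can_reach(project: str, org_roles: Dict[str, str],
                  teams: Dict[str, Set[str]],
                  guests: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each person who can reach `project` to the rule that grants it."""
    reach = {}
    for email, role in org_roles.items():
        if role in ALL_PROJECT_ROLES:
            reach[email] = f"role:{role}"   # implicit: no project grant needed
        elif email in teams.get(project, set()):
            reach[email] = "team"           # explicitly added to the project
    for email in guests.get(project, set()):
        reach.setdefault(email, "guest")    # outside the organisation
    return reach


def projects_visible_to(email: str, org_roles: Dict[str, str],
                        teams: Dict[str, Set[str]],
                        guests: Dict[str, Set[str]]) -> List[str]:
    """List the projects one person can reach under the same rules."""
    all_projects = sorted(set(teams) | set(guests))
    if org_roles.get(email) in ALL_PROJECT_ROLES:
        return all_projects
    return [p for p in all_projects
            if email in teams.get(p, set()) or email in guests.get(p, set())]


if __name__ == "__main__":
    for person, rule in sorted(who_can_reach("client-x", ORG_ROLES, TEAMS, GUESTS).items()):
        print(f"{person:24} {rule}")
```

In the sample data the walled-off project is reachable by its one team member and its guest, and also by the owner and the admin, who were never added to it.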

## Resetting a member's MFA

Admins can help members who are locked out of [two-factor authentication](/guides/org-settings-and-security/#multi-factor-authentication): from the Members page you can clear a member's MFA lockout or trigger an MFA reset for them.