Access Management

Access Management is the central screen for managing user accounts, groups, roles, and access settings. Everything that decides who can do what in OTS Signs lives here.

Where to find it: sidebar → Admin group → Access Management.

How the page is organized

The page has five tabs across the top. Each tab uses an icon and a label so you can find it quickly.

Tab	What it covers
Users	Individual user accounts. Invite people, deactivate them, reset passwords, and assign roles.
Groups	Named sets of users. Assigning a role to a group is usually easier than assigning it to each person.
Roles	Named sets of permissions. A role is what links “what someone can do” to a person or group.
Service Accounts	Accounts used for approved automation. Read-only here; OTS sets these up for you.
Settings	A short list of customer-wide options, such as how long the audit log is kept.

The current tab is remembered for your current visit. Switching tabs does not lose any work in dialogs that are still open.

Users tab

The Users tab lists every account in your organization, whether active or deactivated.

What the table shows

Column	Meaning
Name	Display name and username. Click the row to open the user detail panel on the right.
Email	Sign-in email. A small badge shows whether the address has been verified.
Status	`Active` (can sign in), `Inactive` (deactivated), or `Initial` (invitation not yet completed).
Roles	The roles currently assigned to this user. Hover the row for the full list when it’s truncated.
Last Sign-In	The most recent successful sign-in timestamp, or `—` if the user has never signed in.

The header above the table shows the total user count and a breakdown of active vs. inactive.

Inviting a new user

Click the + button in the top-right of the page.
Fill in:
- Username — used to sign in. Lowercase letters and numbers only.
- Display name — what other users see in the app.
- Email — where the invitation is sent.
Optionally select one or more roles to grant immediately.
Optionally type a personal message that will appear in the invitation email.
Choose how to finish:
- Send invitation (default) — emails the new user a one-time link to set their own password.
- Activate without invitation — creates the account and shows you a temporary password to share by another channel. Use this only when email is not an option.
Click Create.

The new user appears at the top of the list. If you sent an invitation, the Pending Invitations table at the bottom of the tab shows it as Pending until the user accepts.

Pending invitations

Below the user table is a separate Pending Invitations section. It shows invitations that still need attention, such as pending, expired, or cancelled invitations. Each row shows the email, the date the invitation was sent, when it expires, and its status:

Status	Meaning
Pending	Sent and waiting for the user to accept.
Expired	More than the allowed time has passed. Resend to refresh it.
Cancelled	An admin cancelled the invitation. The link no longer works.

Use the inline actions to resend an invitation or cancel it where applicable. Accepted invitations leave this table.

Working with an existing user

Right-click a user row to open the actions menu:

View details — opens a side panel with sign-in history, group membership, and direct role grants.
Edit — change display name or email. Username can’t be changed.
Reset password — generates a new temporary password and shows it once. Share it with the user securely.
Deactivate / Reactivate — turns sign-in on or off without deleting anything. Use this for staff who have left.
Delete — permanently removes the account. Audit-log entries created by this user remain.

You can also select multiple users with the checkboxes and use the bulk action bar that appears above the table to delete them in one go.

A note on passwords

OTS Signs does not store user passwords. When you “reset” a password, you are setting a one-time temporary password that the user must change at next sign-in.

Groups tab

Groups bundle users together so you can manage them as a unit.

Why use groups

If five people on the bakery team all need the same access, create a “Bakery Staff” group, give that group the role you want, and add the five users to it. Later, when someone joins or leaves the team, you only have to add or remove them from the group — their permissions update automatically.

Creating a group

Click the + button in the top-right.
Enter a name (required) and an optional description.
Click Create.

The group is created empty. To add members, open the group’s detail page from the table.

Managing a group

Right-click a group row for actions:

Open — go to the group’s detail page where you can add or remove members and assign roles.
Edit — rename the group or update its description.
Duplicate — create a copy with the same role assignments. You’ll be prompted for a new name.
Delete — remove the group. Members are not deleted, they simply lose any access they had only through this group.

System-managed groups

Some organizations may include groups created during setup. Treat unfamiliar groups carefully and confirm with an administrator before deleting them.

Roles tab

A role is a named bundle of permissions. Roles are how you grant abilities to users and groups.

How roles are organised

Roles are split into two types based on what they control:

Content roles govern access to layouts, media, playlists, displays, schedules, and other content objects. They are assigned via folder grants (see Folders) and determine what a user can do within a given folder.

Role	What it allows
Viewer	View and browse content. No changes.
Editor	Create and edit content. Cannot delete or manage sharing.
Manager	Full content lifecycle — create, edit, delete, and manage sharing.

Admin roles govern system-wide configuration, user management, and reporting. They are assigned directly to users or groups from this tab.

Role	Intended for
Operator	Operational access — reporting, display profiles, fonts, minor settings. No user or role management.
Admin	Full system configuration — users, groups, roles, audit log, settings, and all Operator capabilities.

Two additional roles (Customer Admin and OTS IT) exist for bypass-level access. Customer Admin is assigned by your organisation; OTS IT is reserved for the OTS support team. Both bypass all permission checks.

The Roles board groups custom roles by their derived capability tier — the system infers whether a custom role behaves like a Viewer, Editor, Manager, or Admin based on which permissions it includes.

System roles vs. custom roles

System roles are built-in and can’t be edited or deleted. Click any system role to see its full permission list in the right panel.

Custom roles are created by your organisation when the built-in roles don’t quite fit.

Creating a custom role

Click + Create Role.
Fill in:
- Display name — what people see (for example, “Menu Board Editor”).
- Description — what this role is for.
- Start from preset (optional) — pick a system role to copy its permissions as a starting point. This copies the permissions at creation time only; the new role is independent afterwards.
Click Create.

After creating the role, click it to open the capability panel on the right and toggle individual permissions on or off. Changes are saved automatically.

To rename or delete a custom role, use the pencil and trash icons in the role’s header.

Assigning an admin role

Admin roles (Operator, Admin) are assigned in two places:

On a user: Users tab → right-click a user → View details → Roles section.
On a group: Groups tab → open the group’s detail page → Roles section.

A user’s effective admin permissions are everything granted by any admin role they hold directly, plus every admin role granted to any group they belong to.

Service Accounts tab

Service accounts are accounts used by approved automation. They are not used by people.

This tab is read-only for customers. Each row shows:

Name — what the account is for.
ID — the account identifier.
Status — active or inactive.
Description — what this account does.

If you need a new service account or you suspect one has been compromised, contact OTS support.

Settings tab

System-wide options that affect how access rules work.

Setting	Default	Notes
Audit log retention	365 days	How many days of audit history to keep. Minimum 30. Older entries are removed automatically.

Changes here take up to 60 seconds to take effect. The note at the top of the panel tells you whether you have permission to change the values; if not, the inputs are read-only.

Common tasks

”I want to give Sarah the same access as the rest of the bakery team”

If a “Bakery Staff” group already exists, add Sarah to that group from her user detail panel. If not, create the group first, assign it the role(s) the team needs, then add Sarah and the others.

”I need to remove someone who has left”

Deactivate them first (Users tab → right-click → Deactivate). This stops sign-in but keeps their history intact for audit purposes. Delete them only when you’re sure you no longer need their record.

”I need a role that’s like Editor but can also delete content”

Create a custom role, click Start from preset → Editor, then toggle on the delete permissions you need. Assign the new role via folder permissions wherever you previously used Editor.

”I want to give someone access to layouts in one folder but not the rest”

Use Folder Permissions on that specific folder. Add the user or group, pick the Editor or Viewer role, and optionally restrict it to the Layouts asset type. They will only be able to see and act on layouts in that folder (and its sub-folders).