Users & Roles
For: Admin, Manager
Your team's access to Tellus is controlled through a role-based permission system. Every user is assigned a role that determines what they can see, edit, and manage. The system is designed to match real-world EHS responsibilities — from the administrator who configures the platform to the employee who just needs to view their assigned chemicals and complete training.
Both Administrators and Managers can access the People & Permissions page, but what they see and can do is different. Administrators have full company-wide access, while Managers have scoped access limited to the site(s) they manage. See What Managers Can Do for specifics.
The Eight System Roles
Tellus includes eight predefined roles that cover the full range of EHS team structures. Each role comes with a specific set of permissions tailored to its responsibilities.
Administrator
Full system access. The Administrator manages everything — company settings, user accounts, billing, and all module features. Every company needs at least one Administrator. This is typically the business owner, office manager, or head of operations.
What Administrators can do:
- Manage all company settings (profile, sites, billing, branding, security)
- Invite, edit, and deactivate users
- Assign roles and manage permissions
- Access all modules across all sites
- Export data and audit logs
- View and manage billing and subscription
Manager
Site-level management and team oversight. Managers oversee day-to-day operations at one or more sites. They manage chemical inventory, approve imports, generate reports, and supervise their site's compliance status.
What Managers can do:
- View and edit chemical inventory at assigned sites
- Approve Quick Import submissions in the review queue
- Generate and export site-level reports
- View compliance dashboards for their sites
- Manage training assignments for their team
- View (but not edit) company-wide settings
Program Coordinator
OSHA-required HazCom program coordinator. Under 29 CFR 1910.1200, every employer with hazardous chemicals must designate a person responsible for the Hazard Communication Program. The Program Coordinator role in Tellus maps directly to this OSHA requirement.
What Program Coordinators can do:
- Create, edit, and approve Written HazCom Plans
- Monitor compliance status across all sites
- Coordinate training programs and ensure coverage
- Review and sign off on chemical inventories
- Manage SDS library and ensure SDS coverage
- Access compliance reports and audit documentation
During onboarding, Tellus asks you to designate your Program Coordinator — this is OSHA Step 1 of building your HazCom program.
Trainer
Training course creation and delivery. Trainers build safety courses, manage lesson content, create quizzes, and track employee completions. This role is ideal for dedicated EHS trainers, safety officers, or third-party training providers.
What Trainers can do:
- Create and edit training courses and lessons
- Build quizzes and assessments
- Assign training to employees
- View training completion reports and transcripts
- Manage certification records
- Access the SDS library (read-only) for course content
Employee
View-and-complete access. Employees are the most common role. They can view the chemical inventory at their assigned site, access SDS documents, complete assigned training, and view published HazCom plans. They cannot edit inventory, manage users, or change settings.
What Employees can do:
- View chemical inventory at their assigned site(s)
- Access and search the SDS library
- Complete assigned training courses and quizzes
- View their training history and certifications
- View published HazCom plans
- Update their own profile information
Viewer
Read-only access. Viewers can see company data but cannot modify anything. This role is useful for executives, auditors, or stakeholders who need visibility into the compliance program without editing rights.
What Viewers can do:
- View chemical inventory (read-only)
- View SDS library (read-only)
- View compliance dashboards and reports
- View published HazCom plans
- View training status summaries
Contractor
Limited site-scoped access. Contractors are external workers who need access to chemical and safety information at specific job sites. Their access is restricted to the sites they've been assigned to, and they can only view data — not edit it.
What Contractors can do:
- View chemical inventory at assigned sites only
- Access SDS documents for chemicals at their sites
- Complete assigned training courses
- View published HazCom plans for their sites
- View their own training history
Contractors cannot see data from sites they're not assigned to, and they have no access to AdminHQ settings.
Consultant
Multi-company admin access. The Consultant role is designed for EHS consultants, safety firms, and managed service providers who manage compliance programs for multiple client companies. A single Consultant login can access all client companies with administrator-level permissions in each.
What Consultants can do:
- Switch between client companies using the company selector in the header
- Full administrator-level access within each client company
- Manage chemical inventory, plans, training, and compliance across clients
- View cross-company dashboards
- Each client company's data remains completely isolated
See Switching Between Companies for how the company selector works.
Role Comparison Table
| Capability | Admin | Manager | Coordinator | Trainer | Employee | Viewer | Contractor | Consultant |
|---|---|---|---|---|---|---|---|---|
| Manage company settings | Yes | -- | -- | -- | -- | -- | -- | Yes |
| Manage users & roles | Yes | Site only | -- | -- | -- | -- | -- | Yes |
| Manage billing | Yes | -- | -- | -- | -- | -- | -- | Yes |
| Manage sites & locations | Yes | -- | -- | -- | -- | -- | -- | Yes |
| Edit chemical inventory | Yes | Yes | Yes | -- | -- | -- | -- | Yes |
| Approve imports | Yes | Yes | -- | -- | -- | -- | -- | Yes |
| View chemical inventory | Yes | Yes | Yes | Read-only | Yes | Yes | Site only | Yes |
| Manage HazCom plans | Yes | -- | Yes | -- | -- | -- | -- | Yes |
| Create training courses | Yes | -- | -- | Yes | -- | -- | -- | Yes |
| Assign training | Yes | Yes | Yes | Yes | -- | -- | -- | Yes |
| Complete training | Yes | Yes | Yes | Yes | Yes | -- | Yes | Yes |
| View compliance dashboards | Yes | Yes | Yes | -- | -- | Yes | -- | Yes |
| Export reports | Yes | Yes | Yes | Yes | -- | -- | -- | Yes |
| Multi-company access | -- | -- | -- | -- | -- | -- | -- | Yes |
People & Permissions Page
The People & Permissions page is organized into tabs. Which tabs you see depends on your role:
| Tab | Admin | Manager |
|---|---|---|
| Users | Yes | Yes |
| Roles & Permissions | Yes | -- |
| Delegation (Coming Soon) | Yes | -- |
| Sensitive Actions (Coming Soon) | Yes | -- |
Managers see only the Users tab and work within the scope of their assigned site(s). Administrators see all tabs and have full company-wide access.
User Management
Inviting Users
To add someone to your Tellus account, you send them an invitation:
- Go to AdminHQ > People > Users tab
- Click
Invite User - Enter their email address and full name
- Select a role
- Assign them to a site
- Click
Send Invite
The user receives an email with an invitation link that's valid for 7 days. Once they accept, they appear in your Users list with their assigned role.
You can invite someone who already has a Tellus account (for example, an EHS consultant who works with other companies). They won't need to create a new account — accepting the invitation adds your company to their existing login. See Accept an Invitation for what the experience looks like from the invited user's perspective.
Invite Differences by Role
| Capability | Admin | Manager |
|---|---|---|
| Invite new users | Yes | Yes |
| Assign the Administrator role | Yes | -- |
| Assign to any site | Yes | -- |
| Assign to their own site(s) only | -- | Yes |
| Assign company-wide access (no site) | Yes | -- |
| Add multiple role assignments | Yes | -- |
If you're a Manager assigned to a single site, the site is automatically selected when you invite someone — you don't need to choose it manually. If you manage multiple sites, you'll pick from the sites you're assigned to.
Managers cannot assign the Administrator role. If you need to invite a new administrator, ask an existing administrator to send the invitation.
See Invite a User for the full walkthrough.
Bulk Invite
You can invite multiple users at once by uploading a CSV file. Download the template, fill in email addresses, names, roles, and site assignments, then upload and review before sending.
See Bulk Invite Users for details.
Pending Invitations
Track outstanding invitations from AdminHQ > People > Pending Invites. You can see who hasn't accepted yet, resend expired invitations, or cancel invitations that are no longer needed.
Editing Users
Click any user in the Users list to update their information. What you can edit depends on your role:
| Capability | Admin | Manager |
|---|---|---|
| Edit name and phone number | Yes | Yes (non-admin users at their site only) |
| Change role assignments | Yes | -- (read-only view) |
| Change site access | Yes | -- |
| Deactivate / reactivate users | Yes | -- |
| Edit administrator accounts | Yes | -- |
Managers can update basic contact information (name and phone number) for non-administrator users assigned to their site(s). Role assignments are displayed as read-only — to change someone's role, contact an administrator. Managers cannot edit administrator accounts or deactivate any users.
Deactivating Users
When someone leaves your organization, deactivate their account rather than deleting it. Only Administrators can deactivate or reactivate users. Deactivated users:
- Can no longer log in
- Are removed from active user counts
- Retain their historical data (training records, audit trail entries)
- Can be reactivated later if they return
Site-Scoped Roles
A user's role can vary by site. For example, someone might be a Manager at your main warehouse but an Employee at your satellite office. This is especially useful for multi-site organizations where people have different responsibilities at different locations.
Site-scoped roles are configured from the user's detail page under Site Access.
What Managers Can Do
Managers have access to the People & Permissions page, but their view is scoped to the site(s) they manage. Here's a summary of what Managers can and cannot do:
Managers can:
- View users assigned to their site(s)
- Invite new users to their assigned site(s)
- Edit basic information (name, phone) for non-admin users at their site
- View role assignments for users at their site (read-only)
Managers cannot:
- See users at sites they don't manage
- Change anyone's role assignment
- Deactivate or reactivate users
- Edit administrator accounts
- Assign the Administrator role when inviting users
- Invite users company-wide (must assign to a specific site)
- Access the Roles & Permissions, Delegation, or Sensitive Actions tabs
This scoping ensures that Managers have the access they need to onboard and maintain their team, while sensitive operations like role changes and account deactivation remain under administrator control.
Roles & Permissions Tab
Admin only — This tab is not visible to Managers.
The Roles & Permissions tab in AdminHQ shows you exactly what each role can do. Permissions are organized by module (AdminHQ, ChemIQ, SafePath, Plan Builder) so you can see at a glance which roles have access to which features.
- View mode — See all permissions assigned to each role
- Search — Filter permissions by name or module
- Edit mode — Modify permissions for non-admin roles
The Administrator role always has all permissions and cannot be modified.
See Manage Roles and Permissions for more.
Delegation (Coming Soon)
Admin only — This tab is not visible to Managers.
The Delegation feature will allow administrators to grant temporary elevated permissions to users — for example, giving a Manager admin access for a week while the primary Admin is on vacation.
Sensitive Actions (Coming Soon)
Admin only — This tab is not visible to Managers.
Sensitive Actions will add extra safeguards around destructive operations like deleting chemicals, exporting data, or removing users. You'll be able to require confirmation steps or approval workflows for these actions.
Availability
All user and role management features are included on every Tellus EHS account ($99/month). Your plan includes up to 15 users.
Related Pages
- Organization Profile — Company details and identifiers
- Sites & Locations — Manage your physical facilities
- Security Settings — Login audit trail and access controls
- Accept an Invitation — For users who received an invite