Managing Users
OpenBoxes Lift makes it straightforward to control who has access to your account and your OpenBoxes instance. All user management happens from the Users section of the portal at app.openboxes.cloud.
User Limits by Tier
Each plan includes a set number of users. These limits apply to the total number of active users on your Lift account.
| Plan | Included Users | Additional Users |
|---|---|---|
| Shared | Up to 10 | Not available --- upgrade to Dedicated |
| Dedicated | Up to 50 | Available as an add-on |
| Enterprise | Unlimited | Included |
You can see your current user count on the dashboard and on the Users page.
Inviting Users
To add someone to your Lift account:
- Go to Users in the portal sidebar
- Click Invite User
- Enter the person's email address
- Select a role (see below)
- Click Send Invitation
The invited person receives an email with a link to create their Lift account. Once they accept, they can sign into the portal and launch OpenBoxes using SSO.
Invitation Details
- Invitations expire after 7 days. You can resend an invitation from the Users page if it expires.
- The invited user creates a password during signup (or uses their existing identity provider credentials on Dedicated and Enterprise tiers).
- Invitations count toward your user limit immediately. If you are at your limit, you need to remove a user or upgrade your plan before sending a new invitation.
User Roles
Every user on your Lift account has one of three roles. These roles control what the user can do in the Lift portal --- they are separate from roles within OpenBoxes itself.
| Role | Portal Access | Manage Users | Manage Billing | Launch OpenBoxes |
|---|---|---|---|---|
| Admin | Full access | Yes | Yes | Yes |
| Manager | Limited access | Yes | No | Yes |
| Browser | View only | No | No | Yes |
Admin
Full control over the Lift account. Admins can invite and remove users, change roles, manage billing, configure SSO, and adjust all account settings. The person who created the account is automatically an Admin.
Every account must have at least one Admin.
Manager
Managers can invite users, remove users, and change roles, but they cannot access billing or account-level settings. This role is ideal for team leads who need to manage their group's access without handling payments.
Browser
Browsers can view the portal dashboard and launch OpenBoxes, but they cannot make changes to the Lift account. This is the right role for most end users who simply need to use OpenBoxes.
Changing a User's Role
- Go to Users in the portal sidebar
- Find the user in the list
- Click the role dropdown next to their name
- Select the new role
Role changes take effect immediately. If you downgrade someone from Admin to Browser, they lose access to admin features on their next page load.
Removing Users
To remove a user from your Lift account:
- Go to Users in the portal sidebar
- Find the user you want to remove
- Click the Remove button (trash icon)
- Confirm the removal
What Happens When a User Is Removed
- Their access to the Lift portal is revoked immediately
- Their SSO session is terminated, so they can no longer launch OpenBoxes
- Their user account in OpenBoxes is deactivated (not deleted) --- this preserves audit trails and data integrity
- Any data they created in OpenBoxes (purchase orders, shipments, etc.) remains intact
- The user slot is freed up, and you can invite someone new
Removing a user does not delete their historical activity. OpenBoxes maintains a complete record of all actions for accountability.
Bulk Operations
For accounts with many users, the Users page supports:
- Search --- Filter users by name or email
- Sort --- Sort by name, role, or date added
- Export --- Download your user list as CSV
SSO and External Identity Providers
On [Dedicated] and [Enterprise] tiers, you can connect an external identity provider (Okta, Azure AD, Google Workspace, etc.) so users sign in with their existing corporate credentials. When SSO is configured:
- Users do not need a separate Lift password
- New users are provisioned automatically on first login (if auto-provisioning is enabled)
- Deactivating a user in your identity provider also revokes their Lift access
See Single Sign-On for setup instructions.
Best Practices
- Use the Browser role for most users. Only grant Admin or Manager to people who need to manage the account.
- Review users periodically. Remove users who have left the organization or no longer need access.
- Keep at least two Admins. This ensures someone can manage the account if one Admin is unavailable.
- Use SSO on Dedicated and Enterprise. Centralized identity management is more secure and easier to maintain than individual passwords.