Team Management

BlockchainAnalysis.io supports multi-user organizations with role-based access control (RBAC). Team management allows you to invite colleagues, assign granular permissions based on their function, and maintain a complete audit trail of all actions taken on your account.


Organization Structure

Every BlockchainAnalysis.io account belongs to an organization. The organization is the top-level container for all your data — customers, screening results, fund traces, SAR cases, monitoring rules, and billing.

Key concepts:

  • One organization per account — Each organization has its own data, settings, and billing
  • Multiple users per organization — Invite team members and assign roles
  • Shared data — All users within an organization share access to the same screening results, customer records, and reports (subject to role-based permissions)
  • Single billing entity — All usage across the organization is consolidated into one invoice

If your company operates multiple legal entities that require separate compliance programs (e.g., different jurisdictions with different regulatory obligations), you should create separate organizations for each entity. Contact support@blockchainanalysis.io to set up linked multi-organization billing.


RBAC Roles

BlockchainAnalysis.io provides six predefined roles, each designed for a specific organizational function:

Role Definitions

| Role | Description | Intended For |
|---|---|---|
| CLIENT | Standard user with access to core screening and monitoring features | Day-to-day users, customer-facing staff |
| ADMIN | Full administrative access including organization settings, billing, and user management | Company administrators, CTOs, COOs |
| ANALYST | Access to screening tools, fund trace, and SAR case creation (but not SAR approval) | Compliance analysts, junior compliance staff |
| AML_OFFICER | Full compliance access including SAR approval, customer risk decisions, and regulatory reporting | MLROs, senior compliance officers |
| TECH | API key management, webhook configuration, and integration settings | Developers, DevOps engineers |
| BILLING | Billing, invoicing, and subscription management only | Finance team, accountants |

Role Permissions Matrix

The following tables show the detailed permissions for each role:

Screening and Investigation

| Permission | CLIENT | ADMIN | ANALYST | AML_OFFICER | TECH | BILLING |
|---|---|---|---|---|---|---|
| Run wallet screening | Yes | Yes | Yes | Yes | No | No |
| Run name/entity screening | Yes | Yes | Yes | Yes | No | No |
| Run KYT checks | Yes | Yes | Yes | Yes | No | No |
| Initiate fund trace | No | Yes | Yes | Yes | No | No |
| View screening history | Own | All | All | All | No | No |
| Export PDF reports | Yes | Yes | Yes | Yes | No | No |
| Batch screening | No | Yes | Yes | Yes | No | No |

Customer Management (KYC)

| Permission | CLIENT | ADMIN | ANALYST | AML_OFFICER | TECH | BILLING |
|---|---|---|---|---|---|---|
| Create customers | No | Yes | Yes | Yes | No | No |
| View customer records | No | Yes | Yes | Yes | No | No |
| Edit customer records | No | Yes | Yes | Yes | No | No |
| Change customer status | No | No | No | Yes | No | No |
| Approve/reject KYC | No | No | No | Yes | No | No |
| View KYC documents | No | Yes | Yes | Yes | No | No |

SAR/STR Filing

| Permission | CLIENT | ADMIN | ANALYST | AML_OFFICER | TECH | BILLING |
|---|---|---|---|---|---|---|
| View SAR cases | No | Statistics only | Yes | Yes | No | No |
| Create SAR cases | No | No | Yes | Yes | No | No |
| Edit SAR cases | No | No | Own | All | No | No |
| Approve SAR cases | No | No | No | Yes | No | No |
| File SAR cases | No | No | No | Yes | No | No |
| Delete SAR cases | No | No | No | Yes | No | No |

Monitoring and Alerts

| Permission | CLIENT | ADMIN | ANALYST | AML_OFFICER | TECH | BILLING |
|---|---|---|---|---|---|---|
| View monitoring dashboard | Yes | Yes | Yes | Yes | No | No |
| Add addresses to monitoring | Yes | Yes | Yes | Yes | No | No |
| Configure alert rules | No | Yes | No | Yes | No | No |
| Acknowledge alerts | Yes | Yes | Yes | Yes | No | No |
| Dismiss alerts | No | Yes | No | Yes | No | No |

Organization Settings

| Permission | CLIENT | ADMIN | ANALYST | AML_OFFICER | TECH | BILLING |
|---|---|---|---|---|---|---|
| View organization settings | No | Yes | No | No | No | No |
| Edit organization settings | No | Yes | No | No | No | No |
| Manage team members | No | Yes | No | No | No | No |
| View audit logs | No | Yes | No | Yes | No | No |
| Manage API keys | No | Yes | No | No | Yes | No |
| Configure webhooks | No | Yes | No | No | Yes | No |
| Manage billing/subscription | No | Yes | No | No | No | Yes |
| View invoices | No | Yes | No | No | No | Yes |

Roles cannot be customized beyond the predefined permissions. If you need a custom permission set, contact support@blockchainanalysis.io to discuss enterprise RBAC options.


Inviting Team Members

Via Dashboard

Open Team Settings

Navigate to Settings > Team Management.

Click Invite Member

Click the Invite Member button in the top right corner.

Enter Member Details

Fill in the invitation form:

  • Email Address — The invitee's email address (must not already be registered)
  • Role — Select one of the six RBAC roles
  • Name (optional) — The invitee's display name

Send Invitation

Click Send Invite. The invitee receives an email with a link to accept the invitation and create their account.

Invitation Acceptance

The invitee clicks the link, sets their password, and optionally configures two-factor authentication. They are immediately added to the organization with the assigned role.

Via API

POST /api/v1/organization/invitations
{
  "email": "analyst@yourcompany.com",
  "role": "ANALYST",
  "name": "Jane Smith"
}

Invitation Lifecycle

| Status | Description |
|---|---|
| PENDING | Invitation sent, awaiting acceptance |
| ACCEPTED | Invitee has created their account and joined the organization |
| EXPIRED | Invitation expired (7 days) — resend if needed |
| REVOKED | Invitation cancelled by an admin before acceptance |

Pending invitations can be resent or revoked from the Settings > Team Management > Pending Invitations tab.

Invitations expire after 7 days for security reasons. If an invitation expires, the admin can resend it with a single click — no need to re-enter the details.


Managing Seats

Included Seats

Every BlockchainAnalysis.io subscription includes 1 seat (the organization owner). Additional seats can be added for team members.

Additional Seat Pricing

| Item | Price |
|---|---|
| Additional seat | $49/month per seat |
| Annual billing | $39/month per seat (20% discount) |

Seat Management

Seats are managed in Settings > Team Management > Seats:

  • Add seats — Purchase additional seats before inviting new members
  • Remove seats — Remove unused seats to reduce costs (prorated credit applied)
  • View usage — See how many seats are in use vs. available

Removing a team member does not automatically remove their seat. You must separately remove the seat in the billing settings to stop being charged. This allows you to reassign the seat to a different team member without losing access.

What Counts as a Seat

  • Each active user (accepted invitation, not deactivated) occupies one seat
  • Pending invitations do not count against seat limits
  • Deactivated users do not count against seat limits
  • The organization owner always occupies one seat (included free)

Changing Roles

Admins can change a team member's role at any time:

  1. Go to Settings > Team Management
  2. Find the team member in the list
  3. Click the role dropdown and select the new role
  4. Confirm the change

Role changes take effect immediately. The user's current session is updated without requiring them to log out and back in.

Changing a user's role from ANALYST to AML_OFFICER (or vice versa) does not affect their ownership of SAR cases. However, an ANALYST who is downgraded to CLIENT will lose access to SAR cases entirely — any cases assigned to them should be reassigned first.


Removing Team Members

To remove a team member from your organization:

  1. Go to Settings > Team Management
  2. Find the team member in the list
  3. Click Remove and confirm

When a team member is removed:

  • Their access is revoked immediately
  • Their active sessions are terminated
  • Their screening history and actions remain in the audit log (attributed to their name)
  • Any SAR cases assigned to them are flagged for reassignment
  • Monitoring alerts assigned to them are unassigned

Removing a team member is immediate and irreversible. If you want to temporarily disable access without losing their role assignment, use the Deactivate option instead.


Audit Logging

All actions taken by team members are recorded in the audit log. This provides a tamper-proof record of who did what, and when — essential for regulatory compliance and internal governance.

Logged Actions

The audit log captures:

| Action Category | Examples |
|---|---|
| Authentication | Login, logout, failed login attempt, 2FA verification |
| Screening | Wallet screening initiated, name screening run, KYT check performed |
| Investigation | Fund trace initiated, fund trace viewed, PDF report generated |
| Customer Management | Customer created, status changed, KYC initiated, document uploaded |
| SAR Filing | Case created, case submitted, case approved, case filed |
| Monitoring | Address added to monitoring, alert acknowledged, alert dismissed |
| Team Management | Member invited, role changed, member removed, member deactivated |
| Settings | API key created/revoked, webhook configured, alert rules modified |
| Billing | Subscription changed, seats added/removed, invoice downloaded |

Audit Log Access

  • ADMIN — Full access to all audit logs
  • AML_OFFICER — Access to compliance-related audit logs (screening, investigation, SAR, customer management)
  • All other roles — No direct audit log access

Audit Log Retention

Audit logs are retained for 7 years from the date of the event, exceeding the 5-year minimum required by most AML regulations. Logs cannot be modified or deleted by any user, including ADMINs.

Exporting Audit Logs

Export audit logs for external review or archival:

  • CSV export — Full audit log or filtered by date range, user, or action category
  • API access — Programmatic access via GET /api/v1/audit-logs
  • SIEM integration — Forward audit events to your SIEM system via webhook (configure in Settings > Integrations)

Security Recommendations

  1. Enforce two-factor authentication — Enable the organization-wide 2FA requirement in Settings > Security. All team members will be required to set up 2FA on their next login.

  2. Use the principle of least privilege — Assign the most restrictive role that allows each team member to perform their duties. Not everyone needs ADMIN access.

  3. Review access regularly — Conduct quarterly access reviews to ensure that team members still need the access they have, and that departed employees have been removed.

  4. Separate duties — Ensure that your SAR filing workflow involves at least two people (analyst + AML officer) to maintain the four-eyes principle. See SAR/STR Filing for details.

  5. Monitor the audit log — Regularly review the audit log for unusual activity — failed login attempts, screening of unusual addresses, or bulk data exports.

  6. Deactivate before removing — When a team member is leaving the organization, deactivate their account first (preserving their role for potential reactivation), then remove them after confirming all handover tasks are complete.
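
As an added example (not BlockchainAnalysis.io code), the Python below applies recommendations 4 and 5 to an exported audit log: it flags SAR cases created and approved by the same user, which matters because an AML_OFFICER holds both the create and approve permissions in the matrix above, and it flags per-day bursts of failed logins and PDF exports. The CSV column names, action strings, thresholds and sample rows are constructed assumptions; the page does not document the export schema.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names and action strings are assumptions:
# the page lists action categories but not the export schema.
SAMPLE_EXPORT = """\
timestamp,user,action,object_id
2026-03-02T09:00:11Z,ana@example.com,CASE_CREATED,sar-101
2026-03-02T15:40:02Z,omar@example.com,CASE_APPROVED,sar-101
2026-03-03T10:12:45Z,omar@example.com,CASE_CREATED,sar-102
2026-03-03T10:20:09Z,omar@example.com,CASE_APPROVED,sar-102
2026-03-04T02:01:00Z,dev@example.com,LOGIN_FAILED,
2026-03-04T02:01:07Z,dev@example.com,LOGIN_FAILED,
2026-03-04T02:01:15Z,dev@example.com,LOGIN_FAILED,
2026-03-04T11:00:00Z,ana@example.com,PDF_REPORT_GENERATED,rep-1
2026-03-04T11:00:30Z,ana@example.com,PDF_REPORT_GENERATED,rep-2
"""

def review_audit_export(text, failed_limit=3, export_limit=5):
    """Return sorted (finding, user, detail) tuples for an audit-log export."""
    creators = {}          # SAR case id -> user who created it
    per_day = Counter()    # (action, user, YYYY-MM-DD) -> event count
    findings = set()
    for row in csv.DictReader(io.StringIO(text)):
        user, action, obj = row["user"], row["action"], row["object_id"]
        day = row["timestamp"][:10]
        if action == "CASE_CREATED":
            creators[obj] = user
        elif action == "CASE_APPROVED" and creators.get(obj) == user:
            # Same person created and approved: four-eyes principle broken.
            # Cases created before the export window are not seen here.
            findings.add(("FOUR_EYES", user, obj))
        elif action in ("LOGIN_FAILED", "PDF_REPORT_GENERATED"):
            per_day[(action, user, day)] += 1
    for (action, user, day), count in per_day.items():
        limit = failed_limit if action == "LOGIN_FAILED" else export_limit
        if count >= limit:
            name = "FAILED_LOGINS" if action == "LOGIN_FAILED" else "BULK_EXPORT"
            findings.add((name, user, f"{count} on {day}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_audit_export(SAMPLE_EXPORT):
        print(finding)
```

Export a window long enough to contain both the creation and the approval of each case, otherwise a same-user approval goes unflagged.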


API Reference

List Team Members

GET /api/v1/organization/members

Invite Team Member

POST /api/v1/organization/invitations

Change Member Role

PATCH /api/v1/organization/members/{member_id}
{
  "role": "AML_OFFICER"
}

Remove Team Member

DELETE /api/v1/organization/members/{member_id}

List Audit Logs

GET /api/v1/audit-logs?from=2026-01-01&to=2026-03-31&user_id=usr_abc123&action=SCREENING

Get Seat Usage

GET /api/v1/organization/seats

For full API documentation, see the API Reference.

BlockchainAnalysis.io — Digital Asset Compliance Platform