Skip to main content

Inviting users

1

Go to Settings → Team

You need the admin role to see this section.
2

Click Invite user

Enter email, select role, and optionally require 2FA at first sign-in.
3

Send

User receives an email with a one-time invite link (7-day expiry). They set a password, enable 2FA, and land in the onboarding wizard.
You can bulk-invite from a CSV: Settings → Team → Bulk invite. Columns: email,first_name,last_name,role.

Assigning roles

RoleCan doCannot do
userUpload, review, appeal, track — for claims in their assigned queueSee other users’ queues without assignment; change practice settings
analystView dashboards and run reports on aggregated dataView individual PHI-bearing records
supportRead-only access to assigned customer orgModify any data; export PHI
adminEverything user can do, plus team management, settings, audit logsDelete the practice
Billing adminPlus billing/subscription management
To change a role: Settings → Team → [user] → Edit role. The change is audit-logged.

Managing access

Click Suspend. User can’t sign in; their historical actions remain audit-logged. Useful during investigations.
If a user loses their 2FA device, an admin can force a reset. The user must re-enroll on next sign-in. This is audit-logged.
Settings → Team → [user] → End all sessions kills every active session for that user. Use after suspicion of compromise.
Assign which denial queues (by payer, by provider, by denial type) each user sees by default.

Offboarding

Offboarding a user the wrong way leaves PHI access around longer than HIPAA allows. Follow the checklist below.
1

Reassign work

Move their open denials, appeals, and follow-ups to another teammate.
2

Revoke access

Settings → Team → [user] → Remove. Active sessions terminated immediately; account marked deleted.
3

Audit trail retained

Their historical actions remain attributed in the audit log per HIPAA retention requirements (7 years), but the account itself is disabled.
4

Confirmation

Denialbase emails you a confirmation that all access has been revoked. Keep this for your HIPAA records.

SSO and SCIM

  • SAML 2.0 SSO — supported for Okta, Azure AD, Google Workspace, any SAML IdP. See SSO / SAML.
  • SCIM provisioning — planned for Q3 2026. Until then, use bulk invite + CSV for large teams.

Delegated signing (for appeals)

Practice admins can grant specific staff the authority to sign appeals on behalf of a provider:
  • Settings → Team → Signing delegations → Add
  • Specify the delegator (provider), the delegate (staff member), and the time-scope.
  • Every delegated signature is audit-logged with both identities.
See Filing appeals for the appeal-signing flow.