Teams and Access Control

Teams are the access layer for content operations in Medusa. A team groups users and content intakes together: each content intake has its own Farfalla API key (linked to a specific tenant), and a team can include multiple content intakes. All content imported by any member through any of the team's content intakes is visible and manageable by the entire team.

How teams work

Publica.la Admin (Nova)
    |
    └── Creates Team
            |
            ├── Creates Content Intakes (each with tenant domain + API key)
            |
            └── Invites Users (email with token link)
                    |
                    ├── User A uploads content ──► visible to all team members
                    ├── User B uploads content ──► visible to all team members
                    └── User C (different team) ──► cannot see any of the above

A team groups N users and M content intakes. Each content intake is linked to a single tenant via its API key. All operations (imports, file replacements, product browsing) are scoped to the team level.

User roles

Role	What they can do
Admin	Full access to all team features. Can invite new members via email. Manages team settings.
Team Member	Upload files, launch imports, replace content files, browse products and history. Cannot invite users.
Viewer	Read-only access. Can browse import history and products but cannot upload or modify anything.

Onboarding a new team

This is the setup flow a Publica.la admin follows in Nova:

1. Create the Team: Give it a name. The team is the central resource from which everything else is managed
2. Create Content Intakes from the Team: From the team's actions, create one or more content intakes. Set the type (import for spreadsheet uploads, onix for ONIX XML), assign the tenant domain, and provide the Farfalla v3 API key
3. Invite users from the Team: From the team's actions, add members by email. Each receives an invitation link with a one-time token
4. Users accept and log in: After accepting the invitation, users access the Content Import Panel at the Medusa dashboard URL

Content visibility rules

• All content imported by any team member is visible to every member of that team
• Any team member can edit or replace content uploaded by another member
• Users from different teams have no visibility into each other's content, even if both teams belong to the same tenant
• Publica.la admins can view all teams and their content via Nova, and can impersonate any user for debugging

Admin management (Nova)

Publica.la administrators manage the following resources in Medusa's Nova panel:

Resource	What admins do
Content Intakes	Create and configure intake sources. Each has a type, linked tenant, and API key. The S3 bucket is auto-provisioned from the intake slug.
Teams	Create teams, assign API keys, add or remove members, view team activity
Users	View user details, manage team assignments, impersonate users for support

Related documentation

• Content Import Panel: The dashboard where team members upload and manage content
• ONIX Intake Overview: Automated ONIX processing (uses the same Content Intake model but different type)
• Setting Up a New ONIX Intake: Step-by-step Nova setup for ONIX intakes