## Recommended model

Use one organization per operational entity with clear separation between technical, fiscal, and support responsibilities.

## Step-by-step

<Steps>
  <Step title="1) Create baseline structure">Define organization, owner, and operating context (`test` first, then `live`).</Step>
  <Step title="2) Configure team">Invite members by role and enforce least-privilege access.</Step>
  <Step title="3) Validate critical access">Confirm who can perform sensitive actions (billing, fiscal, webhooks, team management).</Step>
</Steps>

## Minimum permission matrix

| Role | Recommended access |
| --- | --- |
| Owner | full management and critical approvals |
| Admin | daily operation, fiscal/billing work, and operational investigation without ownership transfer |

Functional teams such as finance or support should be mapped to the real `Owner` or `Admin` memberships based on actual operational need.

## Security checklist

1. Review active members and remove obsolete access.
2. Enforce 2FA for profiles with critical privileges.
3. Log role changes with auditable justification.

<Tip title="Good practice">Schedule monthly access reviews to keep segregation of duties consistent.</Tip>
