April 12, 2026 | 5 min read
This article explains how to manage back-office users, roles, permissions, and security controls in Eventact. It is intended for Company Admins and Security Admins responsible for access governance.
To add a new Back-Office User (Manager), navigate to Settings → Security → Managers and click Add Manager.
Each Manager profile requires:
Tip: Select the Send login details by email checkbox to automatically deliver credentials to the new Manager immediately after saving.
Roles determine what a Manager can do, while Event/Module permissions determine where they can do it. Managers can hold multiple roles simultaneously.
| Role | Description |
|---|---|
| Company Admin | Full access to all company settings and all events. |
| Security Admin | Responsible for Manager lifecycle, unlocking accounts, and monitoring security alerts. |
| Director | Oversight role; receives daily summary emails from the Eventact Agent regarding company activity. |
| Projects Admin | Manages high-level event settings and configurations. |
| Operator | Day-to-day operational access (registrations, attendees). |
| Bookkeeper | Access restricted to financial data and accounting. |
Eventact is designed for organizers managing multiple customers simultaneously. The following controls ensure strict data isolation between events, in accordance with the Principle of Least Privilege.
A Manager's access can be limited to specific events and specific modules (e.g., Registration, Abstracts, Website, or Meetings). This ensures that staff or customers can access only the data necessary for their specific role, preventing unauthorized access to other projects.
Users who require data visibility but not management tools should use the dedicated external reporting app. This keeps customers and contractors entirely separate from the primary back-office environment.
Managers must verify their identity through a second factor after entering their password. Eventact supports Email, SMS, and Authenticator Apps.
While Email and SMS are available, they rely on external networks and can be delayed by roaming issues or weak signals in convention centers. Authenticator Apps (e.g., Google/Microsoft Authenticator or iPhone Passwords) are the recommended best practice because they:
Setup: Managers enable this via User Menu → My Account → Set up Authenticator App.
Security Admins receive automatic email notifications for suspicious activity. These include alerts for repeated login failures, allowing for immediate awareness of potential unauthorized access attempts.
Security Admins can review activity via Settings → Security → Login History. This log is synchronized to your company's timezone and tracks:
| Field | Details |
|---|---|
| Manager & Time | Exactly who logged in and when. |
| Technical Details | IP address, Country, and Device type (OS/Browser). |
| Result | The specific reason for any failure (e.g., wrong password, account locked). |
To prevent brute-force attacks, after repeated failed attempts from the same IP address, that address is temporarily blocked. Security Admins can manually unblock IPs.
For a live-event scenario where you need to act fast: Navigate to Settings → Security → Blocked IPs, find the address, and click Unblock.
The system automatically disables access for inactive Managers, reducing the risk of unauthorized access through abandoned accounts.
| Action | Who Can Perform It |
|---|---|
| Add/Edit Managers | Security Admin or Company Admin |
| Delete a Manager | Security Admin |
| Unlock a Locked Account | Security Admin or Company Admin |
| Unblock a Restricted IP | Security Admin |
| Review Login History | Security Admin or Company Admin |
| Receive Daily Agent Summaries | Director |
| Assign Event/Module Permissions | Company Admin |
Proper role assignment, authentication policies, and monitoring tools allow organizations to securely scale event operations while maintaining full auditability and data separation.