# User onboarding
Source: https://docs.settlemint.com/docs/operators/user-management/user-onboarding
Understand how invited users, admin-created users, administrators, and investors complete DALP onboarding.
DALP onboarding connects a platform account to the wallet, ONCHAINID, organization, and verification state the user needs for regulated asset activity. The path depends on how the account was created and whether the user only holds assets or also administers the platform.
## Choose the right onboarding path [#choose-the-right-onboarding-path]
| User type | How the account starts | What the user completes | Best next page |
| ------------------------ | --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
| Invited user | An administrator sends an invitation. | Password setup, invitation acceptance, wallet setup, ONCHAINID creation, and profile or KYC details. | [Invite users](/docs/operators/user-management/invite-users) |
| Admin-created user | An administrator creates the account directly. | Password reset before first login. The account already has an automatically generated wallet and on-chain identity. | [Create users](/docs/operators/user-management/create-users) |
| First administrator | The first operator starts a new platform instance. | Wallet, identity, system deployment, asset factories, and add-ons when needed. | [First administrator setup](/docs/operators/platform-setup/first-admin-setup) |
| Investor or asset holder | The user joins without system access-control roles. | Identity progress, profile details, and KYC checks required by the operating model. | [Verify KYC](/docs/operators/compliance/verify-kyc) |
The first administrator follows the platform setup flow because that user can deploy the system and configure asset
factories before other users join.
## Invited user onboarding [#invited-user-onboarding]
Invited users control their own password, wallet, ONCHAINID creation, and profile or KYC details. Wallet verification and recovery-code checks can happen later when the user starts a protected wallet action.
### Receive the invitation [#receive-the-invitation]
The user receives an invitation by email or direct sharing. The invitation identifies the organization the user is joining.
### Create the account [#create-the-account]
The user opens the invitation link, enters the invited email address, and chooses a password.
### Accept the organization invitation [#accept-the-organization-invitation]
The user reviews the organization and accepts the invitation before continuing.
### Create the wallet [#create-the-wallet]
The platform creates a blockchain wallet for the user and shows the wallet address.
### Create the ONCHAINID [#create-the-onchainid]
DALP creates or attaches the ONCHAINID during the invitation workflow and links the identity contract to the user's wallet so trusted issuers can add verifications.
### Complete profile or KYC details [#complete-profile-or-kyc-details]
The user can add profile and KYC details during onboarding or complete them later, depending on the operating model.
## Admin-created user onboarding [#admin-created-user-onboarding]
Admin-created users do not go through the invitation wizard. The administrator creates the user account, wallet, and on-chain identity before the user logs in.
### Reset the initial password [#reset-the-initial-password]
The user opens the platform login page and uses **Forgot password** for the email address the administrator created. The reset email lets the user choose a password before first login.
### Review account security [#review-account-security]
After login, the user should review account security settings and store any recovery information provided by the operator. Admin-created accounts are useful for demos, testing, and passive holders because the wallet and identity already exist.
Direct user creation is faster, but the administrator initiates wallet and identity setup. Use invitations when the
user should control the setup process from the start.
## Post-onboarding access [#post-onboarding-access]
DALP routes users after onboarding based on platform permissions and identity status.
### Administrative users [#administrative-users]
Users with platform roles see the administration dashboard and the pages their roles allow. If the user's identity is registered and the wallet holds assets, the home page can also show portfolio context before the administration tiles.
Grant administrative roles only when the user operates the platform, manages participants, configures compliance, deploys assets, or performs another privileged task.
Administrative users usually need these checks before work starts:
* The user joined the organization.
* The wallet and identity exist.
* The operator assigned the required platform role.
* The user can access the administration page needed for the task.
See [Add administrators](/docs/operators/platform-setup/add-admins) for role assignment.
### Investors and asset holders [#investors-and-asset-holders]
Investors use the investor-facing portal without platform administrator roles. Invite or create the user as a member. Leave the account without system access-control roles unless the same person also operates the platform.
DALP shows the investor experience when an account has no administrator role. The home page shows identity progress until identity registration finishes. After registration, the home page shows portfolio cards, allocation charts, performance charts, and next steps.
Investors usually need these checks before receiving restricted assets:
* The user joined the organization.
* The wallet and identity exist.
* The profile and verification steps required by the operating model are complete.
* The trusted-issuer claims required by the asset rules exist on the identity.
See [Verify KYC](/docs/operators/compliance/verify-kyc) for verification.
## Wallet binding after onboarding [#wallet-binding-after-onboarding]
After onboarding, the wallet address is bound to the on-chain identity used for regulated asset activity. The identity registry records the wallet-to-identity relationship. Restricted asset flows rely on that registered identity and its trusted-issuer claims before allowing the holder to receive or move assets.
A user cannot replace the registered wallet address through a normal profile edit. If a wallet is lost or compromised, an Identity manager uses the identity recovery workflow. Recovery previews the selected user, wallet, current identity status, and token balances for the wallet being reviewed.
Execution creates a replacement wallet path, links the replacement identity path, and marks registered lost wallets through the recovery flow. The workflow also resets active sessions and wallet verification methods. When a personal EOA has a paired smart wallet, execution can recover balances from both wallets. Review the user's EOA and personal smart-wallet holdings before approval.
Recovery does not migrate KYC, accreditation, sanctions, AML, or other trusted-issuer claims from the old identity. If
your operating model requires dual approval, a cooling-off period, or sanctions and AML screening before a wallet
change takes effect, enforce those controls in your internal approval and compliance-provider workflow before issuing
fresh claims on the recovered identity.
Use [Recover a user's identity](/docs/operators/user-management/recover-user-identity) when wallet access cannot be restored. Use [Verify KYC](/docs/operators/compliance/verify-kyc) to issue the claims that let the recovered identity resume regulated activity.
## Troubleshooting [#troubleshooting]
| Issue | What to check |
| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| The invitation is invalid or expired. | Ask an administrator to send a fresh invitation and confirm the email address matches the account used to sign up. |
| The email address already exists. | Check whether the user already has an account or previous invitation. Use password reset when the account exists. |
| The user cannot create an ONCHAINID. | Confirm wallet setup is complete, system contracts are deployed, and the network has enough gas for the transaction. |
| The user has not set wallet verification. | Ask the user to open account security or retry the protected wallet action. DALP can prompt for wallet verification and recovery-code setup when signing is required. |
| The investor cannot receive a restricted asset. | Confirm the identity is registered and has the trusted-issuer claims required by the asset rules. |
## Related guides [#related-guides]
* [Invite users](/docs/operators/user-management/invite-users) for invitation-based onboarding.
* [Create users](/docs/operators/user-management/create-users) for direct account creation.
* [Register user](/docs/operators/user-management/register-user) for identity registry registration after onboarding.
* [Provide KYC data](/docs/operators/user-management/provide-kyc-data) for profile and KYC information.
* [Recover a user's identity](/docs/operators/user-management/recover-user-identity) for lost or compromised wallet access.
* [First administrator setup](/docs/operators/platform-setup/first-admin-setup) for platform initialization.
* [Add administrators](/docs/operators/platform-setup/add-admins) for role assignment.