diff --git a/Crewing-Data-Model.md b/Crewing-Data-Model.md index 1aa1fe7..38fb076 100644 --- a/Crewing-Data-Model.md +++ b/Crewing-Data-Model.md @@ -94,6 +94,15 @@ Ranks carry a `category` (e.g. `OPERATIONAL` vs `SUPPORT`) and an `isSeafarer` flag (drives which document set applies). `Driver` additionally requires a driving licence (`RankDocRequirement`). +> **Login boundary — the rank tree is an org chart, not a login hierarchy.** Only +> **PM**, **Assistant PM** and **Site In-charge** map to a portal login (the +> `SITE_STAFF` role). **Every other rank** in this tree (Dredger in-charge → +> … → Mess Boy, plus support staff) is a **crew member / data subject with no +> login** — site staff record their leave, attendance, PPE and documents *on their +> behalf*. A `Rank` therefore has a flag such as `grantsLogin` (true only for the +> three management ranks); a `CrewMember` becomes a `User` only when its rank +> grants a login. + ## 3. Entity-relationship diagram ```mermaid diff --git a/Crewing-Design-Document.md b/Crewing-Design-Document.md index 5c2e8da..f87d16d 100644 --- a/Crewing-Design-Document.md +++ b/Crewing-Design-Document.md 
@@ -33,16 +33,19 @@ we don't issue). | Actor | Real-world role | Maps to PPMS role | |---|---|---| -| **Site staff** | PM / Assistant PM / Site In-charge on the dredger | new `SITE_STAFF` role (proposed) | +| **Site staff** | **PM / Assistant PM / Site In-charge** on the dredger — **the only on-site logins** | new `SITE_STAFF` role (proposed) | | **MPO** | Manning / Personnel Officer in the office | existing `MANNING` role | | **Accounts** | Finance team | existing `ACCOUNTS` role | | **Manager** | Department / crewing manager | existing `MANAGER` role | | **Candidate** | External applicant (ex-hand or new) | unauthenticated public form | -| **Crew member** | Onboarded employee | data subject; not necessarily a portal login in v1 | +| **Crew member** | Onboarded employee — **every on-vessel rank below Site In-charge** | data subject; **no portal login** in v1 (managed by site staff) | | Admin / Superuser / Auditor | as in PO module | existing roles | See the on-vessel **rank hierarchy** (PM → … → Mess Boy) in -[Data Model § Rank](Crewing-Data-Model#rank-the-org-hierarchy). +[Data Model § Rank](Crewing-Data-Model#rank-the-org-hierarchy). That hierarchy is +an **org chart, not a login hierarchy**: only the top three ranks (PM, Assistant +PM, Site In-charge) hold a `SITE_STAFF` login; everyone below is a crew member +without an account. ## 3. Domain narrative 
@@ -151,8 +154,11 @@ Manager**, and **sent to Accounts** for disbursement. 1. PM/APM/Site In-charge get a dedicated `SITE_STAFF` role rather than reusing `TECHNICAL`. (Confirm in review — see Open Questions.) -2. Crew members are **data subjects**, not portal logins, in v1. A future phase - may give crew a self-service login. +2. **Only PM / Assistant PM / Site In-charge hold a site login** (the single + `SITE_STAFF` role). All other on-vessel ranks are **crew members / data + subjects with no login** — site staff enter and generate everything (leave, + attendance, PPE, documents, wage slips) *for them*. A future phase may give + crew a self-service login. 3. **EPFO** UAN/Aadhaar verification is a manual/assisted step in v1 (record the result); a programmatic check can follow the GstService precedent. 4. "Victualing" is a per-day messing allowance, configurable per rank/vessel. @@ -166,7 +172,7 @@ Manager**, and **sent to Accounts** for disbursement. | # | Question | |---|---| | Q1 | New role `SITE_STAFF`, or extend `TECHNICAL`/`MANNING`? | -| A1 | New role `SITE_STAFF_*` for the site heirarchy, MPO is "MANNING" | +| A1 | A single new `SITE_STAFF` role, held **only by PM / APM / Site In-charge** (the only on-site logins); the rest of the rank hierarchy are crew members with no login. MPO is `MANNING`. | | Q2 | Does the candidate self-apply form live inside the portal (public route) or on the marketing site posting to an API? | | A2 | Lives at the static site pelagiamarine.com | | Q3 | EPFO verification — assisted-manual now, or build an EPFO proxy microservice like GstService? | diff --git a/Crewing-Roles-and-Permissions.md b/Crewing-Roles-and-Permissions.md index 4c183eb..1624f0a 100644 --- a/Crewing-Roles-and-Permissions.md +++ b/Crewing-Roles-and-Permissions.md 
@@ -9,7 +9,7 @@ relevant state machine adds the status+role gate on top. | Crewing actor | PPMS role | Notes | |---|---|---| -| PM / APM / Site In-charge | **`SITE_STAFF`** (new, proposed) | apply-only leave **(on behalf of crew)**, attendance, PPE issue, doc upload, view-only contract (except salary) & bank | +| PM / APM / Site In-charge **(the only on-site logins)** | **`SITE_STAFF`** (new, proposed) | apply-only leave **(on behalf of crew)**, attendance, PPE issue, doc upload, view-only contract (except salary) & bank | | MPO | **`MANNING`** (existing — "crew-management staff") | recruitment + verifies all site data except bank/EPF; **no attendance access** | | Accounts | **`ACCOUNTS`** | verifies bank + EPF; consumes wage report | | Manager | **`MANAGER`** | approves salary structures, candidate list, appraisals, wage reports; **reviews attendance** | @@ -22,6 +22,14 @@ relevant state machine adds the status+role gate on top. > `TECHNICAL` could host site staff, but its PO semantics ("deck/engine crew") > differ from PM/APM managerial duties — hence the new role. +> **Only PM, Assistant PM and Site In-charge get a login** (a single `SITE_STAFF` +> role). **No other on-vessel rank** — Dredger in-charge, dredge/engine operators, +> deck hands, support staff, down to Mess Boy — has a portal account; they are +> crew members / data subjects whose leave, attendance, PPE and documents are +> entered *for them* by site staff. The on-vessel rank tree in +> [Data Model § Rank](Crewing-Data-Model#rank-the-org-hierarchy) is an **org +> chart, not a list of users**. + ## 2. Permission → role matrix ✓ = granted. (`SITE` = SITE_STAFF, `MAN` = MANNING/MPO, `ACC` = ACCOUNTS, diff --git a/Crewing-Use-Cases.md b/Crewing-Use-Cases.md index e5b0ef2..4d2fdaf 100644 --- a/Crewing-Use-Cases.md +++ b/Crewing-Use-Cases.md 
@@ -64,6 +64,10 @@ flowchart LR ADM --- U25 ``` +> **Site staff = PM / APM / Site In-charge only** — the sole on-site logins. Every +> other on-vessel rank is a crew member / data subject with **no account**; site +> staff act on their behalf. Crew members are not actors here. + ## 2. Use-case catalogue | ID | Use case | Primary actor | Pre-condition | Main success outcome |
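Review bot: In the Crewing-Data-Model.md hunk (@@ -94,6 +94,15 @@), "a flag such as `grantsLogin`" leaves the field name undecided in the document that is meant to define it, and "a `CrewMember` becomes a `User` only when its rank grants a login" covers provisioning only. Commit to the field name and add it to the `Rank` entity in § 3 if it is not already there. Also state what happens to an existing `User` when the crew member's rank changes to one where the flag is false (account disabled, role removed), and whether `SITE_STAFF` is granted automatically from the rank or assigned by an admin once the rank is set.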
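Review bot: In the Crewing-Design-Document.md actors table (@@ -33,16 +33,19 @@), the Crew member row scopes the rule to v1 ("**no portal login** in v1"), but the paragraph added under the table says "everyone below is a crew member without an account" with no such qualifier. Carry the v1 qualifier into the paragraph, or drop it from the row, so the two added statements in this hunk do not read as different commitments once a self-service login is considered.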
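Review bot: In Crewing-Design-Document.md assumption 2 (@@ -151,8 +154,11 @@), "site staff enter and generate everything (leave, attendance, PPE, documents, wage slips)" is broader than what the `SITE_STAFF` row in Crewing-Roles-and-Permissions.md grants: "apply-only leave", "view-only contract (except salary) & bank". A role that cannot view salary generating wage slips needs either a correction here or an explicit permission there. Replace "everything" with the actual list of actions and point to the permission matrix as the authority. The unchanged assumption 1 in the same hunk still says "(Confirm in review — see Open Questions.)" although A1 now answers Q1, so that parenthetical should be removed.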
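Review bot: In the Open Questions table of Crewing-Design-Document.md (@@ -166,7 +172,7 @@), A1 changes from per-rank roles (`SITE_STAFF_*`) to "a single new `SITE_STAFF` role" without recording why. With one role, PM, Assistant PM and Site In-charge get identical permissions, so no action can be restricted to the PM alone. If that is intended, say so in A1. If any action should differ by rank, note how it will be expressed (for example a rank check on top of the role).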
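Review bot: In the note added to Crewing-Roles-and-Permissions.md (@@ -22,6 +22,14 @@), records "entered *for them* by site staff" have no stated attribution or review path. Because the crew member has no account, they cannot see or contest what was entered in their name. Add a sentence requiring each on-behalf entry (leave, attendance, PPE, documents) to store both the acting `SITE_STAFF` user and the subject crew member, and say which role reviews those entries. The table above already gives Manager "reviews attendance"; the other three record types have no reviewer named in these lines.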
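Review bot: In Crewing-Use-Cases.md (@@ -64,6 +64,10 @@), this is the fourth file in the patch to restate the login boundary in full, and the copies already differ: this one lists no record types, the Data Model lists "leave, attendance, PPE and documents", and the Design Document adds "wage slips". Keep one normative statement (the Roles-and-Permissions note is the natural home) and have the other files link to it in a single sentence, so a later change to the boundary is made in one place.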