# User (single)

A user is owned by exactly one client. The `client` relationship is
about ownership only and does not grant the user any access — read
access to specific reporting entities is set via
`readAccessToReportingEntities` and surfaced in MyAleta.

## Endpoints

GET /v2/users/:id
  Fetch one user.

PATCH /v2/users/:id
  Update mutable attributes (`firstName`, `lastName`, `contactEmail`)
  and the `readAccessToReportingEntities` relationship.

DELETE /v2/users/:id
  Delete the user account.

GET /v2/users/:id/invites
POST /v2/users/:id/invites
  Manage invite links — see `aleta api --spec /v2/users/:id/invites`.

POST /v2/users/:id/invites/:inviteId/cancellation
  Cancel an outstanding invite.

## Path params

  id (required) — User identifier (UUID, not Mongo ObjectID).

## Attributes (`type: user`)

  firstName    (string) — First name.
  lastName     (string) — Last name.
  contactEmail (string) — Contact email address.

## Relationships

  client                          (required) — Client that owns the user.
  readAccessToReportingEntities   (optional) — Reporting entities the user can view.