Managing organization users
Access to organizations is managed by granting users roles. The following roles exist: superuser, project-admin, billing-admin and member.
Role: | superuser | project-admin | billing-admin | member |
---|---|---|---|---|
View organization users | ✅ | ✅ | ✅ | ✅ |
Manage organization users | ✅ | ❌ | ❌ | ❌ |
Create projects | ✅ | ✅ | ❌ | ❌ |
View projects | ✅ | ❌ | ❌ | ❌ |
Manage project users | ✅ | ❌ | ❌ | ❌ |
Delete projects | ✅ | ❌ | ❌ | ❌ |
All other project/service operations | ❌ | ❌ | ❌ | ❌ |
View organization billing data | ❌ | ❌ | ✅ | ❌ |
Note that project operations can be accessed by granting project roles. An organization superuser has access to a subset of these permissions, including the ability to grant anyone (including themselves) roles on the project. When a user creates a project, they are automatically granted admin access to that project.
The purpose of the member role is to allow admins of the organization’s projects to add users directly to their projects without needing to invite them to the project.
Listing role bindings
You can list the role bindings in an organization by running kalix organization users list-bindings:
$ kalix organization users list-bindings --organization <organization name>
ROLE BINDING ID                        ROLE        USERNAME       EMAIL                      NAME
fd21044c-b973-4220-8f65-0f7d317bb23b   superuser   jane.citizen   jane.citizen@example.com   Jane Citizen
120b75b6-6b53-4ebb-b23b-2272be974966   member      john.smith     john.smith@example.com     John Smith
This shows a list of all the role bindings in the organization.
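Because superuser is the only role that can manage organization users and grant anyone roles on a project, the list-bindings output is worth checking against an approved list at regular intervals. The script below is an added example, not part of the Kalix CLI or its documentation; the function names, the allowlist file format and the third sample row are assumptions, and it parses the text layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Kalix documentation or CLI.
# Assumes the five-column text layout shown in the listing above: the first
# four columns contain no spaces, NAME may.

# audit_superusers APPROVED_FILE   (reads list-bindings output on stdin)
# APPROVED_FILE: one approved superuser email per line, '#' starts a comment.
# Prints "UNAPPROVED <binding id> <username> <email>" for every superuser
# binding whose email is not approved, and "UNKNOWN_ROLE <binding id> <role>"
# for roles outside the four documented ones.
# Returns 0 when nothing is flagged, 1 when something is, 2 on a bad argument.
audit_superusers() {
    approved_file=$1
    [ -r "$approved_file" ] || { echo "cannot read allowlist" >&2; return 2; }
    awk -v approved="$approved_file" '
        BEGIN {
            while ((getline line < approved) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
            split("superuser project-admin billing-admin member", r, " ")
            for (i in r) known[r[i]] = 1
        }
        $1 == "ROLE" && $2 == "BINDING" { next }   # header row
        NF < 4 { next }                            # blank or truncated line
        !($2 in known) { print "UNKNOWN_ROLE", $1, $2; bad = 1; next }
        $2 == "superuser" && !(tolower($4) in ok) {
            print "UNAPPROVED", $1, $3, $4; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the first two rows come from the listing above, the
# third row (mallory.doe) is invented for the example.
sample_bindings() {
    cat <<'EOF'
ROLE BINDING ID ROLE USERNAME EMAIL NAME
fd21044c-b973-4220-8f65-0f7d317bb23b superuser jane.citizen jane.citizen@example.com Jane Citizen
120b75b6-6b53-4ebb-b23b-2272be974966 member john.smith john.smith@example.com John Smith
00000000-0000-4000-8000-000000000001 superuser mallory.doe mallory.doe@example.com Mallory Doe
EOF
}

# Usage against a real organization:
#   kalix organization users list-bindings --organization <organization name> \
#       | audit_superusers approved-superusers.txt
```

A non-zero exit status makes the function usable as a scheduled check that alerts when a new superuser binding appears.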
Granting a role
There are two ways to grant a role to a user. The first is to invite them to join the organization using their email address.
To send an invitation, use the kalix organizations invitations create command:
kalix organizations invitations create --organization <organization name> \
--email <email address> --role <role>
The user will then receive an email inviting them to join the organization. If they accept the invitation, a role binding will be created for them with the specified role.
If the user is already a member of the organization and you want to grant them additional roles, you can add the roles directly, without sending an invitation that they must accept. Do this by passing either their username or their email address to the kalix organization users add-binding command.
To add a role to a user by email address:
kalix organization users add-binding --organization <organization name> \
--email <email address> --role <role>
To add a role to a user by username:
kalix organizations users add-binding --organization <organization name> \
--username <username> --role <role>
Deleting a role binding
A role binding can be deleted by referencing its role binding ID. The role binding ID can be obtained by listing organization users. Once you have the role binding ID, you can delete the role binding using kalix organizations users delete-binding:
kalix organizations users delete-binding --organization <organization name> \
--id <role binding id>
Managing invitations
You can view a list of outstanding invitations by running kalix organizations invitations list:
$ kalix organizations invitations list --organization <organization name>
EMAIL ROLE
jane.citizen@example.com member
Invitations will automatically expire after 7 days. You can manually cancel an invitation by running kalix organizations invitations cancel:
kalix organizations invitations cancel --organization <organization name> \
--email <email address>
If you wish to resend an invitation, this can be done by first cancelling the invitation, and then inviting the user again.