Managing organization users

Access to organizations is managed by granting users roles. The following roles exist: superuser, project-admin, billing-admin and member.

Role: superuser project-admin billing-admin member

View organization users

Manage organization users

Create projects

View projects

Manage project users

Delete projects

All other project/service operations

View organization billing data

Note that project operations can be accessed by granting project roles. An organization superuser has access to a subset of these permissions, including the ability to grant anyone (including themselves) roles on the project. When a user creates a project, they are automatically granted admin access to that project.

The purpose of the member role is to allow admins of the organization’s projects to add users directly to their projects without needing to invite them to the project.

Listing role bindings

You can list the role bindings in an organization by running kalix organization users list-bindings:

$ kalix organization users list-bindings --organization <organization name>
ROLE BINDING ID                        ROLE        USERNAME       EMAIL                      NAME
fd21044c-b973-4220-8f65-0f7d317bb23b   superuser   jane.citizen   jane.citizen@example.com   Jane Citizen
120b75b6-6b53-4ebb-b23b-2272be974966   member      john.smith     john.smith@example.com     John Smith

This shows a list of all the role bindings in the organization.

Granting a role

There are two ways to grant a role to a user. The first is to invite them to join the organization using their email address.

To send an invitation, use the kalix organizations invitations create command:

kalix organizations invitations create --organization <organization name> \
  --email <email address> --role <role>

The user will then receive an email inviting them to join the organization. If they accept the invitation, a role binding will be created for them with the specified role.

If the user is already a member of the organization and you want to grant them additional roles, you can add the roles directly, without sending an invitation that they would have to accept. Do this by passing either their username or their email address to the kalix organization users add-binding command.

To add a role to a user by email address:

kalix organization users add-binding --organization <organization name> \
  --email <email address> --role <role>

To add a role to a user by username:

kalix organizations users add-binding --organization <organization name> \
  --username <username> --role <role>

Deleting a role binding

A role binding can be deleted by referencing its role binding ID. The role binding ID can be obtained by listing organization users. Once you have the role binding ID, you can delete the role binding using kalix organizations users delete-binding:

kalix organizations users delete-binding --organization <organization name> \
  --id <role binding id>
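
Because an organization superuser can grant anyone roles on projects, it is worth reviewing the role bindings regularly. The script below is an added example, not part of the Kalix documentation or CLI: it parses list-bindings output, assuming the column layout of the sample output on this page, and reports bindings by role and by email domain. The function names, the example.net row and the example.com domain policy are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `kalix organization users list-bindings` output.
# Assumed column layout (taken from the sample output on this page):
#   <role binding id> <role> <username> <email> <name...>

# Constructed sample input: the two rows shown on this page plus one
# made-up external account, so the script runs offline.
sample_bindings() {
cat <<'EOF'
ROLE BINDING ID                        ROLE        USERNAME       EMAIL                      NAME
fd21044c-b973-4220-8f65-0f7d317bb23b   superuser   jane.citizen   jane.citizen@example.com   Jane Citizen
120b75b6-6b53-4ebb-b23b-2272be974966   member      john.smith     john.smith@example.com     John Smith
00000000-0000-4000-8000-000000000001   superuser   temp.vendor    temp.vendor@example.net    Temp Vendor
EOF
}

# Print "<id> <email>" for every binding holding the given role.
# Reads list-bindings output on stdin; skips the header and short lines.
bindings_with_role() {
  awk -v role="$1" 'NR > 1 && NF >= 4 && $2 == role { print $1, $4 }'
}

# Print "<id> <role> <email>" for bindings whose email is outside the
# expected domain (case-insensitive match on the part after "@").
bindings_outside_domain() {
  awk -v dom="$1" 'NR > 1 && NF >= 4 {
    n = split($4, parts, "@")
    if (n != 2 || tolower(parts[2]) != tolower(dom)) print $1, $2, $4
  }'
}

# Succeed only when the number of superuser bindings on stdin is at
# most the allowed maximum given as $1.
check_superuser_limit() {
  count=$(bindings_with_role superuser | awk 'END { print NR }')
  [ "$count" -le "$1" ]
}

# Demo run over the constructed sample.
echo "superusers:"; sample_bindings | bindings_with_role superuser
echo "outside example.com:"; sample_bindings | bindings_outside_domain example.com
```

To audit a real organization, pipe the output of the list-bindings command into these functions instead of sample_bindings. The IDs they print are the role binding IDs that delete-binding takes.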

Managing invitations

You can view a list of outstanding invitations by running kalix organizations invitations list:

$ kalix organizations invitations list --organization <organization name>
EMAIL                      ROLE
jane.citizen@example.com   member

Invitations will automatically expire after 7 days. You can manually cancel an invitation by running kalix organizations invitations cancel:

kalix organizations invitations cancel --organization <organization name> \
  --email <email address>

If you wish to resend an invitation, this can be done by first cancelling the invitation, and then inviting the user again.