Team Management & IAM
Overview
Team Management lets you share access to your account with colleagues while maintaining full control over what each person can see and do. Invite team members by email, assign roles with granular permissions, and optionally fine-tune access per project.
Key capabilities:
- Email invitations -- Invite team members with secure signed links that expire after 72 hours.
- Built-in roles -- Three predefined roles covering common access patterns: Admin, Operator, and Viewer.
- Custom roles -- Create roles with any combination of View, Manage, and Delete permissions across 15 service groups.
- Project-level overrides -- Fine-tune a member's permissions within specific projects without changing their overall role.
- API token scoping -- Team members' API tokens inherit their role permissions automatically.
Inviting Team Members
- Navigate to Organization > Team Members in the sidebar.
- Click Invite Member.
- Enter the team member's email address and select a role.
- Click Invite.
The invitee receives an email with a link to set their name and password. Once accepted, they can log in at the same URL as the account owner.
Managing Members
From the Team Members page you can:
- Edit Role -- Change a member's assigned role at any time.
- Resend Invite -- Resend the invitation email for members who haven't accepted yet.
- Remove -- Remove a member from your account. They lose all access immediately.
Built-In Roles
Viewer (Read-Only)
Can view all resources, metrics, configurations, and billing information. Cannot create, modify, or delete anything. Does not have access to Team Management or API Tokens.
Operator (View + Manage)
Full operational control -- can create instances, configure load balancers, manage security groups, set up monitoring alerts, and perform all day-to-day tasks. Cannot delete any resources, protecting against accidental destruction. Cannot manage billing, team members, or API tokens.
Admin (Full Access)
Complete control over the account including all resource operations, team member management, role creation, and API token management. The only restriction: Admins cannot remove the account owner.
Custom Roles
For access patterns not covered by built-in roles, create custom roles with any combination of permissions.
- Navigate to Organization > Roles.
- Click Create Role.
- Enter a name and optional description.
- For each service group, toggle the permissions you want to grant:
  - View -- Read-only access
  - Manage -- Create and modify resources
  - Delete -- Destroy resources
- Click Create Role.
Permission Groups
| Group | View | Manage | Delete |
|---|---|---|---|
| Compute -- Instances | View instances, metrics, SSH, console | Create, power control, resize, reinstall, networking | Destroy instances |
| Networking -- VPCs | View VPCs, subnets, NAT/VPN gateways | Create and modify all networking resources | Delete VPCs and sub-resources |
| Networking -- Load Balancers | View LBs, configs, metrics | Create and modify LBs, SSL, health checks | Delete load balancers |
| Networking -- Security Groups | View groups, rules, IP sets | Create and modify rules, IP sets | Delete groups and rules |
| Databases | View databases, configs, backups | Create, modify, restart, manage replicas/backups | Delete databases and backups |
| Object Storage | View buckets and access keys | Create and modify buckets/keys | Delete buckets |
| Images & ISOs | View custom images | Create images from instances | Delete images |
| Static IPs | View allocations | Allocate and assign IPs | Deallocate IPs |
| Autoscaling | View groups and policies | Create and modify scaling rules | Delete groups |
| Billing | View credits, usage, invoices | Manage billing settings | -- |
| SSH Keys | View keys | Create and edit keys | Delete keys |
| User Scripts | View scripts | Create and edit scripts | Delete scripts |
| Projects | View projects | Create, edit, assign resources | Delete projects |
| Monitoring & Alerts | View dashboard, alerts, history | Create/edit alert rules and channels | -- |
| Team Management | View members and roles | Invite/remove members, manage roles | -- |
| API Tokens | -- | Create and revoke tokens | -- |
Project-Level Overrides
You can override a member's role permissions for specific projects. This is useful when a team member needs different access levels across environments.
Example: A Developer role member might have Operator access on the "Development" project but Viewer-only on "Production".
To set an override:
- Open the project detail page.
- Go to the Members tab.
- Click Override Permissions next to a team member.
- Toggle the permissions for this project.
- Click Save Override.
Remove the override at any time to revert to the member's role-based permissions.
How Permissions Are Enforced
- Server-side enforcement -- Every API endpoint checks the acting user's permissions before executing. Any action hidden in the UI is also rejected by middleware checks, so the restriction does not depend on the interface.
- Resource scoping -- Team members see the account owner's resources, not their own. All resources belong to the account.
- Audit trail -- Task logs record which user initiated each action, even when that user is a team member.
- API tokens -- Tokens created by team members inherit the member's role permissions. A Viewer's API token can only perform read operations.
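The sketch below is an added example, not the product's own code: it shows one way a server-side check could resolve a member's role, a project-level override and an API token into a single deny-by-default decision. The group keys, function names and the rule that an override applies per group (falling back to the role for groups it does not mention) are assumptions, and only five of the permission groups are modelled.

```python
from dataclasses import dataclass, field

V, M, D = "view", "manage", "delete"

# Constructed subset of the page's permission table; the short keys are assumptions.
GRANTABLE = {
    "instances": {V, M, D},
    "databases": {V, M, D},
    "billing": {V, M},       # table lists no Delete permission
    "team": {V, M},          # table lists no Delete permission
    "api_tokens": {M},       # table lists Manage only
}

def make_role(grants):
    """Clamp grants to cells that exist in the table; unknown groups are dropped."""
    return {g: set(p) & GRANTABLE[g] for g, p in grants.items() if g in GRANTABLE}

# Built-in roles as described on the page, limited to the groups modelled here.
VIEWER = make_role({g: {V} for g in ("instances", "databases", "billing")})
OPERATOR = make_role({g: {V, M} for g in ("instances", "databases")})
ADMIN = make_role(GRANTABLE)

@dataclass
class Member:
    role: dict
    overrides: dict = field(default_factory=dict)  # project name -> {group: perms}
    active: bool = True                            # False once removed from the account

def effective(member, group, project=None):
    """Permissions for one group: the project override if set, else the role."""
    if not member.active:
        return set()
    override = member.overrides.get(project, {})
    perms = override[group] if group in override else member.role.get(group, set())
    return set(perms) & GRANTABLE.get(group, set())

def authorize(member, group, action, project=None):
    """Server-side check run before every handler; anything not granted is denied."""
    return action in effective(member, group, project)

def authorize_token(token_owner, group, action, project=None):
    """A token carries no permissions of its own; it resolves its owner's at call time."""
    return authorize(token_owner, group, action, project)

# The page's example: Operator on "Development", Viewer-only on "Production".
developer = Member(role=make_role({"instances": {V, M}, "databases": {V}}),
                   overrides={"Development": OPERATOR, "Production": VIEWER})
```

Because the token check resolves the owner's permissions on every call instead of storing a copy, a role change or removal applies to existing tokens at once.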