Managing users
User management
Crusoe Cloud supports role-based access control (RBAC) at both the organization and project level, enabling least-privilege access across your infrastructure.
Viewing users
- UI
In order to view all users in your organization
- Visit the Crusoe Cloud console
- Select the Organization dropdown in the top left corner of your screen and select "Manage Organization"
- Select the "User Access" tab in the left nav and select "Team"
- You will see a list of all users in your organization
Inviting new users
- UI
In order to invite new users to your Crusoe Cloud organization:
- Visit the Crusoe Cloud console
- Select the Organization dropdown in the top left corner of your screen and select "Manage Organization"
- Select the "User Access" tab in the left nav and select "Team"
- Select "Invite User"
- Enter the email address of the user you would like to invite
- If your organization has an active SSO provider, select whether this user will be required to use SSO
- Assign an organization-level role if applicable, and one or more project-level roles
- Select "Invite"
When inviting new users, we recommend only assigning the specific project roles they need, rather than a broad organization-level role.
Changing user roles
- UI
In order to change a user's role in your Crusoe Cloud organization:
- Visit the Crusoe Cloud console
- Select the Organization dropdown in the top left corner of your screen and select "Manage Organization"
- Select the "User Access" tab in the left nav and select "Team"
- Find the user you would like to change the role of and pick the "Edit Roles" option
- Assign an organization-level role if applicable, and one or more project-level roles
- Select "Update"
Removing users
- UI
In order to remove a user from your Crusoe Cloud organization:
- Visit the Crusoe Cloud console
- Select the Organization dropdown in the top left corner of your screen and select "Manage Organization"
- Select the "User Access" tab in the left nav and select "Team"
- Find the user you would like to remove from your organization and select "Delete User"
- Click "Delete" on the confirmation
Understanding Roles
Resource Hierarchy
Crusoe resources are organized hierarchically: Organization > Project > Resources (VMs, disks, clusters, etc.). Roles can be assigned at either the organization level or the project level. Organization-level roles grant access across all projects; project-level roles grant access to a single project.
Available roles
Organization-level roles
| Role | Description |
|---|---|
org-admin | Full administrative access across all projects. Can manage users, billing, and all resources. |
org-editor | Create, read, update, and delete resources across all projects. |
org-reader | Read-only access to resources across all projects. |
| No org role | Base membership role. No resource permissions by default. Cannot see all projects. Used in combination with project roles. |
Project-level roles
| Role | Description |
|---|---|
project-editor | Create, read, update, and delete resources within the assigned project. |
project-reader | Read-only access to resources within the assigned project. |
How permissions work
If a user holds multiple roles, the highest permission level applies. For example, a user who is an org-reader and a project-editor on Project A can edit resources in Project A and view resources in all other projects.
All tokens inherit the permissions of the user who created them. If a user's role changes after token creation, the token's effective permissions update accordingly.
Propagation
Role changes typically take effect within seconds. In rare cases, cached permissions may take up to 5 minutes to fully propagate when revoking or downgrading access.