Managing Users
Crusoe Cloud supports role-based access control (RBAC) at both the organization and project level, enabling least-privilege access across your infrastructure.
Viewing users
Inviting new users
To invite new users to your organization via the console:
- From the console, select the Organization dropdown in the top left corner and select Manage Organization.
- Select User Access > Team in the left nav.
- Click Invite User.
- Enter the email address of the user you want to invite.
- If your organization has an active SSO provider, select whether this user will be required to use SSO.
- Assign an organization-level role if applicable, and one or more project-level roles.
- Click Invite.
When inviting new users, we recommend only assigning the specific project roles they need, rather than a broad organization-level role.
Changing user roles
To change a user's role in your organization via the console:
- From the console, select the Organization dropdown in the top left corner and select Manage Organization.
- Select User Access > Team in the left nav.
- Find the user whose role you want to change and click Edit Roles.
- Assign an organization-level role if applicable, and one or more project-level roles.
- Click Update.
Removing users
To remove a user from your organization via the console:
Understanding Roles
Resource Hierarchy
Crusoe resources are organized hierarchically: Organization > Project > Resources (VMs, disks, clusters, etc.). Roles can be assigned at either the organization level or the project level. Organization-level roles grant access across all projects; project-level roles grant access to a single project.
Available roles
Organization-level roles
| Role | Description |
|---|---|
| org-admin | Full administrative access across all projects. Can manage users, billing, and all resources. |
| org-editor | Create, read, update, and delete resources across all projects. |
| org-reader | Read-only access to resources across all projects. |
| No org role | Base membership role. No resource permissions by default. Cannot see all projects. Used in combination with project roles. |
Project-level roles
| Role | Description |
|---|---|
| project-editor | Create, read, update, and delete resources within the assigned project. |
| project-reader | Read-only access to resources within the assigned project. |
How permissions work
If a user holds multiple roles, the highest permission level applies. For example, a user who is an org-reader and a project-editor on Project A can edit resources in Project A and view resources in all other projects.
All tokens inherit the permissions of the user who created them. If a user's role changes after token creation, the token's effective permissions update accordingly.
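The "highest permission level applies" rule can be modeled locally to review role assignments before granting them. The following is an added example, not Crusoe's own code and not a call to any Crusoe API: the data layout, the numeric ranking of levels, and the function names `effective_level` and `broad_grants` are assumptions, and the users and projects are constructed sample data.

```python
# Added illustration: a local model of the role rules described on this page.
# It calls no Crusoe API; the data layout and function names are assumptions.
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    READ = 1
    EDIT = 2
    ADMIN = 3

# Role names come from the tables on this page; the numeric ranking is an assumption.
ORG_ROLES = {None: Level.NONE, "org-reader": Level.READ,
             "org-editor": Level.EDIT, "org-admin": Level.ADMIN}
PROJECT_ROLES = {"project-reader": Level.READ, "project-editor": Level.EDIT}

def effective_level(user, project):
    """Highest permission level wins across the org role and the project role."""
    org = ORG_ROLES[user.get("org_role")]
    proj_role = user.get("project_roles", {}).get(project)
    proj = PROJECT_ROLES[proj_role] if proj_role else Level.NONE
    return max(org, proj)

def broad_grants(users, projects):
    """Flag users whose org-level role reaches projects where they hold no project role."""
    findings = []
    for u in users:
        if ORG_ROLES[u.get("org_role")] == Level.NONE:
            continue  # base membership only: access comes from project roles alone
        unassigned = [p for p in projects if p not in u.get("project_roles", {})]
        if unassigned:
            findings.append((u["email"], u["org_role"], unassigned))
    return findings

# Constructed sample data (not real users or projects).
PROJECTS = ["project-a", "project-b"]
USERS = [
    {"email": "alice@example.com", "org_role": "org-reader",
     "project_roles": {"project-a": "project-editor"}},
    {"email": "bob@example.com", "org_role": None,
     "project_roles": {"project-b": "project-reader"}},
]

if __name__ == "__main__":
    for u in USERS:
        for p in PROJECTS:
            print(u["email"], p, effective_level(u, p).name)
    print(broad_grants(USERS, PROJECTS))
```

Because tokens inherit the permissions of the user who created them, the level computed for a user is also the level any of that user's tokens carries.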
Propagation
Role changes typically take effect within seconds. In rare cases, cached permissions may take up to 5 minutes to fully propagate when revoking or downgrading access.