Skip to main content

Managing Users

Crusoe Cloud supports role-based access control (RBAC) at both the organization and project level, enabling least-privilege access across your infrastructure.

Viewing users

To view all users in your organization:

  1. From the console, select the Organization dropdown in the top left corner and select Manage Organization.
  2. Select User Access > Team in the left nav.

Inviting new users

To invite new users to your organization via the console:

  1. From the console, select the Organization dropdown in the top left corner and select Manage Organization.
  2. Select User Access > Team in the left nav.
  3. Click Invite User.
  4. Enter the email address of the user you want to invite.
  5. If your organization has an active SSO provider, select whether this user will be required to use SSO.
  6. Assign an organization-level role if applicable, and one or more project-level roles.
  7. Click Invite.

When inviting new users, we recommend only assigning the specific project roles they need, rather than a broad organization-level role.

Changing user roles

To change a user's role in your organization via the console:

  1. From the console, select the Organization dropdown in the top left corner and select Manage Organization.
  2. Select User Access > Team in the left nav.
  3. Find the user you would like to change the role of and click Edit Roles.
  4. Assign an organization-level role if applicable, and one or more project-level roles.
  5. Click Update.

Removing users

To remove a user from your organization via the console:

  1. From the console, select the Organization dropdown in the top left corner and select Manage Organization.
  2. Select User Access > Team in the left nav.
  3. Find the user you would like to remove from your organization and select Delete User.
  4. Click Delete.

Understanding Roles

Resource Hierarchy

Crusoe resources are organized hierarchically: Organization > Project > Resources (VMs, disks, clusters, etc.). Roles can be assigned at either the organization level or the project level. Organization-level roles grant access across all projects; project-level roles grant access to a single project.

Available roles

Organization-level roles

RoleDescription
org-adminFull administrative access across all projects. Can manage users, billing, and all resources.
org-editorCreate, read, update, and delete resources across all projects.
org-readerRead-only access to resources across all projects.
No org roleBase membership role. No resource permissions by default. Cannot see all projects. Used in combination with project roles.

Project-level roles

RoleDescription
project-editorCreate, read, update, and delete resources within the assigned project.
project-readerRead-only access to resources within the assigned project.

How permissions work

If a user holds multiple roles, the highest permission level applies. For example, a user who is an org-reader and a project-editor on Project A can edit resources in Project A and view resources in all other projects.

All tokens inherit the permissions of the user who created them. If a user's role changes after token creation, the token's effective permissions update accordingly.

Propagation

Role changes typically take effect within seconds. In rare cases, cached permissions may take up to 5 minutes to fully propagate when revoking or downgrading access.