> ## Documentation Index
> Fetch the complete documentation index at: https://docs.novacula.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Members and invitations

> Invite people into your organization, change their role, and control access

Open **Members** in the dashboard to see everyone who can access the organization. Each row shows a person, their **Org role**, when they joined, and their account status. Owners and admins manage access from here; members can view the roster.

## Roles

Novacula has three organization roles:

| Role       | What it can do                                                                                                                                                       |
| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Member** | Read-only. View executors, nodes, metrics, logs, and their own audit activity (the full organization audit log is owner/admin only).                                 |
| **Admin**  | Everything a member can, plus deploy, update, and delete nodes; connect and remove executors; request upgrades; manage labels; invite members; manage other members. |
| **Owner**  | Full control, including assigning admins. Each person can own only one organization.                                                                                 |

Role changes take effect on the member's next request — they don't need to sign out and back in.

## Invite a member

On **Members**, select **Invite member**, then:

1. Enter the invitee's **Email**.
2. Choose a **Role**. Owners can invite an **Admin** or a **Member**; admins can invite a **Member** only. Owner can't be assigned by invitation.
3. Select **Send invitation**.

The invitee gets an email with an accept link. If they already have a Novacula account, accepting adds them to this organization; if not, the link lets them create an account first. Invitations expire — if one lapses before it's accepted, invite the person again.

## Manage pending invitations

Invitations that haven't been accepted appear under **Pending invitations** with a **Pending** or **Expired** status. From the row's actions menu (owners and admins):

* **Copy link** — copy the accept link to share directly.
* **Resend email** — send the invitation email again.
* **Cancel** — revoke the invitation so the link no longer works.

## Change a member's role

Open a member's row to go to their profile, then use the **Organization access** card to pick a new **Organization role** and select **Save access**.

* **Owners** can promote a member to admin and demote an admin to member.
* **Admins** can manage members, but can't promote anyone to admin or change another admin or the owner.
* **Members** can't change roles.

You can't change your own role here.

## Block or remove a member

On a member's profile, the **Account access** card lets you **Block member**. Blocking restricts the person's access to this organization — it signs out their active sessions immediately and prevents them from signing back in to it. You can record an optional reason. Owners can block any non-owner; admins can block members.

A blocked person still appears in the roster with a **Blocked** badge. To bring them back, select **Restore** on their row (or **Restore member** on their profile) — they rejoin with their previous role. Restoring does not recreate their old sessions.

Owners can also **Remove** a non-owner member from the profile header.

## What happens when a member loses access

* Their sessions for this organization end within seconds.
* API keys stay valid — they belong to the organization, not to the person who created them. Rotate any keys a departing member generated; see [API keys](/docs/executors/api-keys).
* Their entries in the audit log remain for the record.

## Audit

Every invitation, role change, block, restore, and removal is recorded in the [audit log](/docs/account/organization#audit-log) with the actor, the target, and a timestamp.
