Organization roles
Each member of an organization holds exactly one role. To act in two organizations with different permissions, you need a separate membership in each.| Role | What they can do |
|---|---|
| Owner | Everything below, plus: assign the Admin role and remove any non-owner member. Each user can own only one organization. |
| Admin | Connect executors and deploy, configure, upgrade, and delete nodes. Manage API keys. Configure notifications and labels. Invite Members, change a member’s role to Member, and act on members (block, restore). |
| Member | Read-only access to everything in the organization: executors, nodes, metrics, logs, audit events, releases, labels, and notification settings. |
Who can manage whom
Member management lives on the Members page.- Owners can invite Members and Admins, change any non-owner’s role, and remove any non-owner member.
- Admins can invite Members and act on existing Members. They cannot grant the Admin role, change an Admin’s role, or remove a member — those are owner-only.
- No one can change or remove an Owner through the UI. A user can own only one organization at a time.
How access is enforced
- People sign in through the browser; your session carries your organization role.
- Executors authenticate with an organization-scoped API key (prefixed
exc_), created in the Connect an executor flow. An API key can only sync executor state — it can’t act as a person or read across organizations. - Tenant isolation. Every read and write is scoped to your active organization. A request for data outside it returns nothing rather than leaking another org’s rows.
Related
- Members and invitations — invite, change roles, block, and remove members.
- API keys — create and rotate the keys executors use.
- Organization — settings and switching the active org.