Manage organization members
How to manage your organization members.
As an organization administrator, you can invite or remove users from the organization.
Organization API Roles
Each organization member has an API role that defines their permissions within the organization. The following roles are available:
- Viewer – Read-only member. Can view the organization and its members, cloud accounts, environments, clusters and node pools, Kubernetes versions, scheduled upgrades, observability dashboards (tenants, alerts, alertmanager configs, silences, tokens), cloud integrations/add-ons, compute information, update channels, cloud providers including regions, zones and node types, organization and cluster audit events, validation status, accepted agreements and billing invoices/charges.
- Developer – Everything a viewer can do plus day-to-day platform changes: create/update clusters and node pools, request cluster upgrades, create/delete environments, customize environment Alertmanager configs and manage observability assets (Grafana integrations, access tokens, tenant Alertmanager configs).
- Admin – Full control. Includes all viewer/developer permissions plus: update organization settings, use vouchers, invite/remove members, manage environment memberships, delete clusters, get bring-your-own-node pool join configuration, move a cluster to a different environment, manage cloud accounts/credentials and cloud profiles, configure organization integrations, schedule maintenance windows, view and query Kubernetes audit logs, delete the organization, and perform all billing actions (setup intents, payment methods, invoices, charges).
Organization Kubernetes Cluster Roles
In addition to an API role does each member have a default Kubernetes ClusterRole. This role is mapped to a default Kubernetes ClusterRole.
| Role | Kubernetes ClusterRole | Description |
|---|---|---|
| Cluster Admin | cluster-admin | Full control over all resources in the cluster |
| Edit | edit | Read/write access to most objects. Cannot view or modify roles or role bindings. Allows access to Secrets and running Pods as any ServiceAccount in the namespace, which can be used to assume those ServiceAccounts’ permissions. |
| View | view | Read-only access to most objects. Cannot view roles, role bindings, or Secrets. |
| None | - | No default role binding provided by AME. Custom (Cluster)RoleBindings can be created as needed. |
For more details, see the Kubernetes documentation on default ClusterRoles.
Invite a user to an organization
If you are an owner or administrator of an organization, you can invite other users to join the organization.
To invite a user to an organization, follow these steps:
- Log in to the Console and select the organization you want to invite a user to.
- Click Access Management in the left navigation menu and navigate to the Members tab.
- Enter the email address of the user you want to invite.
- Select the API role for the user. Refer to API roles.
- Select the Kubernetes cluster-role for the user. The user will have this cluster-role on all the clusters within the organization. Refer to Kubernetes roles.
- Click Add.
After you invite a user, they will receive an email with instructions. If the invited user is already registered, the organization will appear immediately in their list. If the invited user is not registered, they must sign up first. After registration, the organization will appear in their list.
Delete an organization member
Go to the Access Management section in the left navigation menu and select the Members tab. You will see the list of members. To remove a user, click Remove next to their name.
Join an organization
Organization administrators can invite users to join. Invited users will receive an email with instructions. The steps differ depending on whether the user is already registered. If you did not receive the invitation email, ask the administrator to resend it.
Last updated on