Availability: Managing groups and roles is available to private organizations. The controls appear under Settings → People for members whose role allows managing access (for example, an administrator).
How access works
Access is layered, from the organization down to individual projects:| Concept | What it is |
|---|---|
| Organization | The top-level tenant that contains your members, groups, projects, and resources. |
| Member | A person (or service account) in the organization. |
| Group | A collection of members, granted one or more roles. Members get their permissions through the groups they belong to. |
| Role | A predefined set of permissions. Roles are assigned to groups, not to individuals. |
| Project | A group can be scoped to specific projects, limiting where its access applies. See Projects. |
Roles are predefined. You assign existing roles to groups; you don’t create custom roles in the Console.
Roles
Nscale provides the following roles. Roles apply either across the whole organization or only within the projects a group is assigned to.| Role | Scope | What it allows |
|---|---|---|
| Administrator | Organization | Full control of the organization—manage members, groups, projects, and all resources. |
| Auditor | Organization | Read-only access to everything in the organization. |
| User | Organization and project | Read access at the organization level, plus the ability to create and manage resources in the projects the group is assigned to. |
| Reader | Project | Read-only access within the projects the group is assigned to. |
Who can manage groups and roles
Two rules decide whether you can create or edit a group. Both must be satisfied. 1. Being in a group doesn’t let you manage it. Membership gives you the group’s permissions; it does not give you control over the group. To create, edit, or change the members of a group you need a role that allows managing groups—typically Administrator. A User or Reader who belongs to a group still can’t add people to it. 2. You can only assign roles you already hold. To prevent anyone from granting access they don’t have themselves, you can only give a group a role whose permissions you fully hold. This is why the role picker only lists roles you’re allowed to assign—any role you couldn’t grant is hidden.Why a group might not be editable
Rule 2 also applies to a group’s existing roles. Saving any change to a group re-checks every role already on it, so: This can be surprising: you might belong to a group and have an administrator role, yet still be unable to add a member, because the group also carries a more specialised role (for example, a role for a specific service) that your roles don’t include. In the Console the group’s edit and Update Members actions are disabled in this case, with a note explaining why. Deleting still works. You can delete such a group (if your role allows deleting groups), because deleting only removes access—it never grants a role—so it isn’t subject to this rule. What to do: ask an organization administrator who holds the missing role to make the change, or have someone with the broader role added so the group’s full set of roles can be granted. If you manage roles centrally, make sure your Administrator role includes every permission used by the more specialised roles you expect administrators to assign.Manage members
Members are managed from Settings → People, in the Organization Members card. The table shows each member’s email, last active time, groups, and status:| Status | Meaning |
|---|---|
| Pending | The member has been invited but hasn’t joined yet |
| Active | The member has joined and can access the organization |
| Suspended | The member’s access is currently revoked |
Invite a member
Invite members
Click Invite Members, then enter one or more email addresses (separated by commas), and select the groups the new members should belong to.
Remove a member
In the Organization Members table, use the member’s actions menu to remove them, then confirm. Removing a member permanently revokes their access to the organization.Manage groups
Groups are managed from Settings → People, in the Organization Groups card. The table shows each group’s name, the projects it can access, its members, and its roles.Create a group
Create the group
Click Create Group, then set:
- Group Name — can only contain lowercase alphanumeric characters and dashes.
- Role — select one or more roles the group’s members will have.
- Add members — add the members who should belong to the group.
Edit or delete a group
Select a group to open its detail page:- Group Details — rename the group or change its roles.
- Group Members — use Add Members to add people to the group.
- Delete Group — permanently delete the group. You’ll be asked to type the group’s name to confirm.
Give a group access to projects
A group’s access is scoped to the projects it’s assigned to. You assign a group to a project from the project’s settings, not from the group itself. Once assigned, the group’s members gain that group’s project-scoped permissions within that project. See Projects for how to manage project membership.Next steps
- Manage groups from the command line with the CLI.
- Explore the Groups API and Roles API.
- Learn how projects organize resources and access.