pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-04-16 06:46:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a58bec4f69c2f4729aef8a5506b32fbb33ca83d2
docs-v2/manage/access-control/create-user.mdx
miloschwartz cf23a8e3da add site provisioning
2026-04-03 10:50:58 -04:00

48 lines
3.1 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "Users and Roles"
description: "Add internal or external users to your organization and manage roles"
---
import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
<PangolinCloudTocCta />
## Users in Organizations
Users can be added to organizations. When a user is added to Pangolin, there is a global user object and an organizationspecific user object that links that user to the organization. This allows a user to exist in one or more organizations.
<Tip>
Because the global user exists and a perorganization user exists, a user invited to an organization may be able to create a new organization. You can disable this functionality via a flag in the config file in selfhosted Pangolin. [Check out the config file documentation](/self-host/advanced/config-file#feature-flags).
</Tip>
When removing a user from an organization, their account still exists. To completely delete their account, visit the server admin panel as the server admin and delete the global user in the users table.
<Frame>
<img src="/images/users-table.png" centered/>
</Frame>
### Internal Users
An internal user is an identity managed by Pangolin only. When adding the user, you will receive an invite link. The user needs to use this link to either accept the invite, or create an account for the first time and accept the invite.
### External Users
An external user is an identity managed by an external identity provider. When creating an external user, you will need to select an existing identity provider added to Pangolin. [Check out the documentation on adding an IDP](/manage/identity-providers/add-an-idp).
An identity provider may have autoprovisioning enabled. This means new users who log in with the IDP are automatically created and you do not need to manually create the user. [Check out the autoprovisioning documentation](/manage/identity-providers/auto-provisioning).
Even if autoprovisioning is enabled, you can still manually create users.
## Roles
Roles are how you group users in an organization. A user can belong to more than one role, for example Member, Admin, Contractor, Operations, or any custom roles you define. You use roles with RBAC on resources so access follows those groups: only Operations might reach production resources, while only Contractors might reach test environments, and so on.
On each resource, you define which roles are allowed to access it. A users effective access is the union of all resources their roles can reach: they can use any resource that at least one of their assigned roles is permitted to access.
You can create as many custom roles as you need in Pangolin. Each role has a name and a description. The name is the display label and also acts as the unique identifier, so two roles cannot share the exact same name.
To change which roles a user has, open that users settings and select the roles they should belong to.
<Note>
Assigning more than one role to a user is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition). In other editions, only one role per user is supported.
</Note>
Reference in New Issue View Git Blame Copy Permalink