# How to Use SingleStore Helios RBAC

The following sections outline the steps for using RBAC at the organization and Workspace group levels.

To configure RBAC:

1. On the [Cloud Portal](https://portal.singlestore.com), navigate to **Workspaces**.

2. Select the three dots under the **Actions** column for your workspace, and then select **Access & Security** from the list.

3. On the **Access** tab, configure RBAC in the **User Management** section.

## Organization Level

SingleStore offers different organizational level access for users in the Shared, Standard, and Enterprise editions.

## For Users in Shared Edition

**Invite New Users**

1. Navigate to the **Users & Teams** option from the Organization menu at the top.

2. Select **Add Member**.

3. Enter the new user's email address and then select the default team that this member should be invited to. 

4. By default, every user invited to the organization is added to the **Organization Owners** team and assigned the **Owner** role.

5. To change or add roles for each user, navigate to **Teams**, then select the team the user needs to be part of in the organization.

6. Select **Edit Team**, select the user from the list, and then select **Update Team**.

**Create a New Team**

1. Navigate to the **Users & Teams** option from the Organization menu at the top.

2. Switch to the **Teams** tab.

3. Select **Create New Team**.

4. Add the details for **Team Name** and **Team Description**.

5. Select default members in the team.

6. Select **Create Team** to complete the creation.

**Update the Members of Existing Teams**

1. Navigate to the **Users & Teams** option from the Organization menu at the top.

2. Switch to the **Teams** tab.

3. Select the ellipsis (three dots) in the **Actions** column and select **View Team**. Alternatively, you can directly select the **Team Name** in the first column.

   * Select **Edit Team** on the top right.
   * Add or remove existing members of the team as required.
   * Select **Update Team** to save changes.

## For Users in Standard and Enterprise Editions

**Invite New Users**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Select **Add User**.

3. Enter the new user's email address in **User Email** and then select the team from the **Teams** list that this user should be invited to. Selecting the team is optional.

4. By default, every user invited to the organization is added to the **Organization Owners** team and assigned the **Owner** role.

5. To change or add roles for each user, navigate to **Teams**, then select the team the user needs to be part of in the organization.

6. Select **Edit Team**, select the user from the list, and then select **Update Team**.

**Create a New Team**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Teams** tab.

3. Select **Create New Team**.

4. Add the details for **Team Name** and **Team Description**.

5. Select the users in the team.

6. Select **Create Team** to complete the creation.

**Update the Users of Existing Teams**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Teams** tab.

3. Select the ellipsis (three dots) in the **Actions** column and select **View Team**. Alternatively, you can directly select the team name in the **Name** column.

   * Select **Edit Team** on the top right.
   * Add or remove existing users of the team as required.
   * Select **Update Team** to save changes.

## Custom Role

**Create a Custom Role**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Roles** tab.

3. Select **Create Custom Role**.

4. In the **Create Role** dialog box,

   * Enter the **Name** and **Description** of the role.
   * Valid Names must start with a letter or underscore and can include letters, numbers, underscores, hyphens, or spaces.
   * Select the resource among **Organization**, **Workspace Group**, **Team**, and **Secret** for which you want to create the role.
   * Set the permissions for the role based on the selected resource.
   * Select **Create Role** to complete the creation.

**Edit a Custom Role**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Roles** tab.

3. Select **Custom** from the **Role** list to edit the role.

   * Select the role name in the **Name** column.
   * Select **Edit Role**.
   * Update the **Description** and set new permissions.
   * Select **Update Role** to save changes.

**Delete a Custom Role**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Roles** tab.

3. Select **Custom** from the **Role** list to edit the role.

4. Select the role name in the **Name** column.

5. In the **Actions** column, from the ellipsis (three dots), select **Delete Role**.

## Role Management

You can add or revoke both predefined and custom roles.

**Add a Role for a User**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Users** tab.

3. Select a user in the **Name** column.

4. Select the resource among **Organization**, **Workspace Group**, **Team**, and **Secret** for which you want to add the role.

5. Select **Add Role**. **Add Role For \<Resource>** dialog appears.

6. Follow the actions for different resources:
   | **Resource**   | **Action**                                                                                                                                                                                                                               |
   | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Organization   | <ul> <li>Select a role from the <strong>Role</strong> list.Select <strong>Add Role</strong> to add a role in the organization.</li> <li>Select <strong>Add Role</strong> to add a role in the organization.</li> </ul>                   |
   | WorkspaceGroup | <ul> <li>Select a workspace group from the <strong>Workspace Group</strong> list.</li> <li>Select a role from the <strong>Role</strong> list.</li> <li>Select <strong>Add Role</strong> to add a role in the workspace group.</li> </ul> |
   | Team           | <ul> <li>Select a team from the <strong>Team</strong> list.</li> <li>Select a role from the <strong>Role</strong> list.</li> <li>Select <strong>Add Role</strong> to add a role in the team.</li> </ul>                                  |
   | Secret         | <ul> <li>Select a secret from the <strong>Secret</strong> list.</li> <li>Select a role from the <strong>Role</strong> list.</li> <li>Select <strong>Add Role</strong> to add a role in the team.</li> </ul>                              |

**Revoke a Role for a User**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Users** tab.

3. Select a user in the **Name** column.

4. Select the resource among **Organization**, **Workspace Group**, **Team**, and **Secret** for which you want to revoke the role.

5. Find the role you want to delete.

6. In the **Actions** column corresponding to the role you want to delete, select the trash bin icon.

7. Select **Revoke** to revoke/delete a role.

**Add a Role for a Team**

You cannot add roles on default teams. Roles can only be added in created teams.

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Teams** tab.

3. Select a team in the **Name** column.

4. Select the resource among **Organization**, **Workspace Group**, **Team**, and **Secret** for which you want to add the role.

5. Select **Add Role**. **Add Role For \<Resource>** dialog appears.

6. Follow the actions for different resources:
   | **Resource**   | **Action**                                                                                                                                                                                                                               |
   | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Organization   | <ul> <li>Select a role from the <strong>Role</strong> list.Select <strong>Add Role</strong> to add a role in the organization.</li> <li>Select <strong>Add Role</strong> to add a role in the organization.</li> </ul>                   |
   | WorkspaceGroup | <ul> <li>Select a workspace group from the <strong>Workspace Group</strong> list.</li> <li>Select a role from the <strong>Role</strong> list.</li> <li>Select <strong>Add Role</strong> to add a role in the workspace group.</li> </ul> |
   | Team           | <ul> <li>Select a team from the <strong>Team</strong> list.</li> <li>Select a role from the <strong>Role</strong> list.</li> <li>Select <strong>Add Role</strong> to add a role in the team.</li> </ul>                                  |
   | Secret         | <ul> <li>Select a secret from the <strong>Secret</strong> list.</li> <li>Select a role from the <strong>Role</strong> list.</li> <li>Select <strong>Add Role</strong> to add a role in the team.</li> </ul>                              |

**Revoke a Role for a Team**

1. Navigate to the **Users & Permissions** option from the Organization menu at the top.

2. Switch to the **Teams** tab.

3. Select a team in the **Name** column.

4. Select the resource among **Organization**, **Workspace Group**, **Team**, and **Secret** for which you want to revoke the role.

5. Find the role you want to delete.

6. In the **Actions** column corresponding to the role you want to delete, select the trash bin icon.

7. Select **Revoke** to revoke/delete a role.

## Workspace Group Level

**Invite New Users**

1. Navigate to **Deployments** in the left navigation pane.

2. Select the workspace group that you want to invite the user to.

3. Select the **User Management** tab. 

4. Select **Add Members**.

5. In the **Add Member to Workspace group** dialog box, fill in the details.

6. Select **User** or **Team** from the list, select a user or the team from the list, and select a role. This applies to the workspace group-level roles that need to be added.

7. Select **Add Members** to save the changes.

8. You will be able to see the member or team added.

**Update Members in an Existing Workspace Group**

1. Navigate to **Deployments** in the left navigation pane.

2. Select the workspace group from the workspace group list that you want to invite the user to.

3. Select the **User Management** tab. 

4. Select the ellipsis (three dots) in the **Actions** column and then select **Edit Roles** next to the user to change the role of the user. To remove the user’s access from the workspace group completely, select **Revoke all Roles**.

5. In the **Edit Roles**, change the role for the user. 

6. Select **Update** to save the changes.

## Enabling RBAC for New and Existing Organizations

RBAC is enabled for all Organizations.

Pre-defined teams are created and granted common roles when RBAC is enabled. These teams include Organization Owners, Organization Billing Administrators, Organization User Administrators, Organization Operators, Organization Writers, and Organization Readers.

For new organizations, the initial users will be added to the Organization Owners team, which grants full access to all user actions. For existing organizations, users will be added to the Organization Owners teams, allowing those users continued access to any user actions. Any user in the Organization Owners team can reassign other users in the team to different teams to limit their access.

New users can be invited to join any team(s). Inviting a new user to join the Organization Owners team immediately grants them access to all resources in the organization. Inviting a new user without specifying a team adds them to the default members team, which makes them a member of the organization, but grants no specific access beyond the ability to login to the portal and navigate to the options available.

When users are added to an organization or a workspace group, synchronization takes place in the engine and they are added to the corresponding user groups in the backend.

***

Modified at: May 11, 2026

Source: [/cloud/security/administration/role-based-access-control-rbac-for-singlestore-helios/how-to-use-singlestore-helios-rbac/](https://docs.singlestore.com/cloud/security/administration/role-based-access-control-rbac-for-singlestore-helios/how-to-use-singlestore-helios-rbac/)

(An index of the documentation is available at /llms.txt)