Predefined Organization Teams and their Corresponding Roles

Organization Owners

Owner

The initial user(s) created when the organization is created are added to this team. New users may be added to this team as part of the invitation to join the organization. Existing users in an organization are added to this group when RBAC is enabled for an existing organization.  The Owner role granted to the Organization Owners team is special in that it cannot be revoked. This is to prevent owners from locking themselves out of their organization.

• Approve Access Request

• Configure Billing

• Configure Identity Providers

• Configure SCIM

• Control Access

• Create Team

• Create Workspace Group

• Delete

• Edit Organization

• Invite Users

• Manage API Keys

• Monitor

• Operate

• View Billing

Organization Billing Administrators

Billing Administrator

This team can access usage information and invoices as well as configure payment information. Since they can see billing information for all workspaces, they can see the names of all workspace groups.

It is initially empty, but new users may be added to this team as part of the invitation to join the organization.

• Configure Billing

• View Billing

Organization User Administrators

User Administrator

This team is initially empty, but new users may be added to this team as part of the invitation to join the organization.

• Create Team

• Configure Identity Providers

• Configure SCIM

• Invite Users

Organization Operators

Operator

This team is granted the Operator role for the organization and all workspace groups in the organization. The members are responsible for managing all admin operations on the resources they have privileges on. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.

• Operate

Organization Writers

Writer

This team is granted the Writer role for the organization and all workspace groups in the organization. The members have the privilege to both read and write to the workspace groups in the organization. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.

• Read and write permissions on all databases

Organization Readers

Reader

This team is granted the Reader role for the organization and all workspace groups in the organization. The members have the privilege to only read from any workspace groups in the organization. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.

• Read permission on all databases

Organization Observers

Observer

This team is granted the view permissions for monitoring operations in the workspaces and workspace group of an organization. For example: they can open Grafana boards for each workspace group in the organization. This team is initially empty but new users may be added to this team as part of the invitation to join the organization.

• Monitor

Organization Members

None

This team has the same name as the organization. This is the default team that contains all users with any access to the organization. All new users are automatically added to this team. Members of this team are granted no roles by default.

None