Predefined Organization Teams and their Corresponding Roles

The following teams are created and granted pre-defined roles when an organization is created.

Team	Role	Description	Permissions
`Organization Owners`	`Owner`	The initial user(s) created when the organization is created are added to this team. New users may be added to this team as part of the invitation to join the organization. Existing users in an organization are added to this group when RBAC is enabled for an existing organization. The Owner role granted to the Organization Owners team is special in that it cannot be revoked. This is to prevent owners from locking themselves out of their organization.	Approve Access Request Configure Billing Configure Identity Providers Configure SCIM Control Access Create Team Create Workspace Group Delete Edit Organization Invite Users Manage API Keys Monitor Operate View Billing
`Organization Billing Administrators`	`Billing Administrator`	This team can access usage information and invoices as well as configure payment information. Since they can see billing information for all workspaces, they can see the names of all workspace groups. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.	Configure Billing View Billing
`Organization User Administrators`	`User Administrator`	This team is initially empty, but new users may be added to this team as part of the invitation to join the organization.	Create Team Configure Identity Providers Configure SCIM Invite Users
`Organization Operators`	`Operator`	This team is granted the Operator role for the organization and all workspace groups in the organization. The members are responsible for managing all admin operations on the resources they have privileges on. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.	Operate
`Organization Writers`	`Writer`	This team is granted the Writer role for the organization and all workspace groups in the organization. The members have the privilege to both read and write to the workspace groups in the organization. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.	Read and write permissions on all databases
`Organization Readers`	`Reader`	This team is granted the Reader role for the organization and all workspace groups in the organization. The members have the privilege to only read from any workspace groups in the organization. It is initially empty, but new users may be added to this team as part of the invitation to join the organization.	Read permission on all databases
`Organization Observers`	`Observer`	This team is granted the view permissions for monitoring operations in the workspaces and workspace group of an organization. For example: they can open Grafana boards for each workspace group in the organization. This team is initially empty but new users may be added to this team as part of the invitation to join the organization.	Monitor
`Organization Members`	None	This team has the same name as the organization. This is the default team that contains all users with any access to the organization. All new users are automatically added to this team. Members of this team are granted no roles by default.	None

Last modified: February 5, 2024

Was this article helpful?