Upsun offers fine-grained and flexible user permissions across projects and organizations. When a user is added to a project, they are automatically added to your organization.

Available add-on

The Advanced User Management add-on offers teams, MFA enforcement within an organization and single sign-on. See how to subscribe to this add-on.

Manage project access

If you have set up an external integration to GitHub, GitLab, or Bitbucket and your users can’t clone the project locally, see how to troubleshoot source integrations.

Project roles

A user can have one of the following roles to control their access at project level:
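| Role           | View environment | Push code | Manage user access | Change settings | Execute actions on all environments |
|----------------|------------------|-----------|--------------------|-----------------|-------------------------------------|
| Project admin  | Yes              | Yes       | Yes                | Yes             | Yes                                 |
| Project viewer | Yes              | No        | No                 | No              | No                                  |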
By default, organization owners have Project admin access on all of the projects within their organization.

Environment type roles

An environment type (Production, Staging, and Development) groups one or more environments together so that you can manage access for all environments of that type:
  • A role assigned to an environment type applies to all environments of that type.
  • Only one environment per project can be of the type: Production. It is set automatically as the default branch and can’t be overridden separately.
  • You can change an environment’s type (except for the Production environment).
  • You can have multiple preview (staging and development) environments.
A user can have one of the following roles on an environment type which grants them permissions on all environments of this type:
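| Role        | View environment | Force push | Push code | Branch environment | SSH access | Change settings | Execute actions |
|-------------|------------------|------------|-----------|--------------------|------------|-----------------|-----------------|
| Admin       | Yes              | Yes        | Yes       | Yes                | Yes        | Yes             | Yes             |
| Contributor | Yes              | No         | Yes       | Yes                | Yes        | No              | No              |
| Viewer      | Yes              | No         | No        | Yes                | No         | No              | No              |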
To customize which roles can use SSH, set access in your app configuration.

View a user’s permissions across all of the projects in your organization

For each user, you can view a summary of their roles and permissions across all projects in your organization.
This feature is available for v4.1.2+ of the CLI. Run a command similar to the following, using the email address of the user whose permissions you want to view:
upsun organization:user:projects --org ORGANIZATION_NAME EMAIL_ADDRESS

Add a user to a project

To invite a user, you need to be a project admin. To add a user, run the following command:
upsun user:add EMAIL_ADDRESS -r PERMISSIONS_TO_GRANT
For example, if you want to add user1@example.com to the project as a project admin, run the following command:
upsun user:add user1@example.com -r admin
If you want to add user2@example.com to the project as a contributor for Development environments and a viewer for Staging environments, run the following command:
upsun user:add user2@example.com -r development:contributor -r staging:viewer
The user has to create an account before they can access the project. Once you add a user to a project, they receive an invitation email with instructions. To apply SSH access changes after you add a user to a project, trigger a redeploy.

Manage project users

To manage user permissions on a project, you need to be a project admin, be an organization owner, or have the Manage users permission for the organization. To update an existing user’s permissions, run the following command:
upsun user:update EMAIL_ADDRESS -r PERMISSIONS_TO_GRANT
If you want user1@example.com to be a viewer for Production environments and a contributor for Development environments, run the following command:
upsun user:update user1@example.com -r production:viewer,development:contributor
To apply SSH access changes after you add or remove a user from a project or environment type, trigger a redeploy.
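For an access review, the environment type role table and the -r role syntax above can be combined to list who holds a sensitive capability on a given environment type. This is an added example, not Upsun's own code: the function names and sample users are constructed, the SSH column reflects the defaults (app configuration can change it), and it assumes a Project admin acts as Admin on every environment type.

```python
# Environment type role table from this page (1 = permitted).
CAPS = ("view", "force_push", "push", "branch", "ssh", "settings", "actions")
ENV_ROLES = {
    "admin":       dict(zip(CAPS, (1, 1, 1, 1, 1, 1, 1))),
    "contributor": dict(zip(CAPS, (1, 0, 1, 1, 1, 0, 0))),
    "viewer":      dict(zip(CAPS, (1, 0, 0, 1, 0, 0, 0))),
}
ENV_TYPES = ("production", "staging", "development")

def parse_roles(specs):
    """Parse -r values, e.g. ['admin'] or ['production:viewer,development:contributor']."""
    project_role, env_roles = None, {}
    for spec in specs:
        for item in spec.lower().split(","):
            env_type, sep, role = item.strip().partition(":")
            if sep and env_type in ENV_TYPES and role in ENV_ROLES:
                env_roles[env_type] = role
            elif not sep and env_type in ("admin", "viewer"):
                project_role = env_type  # project-level role
            else:
                raise ValueError(f"unknown role spec: {item!r}")
    return project_role, env_roles

def can(specs, env_type, capability):
    """True if the role specs grant `capability` on environments of `env_type`."""
    project_role, env_roles = parse_roles(specs)
    if project_role == "admin":  # assumption: Project admin acts as Admin on every type
        return True
    if project_role == "viewer" and capability == "view":
        return True
    role = env_roles.get(env_type)
    return bool(role and ENV_ROLES[role][capability])

def review(assignments, env_type="production", capability="ssh"):
    """Return the sorted users holding `capability` on `env_type`."""
    return sorted(u for u, s in assignments.items() if can(s, env_type, capability))

# Constructed sample assignments (not real users), in the page's -r syntax.
SAMPLE = {
    "user1@example.com": ["production:viewer,development:contributor"],
    "user2@example.com": ["development:contributor", "staging:viewer"],
    "user3@example.com": ["admin"],
    "user4@example.com": ["production:contributor"],
}

if __name__ == "__main__":
    print("SSH on production:", review(SAMPLE))
    print("Force push on development:", review(SAMPLE, "development", "force_push"))
```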

Remove a user from a project

To remove a user from a project, you need to be a project admin, be an organization owner, or have the Manage users permission for the organization. To remove a user, run the following command:
upsun user:delete user1@example.com
To apply SSH access changes after changing a user’s permissions for an environment type, trigger a redeploy.

Manage organization access

All users who are added to any project within an organization become members of that organization. By default, such users have no organization permissions. You can also have organization users who aren’t part of any projects. Users who are a part of an organization with the List projects permission can see all projects in that organization at the organization’s URL, which takes the form https://console.upsun.com/ORGANIZATION_NAME. They can only access projects they’ve been explicitly invited to. For more information on project access control, see how to manage project users.

Organization permissions

As an organization owner or an organization user with the Manage users permission, you can invite other users to your organization and grant them the following permissions:
  • Admin (owner): Manage the organization and access all organization permissions, including all listed below.
  • Manage billing (billing): Add, remove, and edit billing information. Access invoices and vouchers. Users with this permission receive monthly invoices by email.
  • Manage users (members): Add, remove, and edit organization-level users and permissions, except their own. Users with this permission can’t grant other users permissions that they themselves don’t have.
  • Create projects (projects:create): Create new projects within the organization.
  • List projects (projects:list): See all projects in an organization, even those the user can’t access.
Users with the Manage users (members) permission can add, edit, or remove any user’s permissions except their own. Users with the Manage billing (billing) permission are automatically granted the List projects (projects:list) permission. That is, they are able to see all organization projects once given billing rights.
Users without any of these permissions can only access projects where they’re users. They can’t access or manage the rest of the organization. Organization owners have all permissions within their organization. Their permission level can’t be edited. Organization owners can’t be removed from their organization, except through an ownership transfer.
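The delegation rules above (no self-edits, no granting permissions the actor lacks, owners not editable, billing implying projects:list) can be modelled as a pre-check for permission changes. This is an added example that models the rules as stated on this page, not Upsun's implementation; the function names and the sample organization are constructed.

```python
ORG_PERMISSIONS = {"owner", "billing", "members", "projects:create", "projects:list"}

def effective(perms):
    """Expand a set of organization permission keys as the page describes."""
    perms = set(perms)
    unknown = perms - ORG_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    if "owner" in perms:      # owners have all permissions within the organization
        return set(ORG_PERMISSIONS)
    if "billing" in perms:    # billing is automatically granted projects:list
        perms.add("projects:list")
    return perms

def check_update(actor, target, requested, org):
    """Return (allowed, reason) for `actor` setting `target`'s permissions.

    `org` maps email -> list of permission keys held today.
    """
    actor_perms = effective(org[actor])
    if not ({"owner", "members"} & actor_perms):
        return False, "actor lacks Manage users (members)"
    if "owner" in effective(org.get(target, [])):
        return False, "an owner's permission level can't be edited"
    if actor == target:
        return False, "users can't edit their own permissions"
    missing = effective(requested) - actor_perms
    if missing:
        return False, "actor can't grant what they lack: " + ", ".join(sorted(missing))
    return True, "ok"

# Constructed sample organization (not real users).
ORG = {
    "owner@example.com": ["owner"],
    "alice@example.com": ["members", "projects:create"],
    "bob@example.com": ["billing"],
    "carol@example.com": [],
}

if __name__ == "__main__":
    for actor, target, req in [
        ("alice@example.com", "carol@example.com", ["projects:create"]),
        ("alice@example.com", "carol@example.com", ["billing"]),
        ("alice@example.com", "alice@example.com", ["owner"]),
        ("bob@example.com", "carol@example.com", ["projects:list"]),
    ]:
        print(actor, "->", target, req, check_update(actor, target, req, ORG))
```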

Viewer permissions

A user is considered a viewer only if all of the following are true:
  • Their organization-level permissions are limited to view, projects:list, or billing
  • They are not an admin or contributor on any project
  • They do not have team-level access that grants admin permissions
If any of these conditions are not met, the user is counted as an admin for billing.

Add a user to an organization

To invite a user to your organization, run the following command:
upsun organization:user:add EMAIL_ADDRESS --org ORGANIZATION_NAME --permission PERMISSIONS
For example, to invite alice@example.com to the acme organization with the Manage billing and Create projects permissions, run the following command:
upsun organization:user:add alice@example.com --org acme --permission billing,projects:create
All users you invite receive an invitation email with instructions.

Manage organization users

To update permissions for a user in your organization, run the following command:
upsun organization:user:update EMAIL_ADDRESS --org ORGANIZATION_NAME --permission PERMISSIONS
For example, to update the permissions for alice@example.com in your acme organization so that she has only the Manage billing permission, run the following command:
upsun organization:user:update alice@example.com --org acme --permission billing

Remove a user from an organization

To remove a user from your organization, run the following command:
upsun organization:user:delete EMAIL_ADDRESS --org ORGANIZATION_NAME
For example, to remove alice@example.com from your acme organization, run the following command:
upsun organization:user:delete alice@example.com --org acme
Removing a user from an organization removes them from all projects they were a member of.
Last modified on March 11, 2026