> ## Documentation Index
> Fetch the complete documentation index at: https://developer.upsun.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Administer users

> Manage user access and permissions across all your projects and organizations.

export const VariableBlock = ({name}) => {
  return <var spellCheck={false} title={`Replace '${name}' with your own data`}>{name}</var>;
};

export const SettingsIcon = () => <svg width="24px" height="24px" style={{
  display: 'inline',
  verticalAlign: 'middle'
}}>
    <title id="settings-icon">Settings</title>
    <path d="M10.5289 21.9416C9.86066 21.8582 9.3595 21.3576 9.19245 20.6903L9.02539 19.6892C8.85834 19.6058 8.77482 19.6058 8.60776 19.5224L7.93955 20.0229C7.43839 20.44 6.68665 20.44 6.10196 20.0229C6.10196 20.0229 4.09732 18.1042 4.01379 17.9374C3.51263 17.3535 3.51263 16.6027 3.93027 16.0187L4.51495 15.3514C4.43143 15.1845 4.43143 15.1011 4.3479 14.9343L3.42911 14.7674C2.76089 14.684 2.25973 14.1835 2.09268 13.4327C2.00915 13.1824 2.09268 10.4296 2.09268 10.4296C2.17621 9.76222 2.67737 9.2617 3.34558 9.09486L4.3479 8.92802C4.43143 8.8446 4.43143 8.76118 4.51495 8.59434L4.01379 7.92697C3.59616 7.42645 3.59616 6.67567 4.01379 6.09173C4.01379 6.09173 5.93491 4.08964 6.10196 4.00622C6.68665 3.5057 7.43839 3.5057 8.02307 3.9228L8.69129 4.50675C8.85834 4.42333 8.94187 4.42333 9.10892 4.33991L9.27597 3.42228C9.3595 2.75492 9.86066 2.2544 10.6124 2.08756C10.863 2.00414 13.2853 2.00414 13.5358 2.08756H13.6194C14.2876 2.17098 14.7887 2.6715 14.9558 3.33886L15.1228 4.33991C15.2064 4.42333 15.2899 4.50675 15.457 4.50675L16.1252 4.00622C16.6263 3.58912 17.3781 3.58912 17.9628 4.00622C17.9628 4.00622 19.9674 5.92489 20.0509 6.09173C20.5521 6.67567 20.5521 7.42645 20.1344 8.0104L19.6333 8.67776C19.7168 8.8446 19.7168 9.01144 19.8003 9.09486L20.7191 9.2617C21.3873 9.34512 21.972 9.92906 22.0556 10.5964V13.5996C21.972 14.2669 21.4709 14.7674 20.8027 14.9343L19.8003 15.1011C19.7168 15.268 19.7168 15.3514 19.6333 15.5182L20.218 16.269C20.6356 16.7695 20.6356 17.5203 20.218 18.1042L18.0463 20.2732C17.4616 20.6903 16.7099 20.6903 16.2087 20.2732L15.3734 19.6058C15.2064 19.6892 15.1228 19.6892 14.9558 19.7726L14.7887 20.6903C14.7052 21.3576 14.1205 21.9416 13.4523 22.025H10.5289V21.9416ZM11.5312 20.3566C11.8653 20.3566 12.1994 20.3566 12.45 20.3566C12.8676 20.3566 13.2017 20.0229 13.2853 19.6058L13.3688 18.9384C13.3688 18.6882 13.6194 18.4379 13.8699 18.2711L15.1228 17.7706C15.3734 17.6871 15.7075 17.6871 15.9581 17.854L16.5428 18.2711C16.8769 18.5213 17.3781 18.5213 17.6286 18.1877C17.7957 18.0208 18.0463 17.7706 18.2969 17.5203C18.5474 17.1866 18.631 16.7695 18.3804 16.4358L17.8792 16.0187C17.7122 15.7685 17.6286 15.4348 17.7957 15.1845L18.2969 14.0167C18.3804 13.7664 18.631 13.5996 18.9651 13.5161L19.6333 13.4327C20.0509 13.3493 20.385 13.0156 20.385 12.5985C20.385 12.2648 20.385 11.9311 20.385 11.6809C20.385 11.2638 20.0509 10.9301 19.6333 10.8467L18.9651 10.7633C18.7145 10.7633 18.4639 10.513 18.2969 10.2627L17.7957 9.01144C17.7122 8.76118 17.7122 8.4275 17.8792 8.17724L18.2969 7.59329C18.5474 7.25961 18.5474 6.84251 18.2133 6.50883C18.0463 6.34199 17.7957 6.09173 17.5451 5.84147C17.211 5.50779 16.7934 5.50779 16.4593 5.75805L16.0416 6.17515C15.7911 6.34199 15.457 6.42541 15.2064 6.25857L14.037 5.75805C13.7864 5.67463 13.6194 5.42437 13.5358 5.09069L13.3688 4.50675C13.2853 4.08964 12.9511 3.75596 12.5335 3.75596C12.1994 3.75596 11.8653 3.75596 11.6147 3.75596C11.1971 3.75596 10.863 4.08964 10.7795 4.50675L10.6959 5.17411C10.6959 5.42437 10.4453 5.67463 10.1948 5.84147L9.02539 6.25857C8.69129 6.42541 8.44071 6.34199 8.19013 6.17515L7.60544 5.75805C7.27133 5.50779 6.77017 5.50779 6.51959 5.84147C6.26901 6.00831 6.10196 6.25857 5.85138 6.42541C5.6008 6.75909 5.51727 7.17619 5.85138 7.50987L6.18549 8.09382C6.35254 8.34408 6.43607 8.67776 6.26901 8.92802L5.76785 10.0959C5.68433 10.3462 5.43375 10.513 5.09964 10.5964L4.43143 10.6798C4.01379 10.7633 3.67969 11.0969 3.67969 11.514C3.67969 11.8477 3.67969 12.1814 3.67969 12.4317C3.67969 12.8488 4.01379 13.1825 4.43143 13.2659L5.09964 13.3493C5.35022 13.3493 5.6008 13.5996 5.76785 13.8498L6.26901 15.1011C6.35254 15.3514 6.35254 15.6851 6.18549 15.9353L5.76785 16.5193C5.51727 16.8529 5.51727 17.3535 5.85138 17.6037C6.01843 17.7706 6.26901 18.0208 6.51959 18.2711C6.8537 18.5213 7.27133 18.6048 7.60544 18.3545L8.02307 17.854C8.27365 17.6871 8.60776 17.6037 8.85834 17.7706L10.0277 18.2711C10.2783 18.3545 10.4453 18.6048 10.5289 18.9384L10.6124 19.6058C10.7795 20.0229 11.1136 20.3566 11.5312 20.3566ZM18.798 6.92593C18.798 6.92593 18.798 7.00935 18.798 6.92593V6.92593Z"></path>
    <path d="M12.0324 17.0198C9.27597 17.0198 7.02075 14.7675 7.02075 12.0146C7.02075 9.26172 9.27597 7.00937 12.0324 7.00937C14.7887 7.00937 17.044 9.26172 17.044 12.0146C17.044 14.7675 14.7887 17.0198 12.0324 17.0198ZM12.0324 8.67777C10.1948 8.67777 8.69129 10.1793 8.69129 12.0146C8.69129 13.8498 10.1948 15.3514 12.0324 15.3514C13.8699 15.3514 15.3734 13.8498 15.3734 12.0146C15.3734 10.1793 13.8699 8.67777 12.0324 8.67777Z"></path>
  </svg>;

export const MoreIcon = () => <svg width="24px" height="24px" style={{
  display: 'inline',
  verticalAlign: 'middle'
}}>
    <title id="more-icon">More</title>
    <path d="M12 6.5C12.8284 6.5 13.5 5.82843 13.5 5C13.5 4.17157 12.8284 3.5 12 3.5C11.1716 3.5 10.5 4.17157 10.5 5C10.5 5.82843 11.1716 6.5 12 6.5Z" fill="current"></path>
    <path d="M12 13.5C12.8284 13.5 13.5 12.8284 13.5 12C13.5 11.1716 12.8284 10.5 12 10.5C11.1716 10.5 10.5 11.1716 10.5 12C10.5 12.8284 11.1716 13.5 12 13.5Z" fill="current"></path>
    <path d="M12 20.5C12.8284 20.5 13.5 19.8284 13.5 19C13.5 18.1716 12.8284 17.5 12 17.5C11.1716 17.5 10.5 18.1716 10.5 19C10.5 19.8284 11.1716 20.5 12 20.5Z" fill="current"></path>
  </svg>;

Upsun offers fine-grained and flexible user permissions across projects and organizations.
When a user is added to a project, they are automatically added to your organization.

<Note>
  <h4>Available add-on</h4>
  The Advanced User Management add-on offers [teams](/docs/administration/teams), [MFA enforcement within an organization](/docs/administration/security/mfa) and [single sign-on](/docs/administration/security/sso). See how to [subscribe to this add-on](/docs/administration/billing/add-on-subscription#advanced-user-management-add-on).
</Note>

## Manage project access

If you have set up an external integration to GitHub, GitLab, or Bitbucket and your users can't clone the project locally,
see how to [troubleshoot source integrations](/docs/integrations/source/troubleshoot).

### Project roles

A user can have one of the following roles to control their access at project level:

| Role           | View environment | Push code | Manage user access | Change settings | Execute actions on all environments |
| -------------- | ---------------- | --------- | ------------------ | --------------- | ----------------------------------- |
| Project admin  | Yes              | Yes       | Yes                | Yes             | Yes                                 |
| Project viewer | Yes              | No        | No                 | No              | No                                  |

By default, organization owners have **Project admin** access on all of the projects within their organization.

### Environment type roles

An environment type (Production, Staging, and Development) groups one or more environments together so that you can manage access for all environments of that type:

* A role assigned to an environment type applies to all environments of that type.
* Only one environment per project can be of the type: Production.
  It is set automatically as the default branch and can't be overridden separately.
* You can change an environment's type (except for the Production environment).
* You can have multiple preview (staging and development) environments.

A user can have one of the following roles on an environment type which grants them permissions on all environments of this type:

| Role        | View environment | Force push | Push code | Branch environment | SSH access | Change settings | Execute actions |
| ----------- | ---------------- | ---------- | --------- | ------------------ | ---------- | --------------- | --------------- |
| Admin       | Yes              | Yes        | Yes       | Yes                | Yes        | Yes             | Yes             |
| Contributor | Yes              | No         | Yes       | Yes                | Yes        | No              | No              |
| Viewer      | Yes              | No         | No        | Yes                | No         | No              | No              |

To customize which roles can use SSH, set [`access` in your app configuration](/docs/configure-apps/image-properties/access).

### View a user's permissions across all of the projects in your organization

For each user, you can view a summary of their roles and permissions
across all projects in your organization.

<Tabs>
  <Tab title="Using the CLI">
    This feature is available for **v4.1.2+** of the CLI.

    Run a command similar to the following,
    using the email address of the user whose permissions you want to view:

    ```bash theme={null}
    upsun organization:user:projects --org <ORGANIZATION_NAME> <EMAIL_ADDRESS>
    ```
  </Tab>

  <Tab title="In the Console">
    1. Open the organization menu (your organization name in the upper-left).
    2. Click **Users**.
    3. For the user whose user permissions you want to view, click **<MoreIcon /> More**.
    4. Click **Edit user**.
  </Tab>
</Tabs>

### Add a user to a project

To invite a user, you need to be a [project admin](#project-roles).

To add a user, follow these steps:

<Tabs>
  <Tab title="Using the CLI">
    To add a user, run the following command:

    ```bash theme={null}
    upsun user:add <EMAIL_ADDRESS> -r <PERMISSIONS_TO_GRANT>
    ```

    For example, if you want to add `user1@example.com` to the project as a project admin,
    run the following command:

    ```bash theme={null}
    upsun user:add user1@example.com -r admin
    ```

    If you want to add `user2@example.com` to the project as a contributor for Development environments
    and a viewer for Staging environments,
    run the following command:

    ```bash theme={null}
    upsun user:add user2@example.com -r development:contributor -r staging:viewer
    ```
  </Tab>

  <Tab title="In the Console">
    1. Select the project where you want to add a new user.
    2. Click <SettingsIcon /> **Settings**.
    3. Click **Access**.
    4. Click **+ Add**.
    5. Add the user's details and choose their permissions.
    6. Click **Save**.
  </Tab>
</Tabs>

The user has to create an account before they can access the project.
Once you add a user to a project, they receive an invitation email with instructions.

To apply SSH access changes after you add a user to a project,
[trigger a redeploy](/docs/troubleshooting/general#force-a-redeploy).

### Manage project users

To manage user permissions on a project, you need to be a [project admin](#project-roles),
be an organization owner, or have the [**Manage users** permission for the organization](#organization-permissions).

To change user permissions, follow these steps:

<Tabs>
  <Tab title="Using the CLI">
    To update an existing user's permissions, run the following command:

    ```bash theme={null}
    upsun user:update <EMAIL_ADDRESS> -r <PERMISSIONS_TO_GRANT>
    ```

    If you want `user1@example.com` to be a viewer for Production environments
    and a contributor for Development environments,
    run the following command:

    ```bash theme={null}
    upsun user:update user1@example.com -r production:viewer,development:contributor
    ```
  </Tab>

  <Tab title="In the Console">
    1. Select the project where you want to update user access.
    2. Click <SettingsIcon /> **Settings**.
    3. Click **Access**.
    4. Click the user you want to update permissions for.
    5. Update environment type permissions, or click **Remove user**.
    6. Click **Accept**.
  </Tab>
</Tabs>

To apply SSH access changes after you add a remove a user from a project or environment type,
[trigger a redeploy](/docs/troubleshooting/general#force-a-redeploy).

### Remove a user from a project

To remove a user from a project, you need to be a [project admin](#project-roles),
be an organization owner, or have the [**Manage users** permission for the organization](#organization-permissions).

To remove a user, follow these steps:

<Tabs>
  <Tab title="Using the CLI">
    Run the following command:

    ```bash theme={null}
    upsun user:delete user1@example.com
    ```
  </Tab>

  <Tab title="In the Console">
    1. Open the organization menu (your organization name in the upper-left).
    2. Click **Users**.
    3. For the user you want to remove, click **<MoreIcon /> More**.
    4. Click on the **Projects** tab
    5. For the project you want to remove them from, click **<MoreIcon /> More**.
    6. Click **Remove from project**.
    7. Click **Yes**.
  </Tab>
</Tabs>

To apply SSH access changes after changing a user's permissions for an environment type,
[trigger a redeploy](/docs/troubleshooting/general#force-a-redeploy).

## Manage organization access

All users who are added to any project within an organization become members of that organization.
By default, such users have no [organization permissions](#organization-permissions).
You can also have organization users who aren't part of any projects.

Users who are a part of an organization with the **List projects** permission can see all projects in that organization at the organization's URL,
which takes the form `https://console.upsun.com/<ORGANIZATION_NAME>`.
They can only access projects they've been explicitly invited to.
For more information on project access control, see how to [manage project users](#manage-project-users).

### Organization permissions

As an organization owner or an organization user with the **Manage users** permission, you can invite other users to your organization and grant them the following permissions:

* **Admin** (`owner`):
  Manage the organization and access all organization permissions, including all listed below.
* **Manage billing** (`billing`):
  Add, remove, and edit billing information.
  Access invoices and vouchers.
  Users with this permission receive monthly invoices by email.
* **Manage users** (`members`):
  Add, remove, and edit organization-level users and permissions, except their own.
  Users with this permission can't grant other users permissions that they themselves don't have.
* **Create projects** (`projects:create`):
  Create new projects within the organization.
* **List projects** (`projects:list`):
  See all projects in an organization, even those the user can't access.

<Note>
  Users with the **Manage users** (`members`) permission can add, edit, or remove *any* user's permissions except their own.

  Users with the **Manage billing** (`billing`) permission automatically are granted **List projects** (`projects:list`) permission.
  That is, they are able to see all organization projects once given billing rights.
</Note>

Users without any of these permissions can only access [projects where they're users](#project-roles).
They can't access or manage the rest of the organization.

Organization owners have all permissions within their organization.
Their permission level can't be edited.
Organization owners can't be removed from their organization,
except through an [ownership transfer](/docs/administration/organizations#transfer-project-ownership).

#### Viewer permissions

A user is considered a viewer only if **all** of the following are true:

* Their organization-level permissions are limited to **view**, `project:list`, or **billing**
* They are **not** an admin or contributor on any project
* They do **not** have team-level access that grants admin permissions

<Note>
  If any of these conditions are not met, the user is counted as an **admin** for billing.
</Note>

### Add a user to an organization

<Tabs>
  <Tab title="Using the CLI">
    To invite a user to your organization, run the following command:

    ```bash theme={null}
    upsun organization:user:add <EMAIL_ADDRESS> --org <ORGANIZATION_NAME> --permission <PERMISSIONS>
    ```

    For example, to invite `alice@example.com` to the `acme` organization
    with the **Manage billing** and **Create projects** permissions, run the following command:

    ```bash theme={null}
    upsun organization:user:add alice@example.com --org acme --permission billing,projects:create
    ```
  </Tab>

  <Tab title="Using the Console">
    1. Open the organization menu (your organization name in the upper-left).
    2. Click **Users**.
    3. Click **+ Invite users**.
    4. Enter the users' email addresses separated by commas.
    5. Select which organization-wide permissions they should have.
    6. Click **Invite**.
  </Tab>
</Tabs>

All users you invite receive an invitation email with instructions.

### Manage organization users

<Tabs>
  <Tab title="Using the CLI">
    To update permissions for a user in your organization, run the following command:

    ```bash theme={null}
    upsun organization:user:update <EMAIL_ADDRESS> --org <ORGANIZATION_NAME> --permission <PERMISSIONS>
    ```

    For example, to update the permissions for `alice@example.com` in your `acme` organization
    so that she has only the **Manage billing** permission, run the following command:

    ```bash theme={null}
    upsun organization:user:update alice@example.com --org acme --permission billing
    ```
  </Tab>

  <Tab title="Using the Console">
    1. Open the organization menu (your organization name in the upper-left).
    2. Click **Users**.
    3. Next to the user you want to manage, click **<MoreIcon /> More**.
    4. Click **Edit user**.

    You see all the projects the user is a part of and their permissions in those projects.
    You also see their permissions across the organization.

    To edit their organization permissions, follow these steps:

    1. Select or clear the checkboxes for the relevant permissions.
    2. Click **Save**.
    3. Click **Yes**.
  </Tab>
</Tabs>

### Remove a user from an organization

<Tabs>
  <Tab title="Using the CLI">
    To update remove a user from your organization, run the following command:

    ```bash theme={null}
    upsun organization:user:delete <EMAIL_ADDRESS> --org <ORGANIZATION_NAME>
    ```

    For example, to remove `alice@example.com` from your `acme` organization, run the following command:

    ```bash theme={null}
    upsun organization:user:delete alice@example.com --org acme
    ```
  </Tab>

  <Tab title="Using the Console">
    1. Open the organization menu (your organization name in the upper-left).
    2. Click **Users**.
    3. Next to the user you want to remove, click **<MoreIcon /> More**.
    4. Click **Remove from organization**.

    To delete users in bulk, select the users to remove and click **Remove users from organization**.
  </Tab>
</Tabs>

Remove a user from an organization will remove them from all projects they were a member of.