Manage users
Users are one of the primary access principals in Temporal Cloud. Each user is assigned one account-level role, and each role has a set of permissions. In addition to account-level roles, users can also be assigned Namespace-level permissions for specific Namespaces. Each user can only perform an action if they have a role that grants them the necessary permissions.
When you register for Temporal Cloud without joining an existing account, you are assigned the Account Owner role for a new account. You can then invite other users to join the account and assign them roles.
Invite users to your Temporal Cloud account
- Web UI
- tcld
- Cloud Ops API
To invite users using the Temporal Cloud UI:
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page, select Create Users in the upper-right portion of the window.
- On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
- In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
- If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
- When all permissions are assigned, select Send Invite.
Use the tcld user invite command. Specify the user's email, an account-level role, and optionally one or more Namespace permissions.
Available account roles: admin | developer | read.
Available Namespace permissions: Admin | Write | Read.
tcld user invite \
--user-email <user@example.com> \
--account-role <role> \
--namespace-permission <namespace>=<permission>
You can invite multiple users and assign multiple Namespace permissions in a single request:
tcld user invite \
--user-email user1@example.com \
--user-email user2@example.com \
--account-role developer \
--namespace-permission ns1=Admin \
--namespace-permission ns2=Write
You can invite users programmatically using the Cloud Ops API.
- Create a connection to your Temporal Service using the Cloud Operations API.
- Use the CreateUser service to create a user.
Each new user receives an email with a link to accept the invitation and complete their setup. Unless the account has a SAML configuration, the new user must use this link to sign up before they are added to your account. If your account has a SAML configuration, the new user can sign in with their existing SAML credentials and is included in the account automatically.
The new user must use the same authentication method they originally signed up with to sign in to Temporal Cloud. If they used single sign-on (SSO), they must use the same SSO provider to sign in to Temporal Cloud. If they used email and password authentication, they must use the same email and password to sign in to Temporal Cloud, and cannot use SSO, even if the underlying email address is the same.
Global Admin roles cannot assign the Account Owner role or the Finance Admin role to new users they invite to the account.
Update a user's account-level role
With Global Admin or Account Owner privileges, you can update any user's account-level role. The Account Owner role can only be granted by existing Account Owners.
For security reasons, you cannot remove the Account Owner role from a user yourself. Removing the Account Owner role must be done through Temporal Support: submit a support ticket to request it.
- Web UI
- tcld
- Cloud Ops API
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page, select the user.
- On the user profile page, select Edit User.
- On the Edit User page in Account Level Role, select the role.
- Select Save.
Use the tcld user set-account-role command. Specify the user by email or ID and the new role.
Available account roles: admin | developer | read. The Account Owner and Finance Admin roles cannot be assigned through tcld; use the Web UI or Cloud Ops API to assign these roles.
tcld user set-account-role --user-email <user@example.com> --account-role <role>
You can also identify the user by ID:
tcld user set-account-role --user-id <user-id> --account-role <role>
Use the UpdateUser endpoint to update a user's account-level role.
POST /cloud/users/{userId}
The request body includes a spec with the user's access.account_access.role field set to the desired role.
Available roles: ROLE_OWNER | ROLE_ADMIN | ROLE_DEVELOPER | ROLE_FINANCE_ADMIN | ROLE_READ.
Update a user's Namespace-level permissions
You can update Namespace-level permissions for any user.
A user with the Account Owner or Global Admin account-level role has Namespace Admin permissions for all Namespaces.
- Web UI
- tcld
- Cloud Ops API
Update a user's permissions across multiple Namespaces:
- In Temporal Web UI, select Namespaces in the left portion of the window.
- On the Namespaces page, select the Namespace.
- If necessary, scroll down to the list of permissions.
- On the user profile page in Namespace permissions, select the Namespace.
- On the Namespace page in Account Level Role, select the role.
- Select Save.
Update permissions for multiple users within a single Namespace:
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page in the Users tab, select the user.
- On the user profile page, select Edit User.
- On the Edit User page in Namespace permissions, change the permissions for one or more Namespaces.
- Select Save.
Use the tcld user set-namespace-permissions command. Specify the user by email or ID and one or more Namespace permissions.
Each permission value must be in the format namespace=permission-type.
Available Namespace permissions: Admin | Write | Read.
tcld user set-namespace-permissions --user-email <user@example.com> --namespace-permission <namespace>=<permission>
You can set multiple Namespace permissions in a single request:
tcld user set-namespace-permissions --user-email <user@example.com> \
--namespace-permission ns1=Admin \
--namespace-permission ns2=Write
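The following is an added example, not part of the Temporal documentation and not code from tcld itself. It wraps the three tcld commands described on this page (user invite, user set-account-role and user set-namespace-permissions) in small shell functions that validate every role and permission against the values the page lists before a command line is produced, so that a typo such as ns1=admin or an attempt to hand out the Account Owner role through tcld fails locally instead of producing a confusing server-side error. It assumes only the command and flag names shown above; the functions print the command line and never execute it, and the desired-state rows fed to plan_namespace_permissions are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the Temporal documentation or of tcld.
# Builds tcld user-management command lines from validated input so that a
# mistyped role or permission is caught before anything reaches Temporal Cloud.
# Assumptions: the command and flag names are the ones shown on this page
# (tcld user invite / set-account-role / set-namespace-permissions with
# --user-email, --account-role, --namespace-permission). The functions only
# print a command line; they never execute it.

# Account roles tcld can assign. Account Owner and Finance Admin are deliberately
# absent: the page says those cannot be set through tcld.
TCLD_ACCOUNT_ROLES="admin developer read"
# Namespace permission names are case-sensitive in the tcld examples on the page.
TCLD_NAMESPACE_PERMISSIONS="Admin Write Read"

# in_list WORD LIST: succeed if WORD equals one word of the space-separated LIST.
in_list() {
  for w in $2; do
    [ "$1" = "$w" ] && return 0
  done
  return 1
}

# validate_email ADDRESS: minimal shape check (something@something.something).
validate_email() {
  case "$1" in
    *@*.*) return 0 ;;
    *) echo "'$1' does not look like an email address" >&2; return 1 ;;
  esac
}

# validate_account_role ROLE: succeed only for roles tcld can assign.
validate_account_role() {
  in_list "$1" "$TCLD_ACCOUNT_ROLES" && return 0
  echo "account role '$1' cannot be assigned with tcld (allowed: $TCLD_ACCOUNT_ROLES)" >&2
  return 1
}

# validate_namespace_permission NAMESPACE=PERMISSION: reject a missing '=',
# an empty Namespace and any permission outside Admin|Write|Read.
validate_namespace_permission() {
  case "$1" in
    *=*) ;;
    *) echo "'$1' must have the form namespace=permission" >&2; return 1 ;;
  esac
  _ns=${1%%=*}
  _perm=${1#*=}
  if [ -z "$_ns" ]; then
    echo "'$1' has an empty Namespace" >&2
    return 1
  fi
  in_list "$_perm" "$TCLD_NAMESPACE_PERMISSIONS" && return 0
  echo "permission '$_perm' for Namespace '$_ns' is not one of: $TCLD_NAMESPACE_PERMISSIONS" >&2
  return 1
}

# build_invite_cmd EMAIL ROLE [NAMESPACE=PERMISSION ...]
# Prints one tcld user invite command line, or prints nothing and fails.
build_invite_cmd() {
  u_email=$1; u_role=$2; shift 2
  validate_email "$u_email" || return 1
  validate_account_role "$u_role" || return 1
  cmd="tcld user invite --user-email $u_email --account-role $u_role"
  for np in "$@"; do
    validate_namespace_permission "$np" || return 1
    cmd="$cmd --namespace-permission $np"
  done
  printf '%s\n' "$cmd"
}

# build_set_account_role_cmd EMAIL ROLE
build_set_account_role_cmd() {
  validate_email "$1" || return 1
  validate_account_role "$2" || return 1
  printf 'tcld user set-account-role --user-email %s --account-role %s\n' "$1" "$2"
}

# build_set_namespace_permissions_cmd EMAIL NAMESPACE=PERMISSION [...]
# All of a user's Namespace permissions go into one request, as the page shows.
build_set_namespace_permissions_cmd() {
  u_email=$1; shift
  validate_email "$u_email" || return 1
  if [ $# -lt 1 ]; then
    echo "at least one namespace=permission is required" >&2
    return 1
  fi
  cmd="tcld user set-namespace-permissions --user-email $u_email"
  for np in "$@"; do
    validate_namespace_permission "$np" || return 1
    cmd="$cmd --namespace-permission $np"
  done
  printf '%s\n' "$cmd"
}

# plan_namespace_permissions reads "email namespace permission" rows on stdin
# (a constructed desired-state list, one grant per row), groups the rows per
# user and prints one set-namespace-permissions command per user. Any invalid
# row makes the function return non-zero, so a caller that checks the status
# never runs a partial plan.
plan_namespace_permissions() {
  sort | {
    cur=""; pairs=""
    while read -r row_email row_ns row_perm; do
      if [ -z "$row_email" ]; then continue; fi
      if [ "$row_email" != "$cur" ]; then
        if [ -n "$cur" ]; then
          build_set_namespace_permissions_cmd "$cur" $pairs || exit 1
        fi
        cur=$row_email; pairs=""
      fi
      pairs="$pairs $row_ns=$row_perm"
    done
    if [ -n "$cur" ]; then
      build_set_namespace_permissions_cmd "$cur" $pairs || exit 1
    fi
  }
}
```

Because the functions only print, the normal workflow is to generate the plan, review it (it is the exact set of commands that will grant access), and then run it; for example `printf 'alice@example.com ns1 Admin\n' | plan_namespace_permissions` prints a single set-namespace-permissions command for alice with ns1=Admin. Keeping the role allowlist to admin, developer and read mirrors the page's statement that Account Owner and Finance Admin are not assignable through tcld, so an automation script cannot accidentally escalate a user to those roles.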
Use the SetUserNamespaceAccess endpoint to set a user's permission for a specific Namespace.
POST /cloud/namespaces/{namespace}/users/{userId}/access
Set the access.permission field to the desired permission.
Available permissions: PERMISSION_ADMIN | PERMISSION_WRITE | PERMISSION_READ.
Delete a user from your Temporal Cloud account
You can delete a user from your Temporal Cloud account.
To delete a user, you must have the Account Owner or Global Admin account-level role.
- Web UI
- tcld
- Cloud Ops API
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page, find the user and, on the right end of the row, select Delete.
- In the Delete User dialog, select Delete.
You can also delete a user in two other ways in Web UI:
- User profile page: Select the down arrow next to Edit User and then select Delete.
- Edit User page: Select Delete User.
Use the tcld user delete command. Specify the user by email or ID.
tcld user delete --user-email <user@example.com>
You can also identify the user by ID:
tcld user delete --user-id <user-id>
Use the DeleteUser endpoint to remove a user from your account.
DELETE /cloud/users/{userId}