# User Management
This guide covers managing users and permissions in your AG2Trust organization.
## Understanding Roles
AG2Trust uses role-based access control (RBAC) with four roles:
| Role | Description |
|---|---|
| Owner | Full access, including billing and org deletion |
| Admin | Full access except billing and API key management |
| Member | Can create/manage agents, teams, workflows |
| Viewer | Read-only access to all resources |
## Permission Matrix
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View dashboard | | | | |
| View agents/teams | | | | |
| Create agents | | | | |
| Edit agents | | | | |
| Delete agents | | | | |
| Create teams | | | | |
| Create workflows | | | | |
| Manage providers | | | | |
| Invite users | | | | |
| Remove users | | | | |
| Change user roles | | | | |
| View API keys | | | | |
| Create API keys | | | | |
| Revoke API keys | | | | |
| Billing access | | | | |
| Data retention settings | | | | |
| Delete organization | | | | |
## Inviting Users
### Send an Invitation
- Go to Users in the sidebar
- Click Invite User
- Enter the user's email address
- Select a role
- Click Send Invitation
The user receives an email with:
- Invitation link
- Organization name
- Assigned role
### Invitation States
| State | Description |
|---|---|
| Pending | Email sent, not yet accepted |
| Accepted | User joined the organization |
| Expired | 7 days passed without acceptance |
### Resend Invitation
For pending invitations:
- Go to Users
- Find the pending invitation
- Click Resend
## Managing Users
### View Users
The Users page shows:
- Active users
- Pending invitations
- User roles
- Last active timestamp
### Change User Role
- Go to Users
- Find the user
- Click the role dropdown
- Select new role
- Confirm the change
**Role change effects:** Role changes take effect immediately. A user who is downgraded may lose access to features that the new role does not include.
### Remove User
- Go to Users
- Find the user
- Click Remove
- Confirm removal
Removed users:
- Lose access immediately
- Cannot see organization resources
- Can be re-invited later
## Organization Ownership
### Owner Responsibilities
The organization owner:
- Has full access to all features
- Manages billing and subscription
- Can delete the organization
- Cannot leave (must transfer or delete)
### Transferring Ownership
To transfer ownership:
- Go to Settings > Organization
- Click Transfer Ownership
- Select a user (must be Admin)
- Confirm the transfer
After transfer:
- New owner has full access
- Previous owner becomes Admin
- Cannot be undone (new owner must re-transfer)
## Best Practices
### 1. Minimize Owner Count
Recommended:
```
├── 1 Owner (founder/CTO)
├── 2-3 Admins (engineering leads)
├── Team Members
└── Viewers (stakeholders)
```
### 2. Use Appropriate Roles
| User Type | Recommended Role |
|---|---|
| Founder/CEO | Owner |
| Engineering Lead | Admin |
| Developer | Member |
| Product Manager | Member or Viewer |
| Stakeholder | Viewer |
| Contractor | Member (limited time) |
### 3. Regular Access Reviews
Monthly checklist:
- [ ] Remove departed employees
- [ ] Review role appropriateness
- [ ] Check pending invitations
- [ ] Verify no unnecessary admins
### 4. Document Access Decisions
Maintain a log of:
- Who was granted access
- What role and why
- When access was granted
- When access should be reviewed
## Resource Ownership
### Organization-Owned Resources
All resources belong to the organization, not individual users:
```
Organization: Acme Corp
├── Agents (belong to org)
├── Teams (belong to org)
├── Workflows (belong to org)
└── API Keys (belong to org)
```
This means:
- No "my agents" vs "your agents"
- Users don't own what they create
- Resources stay when users leave
- Permissions are determined by role alone, not by who created a resource
### Implications
| Scenario | Result |
|---|---|
| User creates agent | Org owns agent |
| User leaves | Agent stays |
| User demoted to Viewer | Can still see all agents |
| User promoted to Admin | Can manage all agents |
## Audit Trail
All user management actions are logged:
```json
{
"event": "user_role_changed",
"actor": "owner@company.com",
"target": "developer@company.com",
"old_role": "member",
"new_role": "admin",
"timestamp": "2025-01-15T10:30:00Z"
}
```
View audit logs in Compliance > Audit Logs.
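As an added example (not AG2Trust's own code), the following Python reads events in the format shown above and produces the items the monthly access-review checklist under Best Practices asks for: privilege escalations and self-applied role changes to look at, the current role of each user after replaying changes, and the list of privileged accounts. The sample events are constructed, and the admin-count cap is an assumption for illustration.

```python
"""Access-review helper over AG2Trust-style audit events (added example).
Only the "user_role_changed" event shape and field names come from the
guide; the sample events are constructed, not real log output."""
from datetime import datetime, timezone

ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}
PRIVILEGED = {"admin", "owner"}

# Constructed sample events using the guide's field names.
SAMPLE_EVENTS = [
    {"event": "user_role_changed", "actor": "owner@company.com",
     "target": "developer@company.com", "old_role": "member",
     "new_role": "admin", "timestamp": "2025-01-15T10:30:00Z"},
    {"event": "user_role_changed", "actor": "admin@company.com",
     "target": "pm@company.com", "old_role": "member",
     "new_role": "viewer", "timestamp": "2025-01-16T09:00:00Z"},
    {"event": "user_role_changed", "actor": "admin@company.com",
     "target": "admin@company.com", "old_role": "admin",
     "new_role": "owner", "timestamp": "2025-01-14T08:00:00Z"},
]

def parse_ts(value):
    # The guide's timestamps are UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_role_changes(events):
    """Return (reason, target, new_role) findings that deserve a human look:
    escalations into a privileged role and actors changing their own role."""
    findings = []
    for e in events:
        if e.get("event") != "user_role_changed":
            continue
        old, new = ROLE_RANK[e["old_role"]], ROLE_RANK[e["new_role"]]
        if new > old and e["new_role"] in PRIVILEGED:
            findings.append(("escalation", e["target"], e["new_role"]))
        if e["actor"] == e["target"]:
            findings.append(("self_change", e["target"], e["new_role"]))
    return findings

def current_roles(initial, events):
    """Replay role changes in timestamp order over a known starting roster."""
    roles = dict(initial)
    for e in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        if e.get("event") == "user_role_changed":
            roles[e["target"]] = e["new_role"]
    return roles

def privileged_accounts(roles, max_admins=3):
    """List admins/owners and flag when admins exceed the (assumed) review cap."""
    priv = sorted(u for u, r in roles.items() if r in PRIVILEGED)
    return priv, sum(roles[u] == "admin" for u in priv) > max_admins
```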
## Troubleshooting
### User can't log in
- Check invitation was accepted
- Verify user email is correct
- Check user wasn't removed
- Have the user reset their password
### User missing permissions
- Check user's current role
- Verify role has needed permission
- Upgrade role if appropriate
- Refresh the page to rule out a stale UI
### Can't invite users
- Verify you're Owner or Admin
- Check invitation limit (plan-based)
- Ensure the email address is in a valid format
- Check for existing invitation
## Enterprise Features
### Single Sign-On (SSO)
*Coming soon*
SAML 2.0 integration for enterprise identity providers:
- Okta
- Azure AD
- OneLogin
- Google Workspace
### Directory Sync
*Coming soon*
Automatic user provisioning from identity provider.
## Next Steps
- Security Model - Full security details
- Data Retention - GDPR compliance
- API Keys - API key management