Managing Members
Members are users who have access to your organization. This guide covers inviting team members, managing roles, and handling access.
Member Roles
Teabar uses a simple two-role model:
| Role | Description |
|---|---|
| Admin | Full organization control, member management, billing access |
| Member | Create and manage environments, view resources |
Admin Capabilities
- Invite and remove members
- Change member roles
- Create and delete projects
- Access all environments (including others’)
- Manage organization settings
- View billing and usage reports
- Generate organization-wide API keys
- View audit logs
Member Capabilities
- Create environments in any project
- Manage own environments
- View all environments (read-only for others’)
- View blueprints and catalog
- Generate personal API keys
- Cannot manage members or organization settings
Inviting Members
Via Web Console
- Go to Organization Settings > Members
- Click “Invite Member”
- Enter email address
- Select role (Admin or Member)
- Optionally add a welcome message
- Click “Send Invitation”
The invited user receives an email with a link to join.
Via CLI
# Invite as member (default role)
teactl member invite [email protected]
# Invite as admin
teactl member invite [email protected] --role admin
# With custom message
teactl member invite [email protected]
--message "Welcome! You've been invited to access our training environments."Invitation Expiration
- Invitations expire after 7 days
- Resend invitations to generate a new link:
teactl member resend [email protected]Bulk Invitations
Invite multiple members at once:
# From a file
cat emails.txt | xargs -I {} teactl member invite {}
# Inline
for email in [email protected] [email protected]; do
teactl member invite $email
doneViewing Members
Via Web Console
Navigate to Organization Settings > Members to see:
- Member list with roles and status
- Pending invitations
- Last activity timestamps
Via CLI
# List all members
teactl member list
# Filter by role
teactl member list --role admin
# Filter by status
teactl member list --status pending
# Get member details
teactl member get [email protected]Changing Roles
Promote to Admin
Web Console:
- Go to Members list
- Click the member’s row
- Click “Change Role”
- Select “Admin”
- Confirm
CLI:
teactl member update [email protected] --role adminDemote to Member
teactl member update [email protected] --role memberWarning
You cannot change your own role. Another admin must make changes to your membership.
Removing Members
Via Web Console
- Go to Members list
- Click the member’s row
- Click “Remove from Organization”
- Confirm removal
Via CLI
# With confirmation
teactl member remove [email protected]
# Skip confirmation
teactl member remove [email protected] --yesWhat Happens When a Member is Removed
- Access revoked immediately - User can no longer access organization resources
- Environments preserved - Environments created by the user remain in the organization
- API keys revoked - All API keys for that user in this organization are invalidated
- Activity history retained - Audit logs and activity records are preserved
Member Activity
Viewing Activity
Web Console:
- Member profile shows recent activity
- Audit logs show all member actions
CLI:
# Get member details including activity
teactl member get [email protected]
# View audit logs for a member
teactl activity list --actor [email protected]Activity Tracking
Member activity tracked includes:
- Environment operations (create, start, stop, delete)
- Blueprint changes
- API key usage
- Login events
- Administrative actions
Single Sign-On (SSO)
OIDC Integration
Teabar supports OIDC providers for authentication:
- Google Workspace
- Microsoft Azure AD
- Okta
- Auth0
- Keycloak
- Any OIDC-compliant provider
Configure SSO in Organization Settings > Security.
SSO vs Email Invitations
| Method | Use Case |
|---|---|
| Email Invitation | External collaborators, contractors |
| SSO | Internal team members with corporate identity |
With SSO enabled, users can join via:
- Email invitation (explicit)
- SSO domain matching (automatic for verified domains)
Best Practices
Access Management
- Principle of least privilege - Start with member role, promote to admin only when needed
- Regular access reviews - Audit member list monthly
- Prompt offboarding - Remove access immediately when someone leaves
Role Assignment Guidelines
| Use Case | Recommended Role |
|---|---|
| Team lead, DevOps engineer | Admin |
| Developer, QA engineer | Member |
| External contractor | Member |
| Billing/finance | Admin (for billing access) |
Security Recommendations
- Limit admins - Keep admin count minimal
- Use SSO - Centralize authentication where possible
- Monitor activity - Review audit logs regularly
- Set up alerts - Configure notifications for sensitive actions
Troubleshooting
Invitation Not Received
- Check spam/junk folder
- Verify email address is correct
- Resend invitation:
teactl member resend [email protected] - Check if email domain is blocked by organization policy
Cannot Access Resources
- Verify membership:
teactl member list - Check role permissions
- Ensure you’re in the correct organization context
- Contact an organization admin
SSO Login Issues
- Verify SSO configuration with your IT team
- Check that your email domain is configured
- Try clearing browser cookies and cache
- Contact organization admin to verify your account
See Also
- Organizations - Organization management
- API Keys - API key management
- Audit Logs - Activity tracking
- teactl member - CLI member commands