Loading

Manage users

You can invite users to join your organization to allow them to interact with all or specific Elastic Cloud resources and settings. After they're invited, you can manage the users in your organization.

Alternatively, configure Elastic Cloud SAML SSO to enable your organization members to join the Elastic Cloud organization automatically.

Agent skill available

A skill is available to help AI agents with this topic.

Learn more about agent skills for Elastic

Get the skill
Note

Users can only belong to one organization at a time. If a user that you want to invite already belongs to a different organization, that user first needs to leave their current organization, or to use a different email address. Check Join an organization from an existing Elastic Cloud account.

Tip

If you're using Elastic Cloud Hosted, then you can also manage users and control access at the deployment level.

  • Only Organization owners can invite new users to the organization.

  • To assign or modify roles for existing members, your permissions must cover the resources affected by the role assignment:

    • Organization owners can manage role assignments for all members in the organization.
    • Members with the Admin role can view and manage role assignments only for deployments or projects within their scope:
      • Admins scoped to all deployments and projects can manage assignments across all resources.
      • Admins scoped to specific deployments or projects can manage assignments only for those resources.

For more information about role scopes and permissions, refer to User roles and privileges.

To invite users to your organization:

  1. Log in to Elastic Cloud.

  2. From the navigation menu, select Organization > Members.

  3. On the Members page, click Invite members.

  4. Enter the email addresses of the users you want to invite in the email field.

    To add multiple members, enter the member email addresses, separated by a space.

  5. If desired, assign roles to the users so that they automatically get the appropriate permissions when they accept the invitation and sign in to Elastic Cloud.

    You can grant access to Elastic Cloud Hosted deployments, Elastic Cloud Serverless projects, or connected clusters, either to all resources or scoped to specific ones. For more details, refer to User roles and privileges.

  6. Click Send invites.

    Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation before it expires. If the invite has expired, an admin can resend the invitation.

On the Members tab of the Organization page, you can view the list of current members, including status and role.

In the Actions column, click the three dots to edit a member’s role, or revoke an invite, or remove a member from your organization.

You can also manage members of your organization using the Elastic Cloud API.

Get information about your organization

Get information about your Elastic Cloud organization.

curl -XGET \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations"
Invite members to your organization

Invite members to your Elastic Cloud organization.

curl -XPOST \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" \
-d '
{
  "emails": [
    "test@test.com"
  ]
}'
  1. One or more email addresses to invite to the organization

When creating an invitation, you can define the user's roles and grant access to resources in the API request body:

curl -XPOST \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" \
-d '
{
  "emails": [
    "test@test.com"
  ],
  "role_assignments": {
    "deployment": [
      {
        "role_id": "deployment-admin",
        "organization_id": "ORG_ID_PLACEHOLDER",
        "all": true
      }
    ],
    "project": {
      "elasticsearch": [
        {
          "role_id": "elasticsearch-viewer",
          "organization_id": "ORG_ID_PLACEHOLDER",
          "all": false,
          "project_ids": [
            "ES_PROJECT_ID_PLACEHOLDER"
          ],
          "application_roles": [
            "logs_viewer"
          ]
        }
      ],
      "observability": [
        {
          "role_id": "observability-editor",
          "organization_id": "ORG_ID_PLACEHOLDER",
          "all": false,
          "project_ids": [
            "OBS_PROJECT_ID_PLACEHOLDER"
          ],
          "application_roles": [
          ]
        }
      ]
    }
  }
}'
  1. When granting a custom serverless role, you need to grant the relevant viewer role ID for the project type.
  2. Custom roles for the user in this Serverless project.
  3. Pass an empty application_roles array to only grant the user Elastic Cloud Console access to the relevant resources. Learn more about access options.
View pending invitations to your organization

View pending invitations to your Elastic Cloud organization.

curl -XGET \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations"
View members in your organization

View members in your Elastic Cloud organization.

curl -XGET \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members"
Remove members from your organization

Remove members from your Elastic Cloud organization.

curl -XDELETE \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members/$USER_IDS"

USER_IDS One or more comma-delimited user ids to remove from the organization