Manage users and roles
In this article, learn how to:
- Invite your team: Invite users in your organization to access serverless projects and specify their roles.
- Assign user roles and privileges: Assign predefined roles to users in your organization.
- Join an organization from an existing Elastic Cloud account: Join a new organization and bring over your projects.
- Leave an organization: Leave an organization.
Invite your team
To allow other users to interact with your projects, you must invite them to join your organization and grant them access to your organization resources and instances.
Alternatively, configure Elastic Cloud SAML SSO to enable your organization members to join the Elastic Cloud organization automatically. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
- Go to the user icon on the header bar and select Organization.
- On the Members page, click Invite members.
- Enter the email addresses of the users you want to invite in the textbox.
  To add multiple members, enter the member email addresses, separated by a space.
  Grant access to all projects of the same type with a unique role, or select individual roles for specific projects. For more details about roles, refer to Assign user roles and privileges.
- Click Send invites.
  Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation before it expires. If the invite has expired, an admin can resend the invitation.
On the Members tab of the Organization page, view the list of current members, including status and role.
In the Actions column, click the three dots to edit a member’s role or revoke the invite.
Assign user roles and privileges
Within an organization, users can have one or more roles and each role grants specific privileges.
You must assign user roles when you invite users to join your organization. To subsequently edit the roles assigned to a user:
- Go to the user icon on the header bar and select Organization.
- Find the user on the Members tab of the Organization page. Click the member name to view and edit its roles.
There are two types of roles you can assign to users:
- Organization-level roles: These roles apply to the entire organization and are not specific to any serverless project or hosted deployment.
- Instance access roles: These roles are specific to each serverless project or hosted deployment.
Organization-level roles
- Organization owner. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization.
- Billing admin. Has access to all invoices and payment methods. Can make subscription changes.
Instance access roles
Each serverless project type has a set of predefined roles that you can assign to your organization members. To assign the predefined roles:
- globally, for all projects of the same type (Elasticsearch Serverless, Observability, or Elastic Security). In this case, the role will also apply to new projects created later.
- individually, for specific projects only. To do that, you have to set the Role for all field of that specific project type to None.
For example, assign a user the developer role for a specific Elasticsearch Serverless project:
You can optionally create custom roles in a project. To assign a custom role to users, go to "Instance access roles" and select it from the list under the specific project it was created in.
Name | Description | Available |
---|---|---|
Admin | Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. | |
Developer | Creates API keys, indices, data streams, adds connectors, and builds visualizations. | |
Viewer | Has read-only access to project details, data, and features. | |
Editor | Configures all Observability or Security projects. Has read-only access to data indices. Has full access to all project features. | |
Tier 1 analyst | Ideal for initial alert triage. General read access, can create dashboards and visualizations. | |
Tier 2 analyst | Ideal for alert triage and beginning the investigation process. Can create cases. | |
Tier 3 analyst | Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. | |
Threat intelligence analyst | Access to alerts, investigation tools, and intelligence pages. | |
Rule author | Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives. | |
SOC manager | Access to alerts, cases, investigation tools, endpoint policy management, and response actions. | |
Endpoint operations analyst | Access to endpoint response actions. Can manage endpoint policies, Fleet, and integrations. | |
Platform engineer | Access to Fleet, integrations, endpoints, and detection content. | |
Detections admin | All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. | |
Endpoint policy manager | Access to endpoint policy management and related artifacts. Can manage Fleet and integrations. | |
Leave an organization
On the Organization page, click Leave organization.
If you’re the only user in the organization, you are able to leave only when you have deleted all projects and don’t have any pending bills.
Join an organization from an existing Elastic Cloud account
If you already belong to an organization and you want to join a new one, you will need to leave your existing organization.
If you want to join a new organization, follow these steps:
- Make sure you do not have active projects or deployments before you leave your current organization.
- Delete your projects and clear any bills.
- Leave your current organization.
- Ask the administrator to invite you to the organization you want to join.
- Accept the invitation that you will get by email.