How to manage users in Temporal Cloud

  • How to invite users to your Temporal Cloud Account
  • What are the available Account-level roles?
  • What are the Namespace-level permissions?

Invite users

Caution

Access to Temporal Cloud is authorized via single sign-on (SSO), currently limited to Google OAuth. The email addresses of all users who need access to Temporal Cloud must be registered with Google.

If an email address is not associated with a Google Account, the user must follow the instructions in the "Use an existing email address" section of "Create a Google Account".

Important: Do not create a Gmail account when creating a Google Account.

When you create a user in Temporal Cloud, the prospective user receives an email invitation. Before accepting the invitation, the user must be logged in to Google using the email address that received the invitation. The user must then click Accept Invite in the message. Attempts to log in to Temporal Cloud before the invite has been accepted fail.

Roles and permissions

Each user in Temporal Cloud is assigned an account-level Role. Each user can also be assigned permissions for individual Namespaces.

Invite users using Web UI

Info

To invite users, a user must have the Global Admin account-level Role.

  1. In Temporal Web UI, click Settings in the lower-left portion of the window.
  2. On the Settings page, click Create Users in the upper-right portion of the window.
  3. On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
  4. In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
  5. If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
  6. When all permissions are assigned, click Send Invite.

Temporal sends an email message to each user. To join Temporal Cloud, a user must click Accept Invite in the message.

What are the account-level Roles for users in Temporal Cloud?

When a Global Admin invites a user to join an account, the Global Admin selects one of the following Roles for that user:

  • Global Admin
    • Has full administrative permissions across the account, including users and usage
    • Has Namespace Admin permissions on all Namespaces in the account
  • Developer
    • Can create and update Namespaces; has full control over Workflows
    • Has Namespace Admin permissions for each Namespace created by that user
  • Read-Only
    • Can only read information

What are the Namespace-level permissions for users in Temporal Cloud?

A Global Admin can assign permissions for any Namespace in an account. A Developer can assign permissions for a Namespace they create.

For a Namespace, a user can have one of the following permissions: