diff --git a/docs/best-practices/managing-namespace.mdx b/docs/best-practices/managing-namespace.mdx
index 6e68b33671..e98116b903 100644
--- a/docs/best-practices/managing-namespace.mdx
+++ b/docs/best-practices/managing-namespace.mdx
@@ -106,7 +106,7 @@ Use a custom [Authorizer](/self-hosted-guide/security#authorizer-plugin) on your
If an Authorizer is not set, Temporal uses the `nopAuthority` authorizer that unconditionally allows all API calls.
-On Temporal Cloud, [role-based access controls](/cloud/users#namespace-level-permissions) provide namespace-level authorization without custom configuration.
+On Temporal Cloud, [role-based access controls](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) provide namespace-level authorization without custom configuration.
### Enable deletion protection (Temporal Cloud only) {#deletion-protection}
diff --git a/docs/cloud/connectivity/index.mdx b/docs/cloud/connectivity/index.mdx
index aa6dab5689..bf4e1ab791 100644
--- a/docs/cloud/connectivity/index.mdx
+++ b/docs/cloud/connectivity/index.mdx
@@ -97,7 +97,7 @@ Connectivity rules can be created and managed with [tcld](https://docs.temporal.
### Permissions and limits
-Only [Account Admins and Account Owners](/cloud/users#account-level-roles) can create and manage connectivity rules. Connectivity rules are visible to Account Developers, Account Admins, and Account Owners.
+Only [Account Admins and Account Owners](/cloud/manage-access/roles-and-permissions#account-level-roles) can create and manage connectivity rules. Connectivity rules are visible to Account Developers, Account Admins, and Account Owners.
By default each namespace is limited to 5 private connectivity rules, and each account is limited to 50 private connectivity rules. You can [contact support](/cloud/support#support-ticket) to request a higher limit.
diff --git a/docs/cloud/get-started/certificates.mdx b/docs/cloud/get-started/certificates.mdx
index dce0cb246a..fa32fcd2f9 100644
--- a/docs/cloud/get-started/certificates.mdx
+++ b/docs/cloud/get-started/certificates.mdx
@@ -324,7 +324,7 @@ stricter controls, such as:
:::note
-To manage certificates for a Namespace, a user must have [Namespace Admin](/cloud/users#namespace-level-permissions)
+To manage certificates for a Namespace, a user must have [Namespace Admin](/cloud/manage-access/roles-and-permissions#namespace-level-permissions)
permission for that Namespace.
:::
diff --git a/docs/cloud/get-started/index.mdx b/docs/cloud/get-started/index.mdx
index 382983e2c3..975ddbb1be 100644
--- a/docs/cloud/get-started/index.mdx
+++ b/docs/cloud/get-started/index.mdx
@@ -79,4 +79,4 @@ See [Managing users](/cloud/users) to add other users and assign them roles.
You can also use [Service Accounts](/cloud/service-accounts) to represent machine identities.
Since you created the account when you signed up, your email address is the first
-[Account Owner](/cloud/users#account-level-roles) for your account.
+[Account Owner](/cloud/manage-access/roles-and-permissions#account-level-roles) for your account.
diff --git a/docs/cloud/get-started/namespaces.mdx b/docs/cloud/get-started/namespaces.mdx
index 537aabec9a..ba685cf538 100644
--- a/docs/cloud/get-started/namespaces.mdx
+++ b/docs/cloud/get-started/namespaces.mdx
@@ -168,10 +168,10 @@ different gRPC endpoint types and how to access them.
:::info
The user who creates a [Namespace](/namespaces) is automatically granted
-[Namespace Admin](/cloud/users#namespace-level-permissions) permission for that Namespace.
+[Namespace Admin](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) permission for that Namespace.
To create a Namespace, a user must have the Developer, Account Owner, or Global Admin account-level
-[Role](/cloud/users#account-level-roles).
+[Role](/cloud/manage-access/roles-and-permissions#account-level-roles).
:::
@@ -196,7 +196,7 @@ To create a Namespace in Temporal Cloud, gather the following information:
- [Codec Server endpoint](/production-deployment/data-encryption#set-your-codec-server-endpoints-with-web-ui-and-cli) to
show decoded payloads to users in the Event History for Workflow Executions in the Namespace. For details, see
[Securing your data](/production-deployment/data-encryption).
-- [Permissions](/cloud/users#namespace-level-permissions) for each user.
+- [Permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for each user.
@@ -393,7 +393,7 @@ On the **Edit** page, you can do the following:
[Codec Server endpoint](/production-deployment/data-encryption#set-your-codec-server-endpoints-with-web-ui-and-cli)
for all users on the Namespace. Each user on the Namespace has the option to
[override this setting](/production-deployment/data-encryption#web-ui) in their browser.
-- Manage [Namespace-level permissions](/cloud/users#namespace-level-permissions).
+- Manage [Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions).
- Add users.
To add a user to a Namespace, scroll to the bottom of the page and select **Add User**.
@@ -420,7 +420,7 @@ commands. For more information, see
:::info
-To delete a Namespace, a user must have Namespace Admin [permission](/cloud/users#namespace-level-permissions) for that
+To delete a Namespace, a user must have Namespace Admin [permission](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for that
Namespace.
:::
@@ -493,7 +493,7 @@ track, and manage namespaces more easily.
### Permissions
-- Only [**Account Admins** and **Account Owners**](/cloud/users#account-level-roles) can create and edit tags
+- Only [**Account Admins** and **Account Owners**](/cloud/manage-access/roles-and-permissions#account-level-roles) can create and edit tags
- All users with access to a namespace can view its tags
### tcld
diff --git a/docs/cloud/get-started/service-accounts.mdx b/docs/cloud/get-started/service-accounts.mdx
index 480d52d8a2..96d1b4b0a3 100644
--- a/docs/cloud/get-started/service-accounts.mdx
+++ b/docs/cloud/get-started/service-accounts.mdx
@@ -19,11 +19,11 @@ tags:
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
-Temporal Cloud provides Account Owner and Global Admin [roles](/cloud/users#account-level-roles) with the option to create machine identities named Service Accounts.
+Temporal Cloud provides Account Owner and Global Admin [roles](/cloud/manage-access/roles-and-permissions#account-level-roles) with the option to create machine identities named Service Accounts.
Service Accounts are a type of identity in Temporal Cloud.
Temporal Cloud supports User identities as a representation of a human user who uses Temporal Cloud.
-Service Accounts afford Temporal Cloud Account Owner and Global Admin [roles](/cloud/users#account-level-roles) the ability to create an identity for machine authentication, an identity not associated with a human user.
+Service Accounts afford Temporal Cloud Account Owner and Global Admin [roles](/cloud/manage-access/roles-and-permissions#account-level-roles) the ability to create an identity for machine authentication, an identity not associated with a human user.
With the addition of Service Accounts, Temporal Cloud now supports 2 identity types:
@@ -41,17 +41,17 @@ Namespace Admins can now manage and create [Namespace-scoped Service Accounts](/
## Manage Service Accounts
-Account Owner and Global Admin [roles](/cloud/users#account-level-roles) can manage Service Accounts by creating, viewing, updating, deleting Service Accounts using the following tools:
+Account Owner and Global Admin [roles](/cloud/manage-access/roles-and-permissions#account-level-roles) can manage Service Accounts by creating, viewing, updating, deleting Service Accounts using the following tools:
- Temporal Cloud UI
- Temporal Cloud CLI (tcld)
- Use `tcld service-account --help` for a list of all service-account commands
-Account Owner and Global Admin [roles](/cloud/users#account-level-roles) also have the ability to manage API Keys for Service Accounts.
+Account Owner and Global Admin [roles](/cloud/manage-access/roles-and-permissions#account-level-roles) also have the ability to manage API Keys for Service Accounts.
### Prerequisites
-- A Cloud user account with Account Owner or Global Admin [role](/cloud/users#account-level-roles) permissions
+- A Cloud user account with Account Owner or Global Admin [role](/cloud/manage-access/roles-and-permissions#account-level-roles) permissions
- Access to the Temporal Cloud UI or Temporal Cloud CLI (tcld)
- Enable access to API Keys for your Account
- To manage Service Accounts using the Temporal Cloud CLI (tcld), upgrade to the latest version of tcld (v0.18.0 or higher) using `brew upgrade tcld`.
diff --git a/docs/cloud/get-started/user-groups.mdx b/docs/cloud/get-started/user-groups.mdx
index b76b618a99..eed09f443c 100644
--- a/docs/cloud/get-started/user-groups.mdx
+++ b/docs/cloud/get-started/user-groups.mdx
@@ -27,13 +27,13 @@ eases the toil of managing individual user permissions and can simplify access m
a new role is needed, it can be added to the group once and all users' access will reflect the
new role.
-User groups can be assigned both [account-level roles](/cloud/users#account-level-roles) and [namespace-level permissions](/cloud/users#namespace-level-permissions).
+User groups can be assigned both [account-level roles](/cloud/manage-access/roles-and-permissions#account-level-roles) and [namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions).
One user can be assigned to many groups. In the event that a user's group memberships have multiple roles for the same resource, the user will have an effective role of the most permissive of the permissions. For example if `Group A` grants a read-only role to a namespace, but `Group B` grants a write role to a namespace then a user that belongs to both `Group A` and `Group B` would have the write role to the namespace.
[Service accounts](/cloud/service-accounts) cannot be assigned to user groups.
-Only users with the Account Owner or Global Admin account-level [role](/cloud/users#account-level-roles) can manage user groups.
+Only users with the Account Owner or Global Admin account-level [role](/cloud/manage-access/roles-and-permissions#account-level-roles) can manage user groups.
## How SCIM groups work with user groups {#scim-groups}
@@ -49,7 +49,7 @@ Using user group and SCIM groups together can be useful when the groups defined
:::info
-All user group administration requires an Account Owner or Global Admin account-level [role](/cloud/users#account-level-roles).
+All user group administration requires an Account Owner or Global Admin account-level [role](/cloud/manage-access/roles-and-permissions#account-level-roles).
:::
diff --git a/docs/cloud/get-started/user-invite.mdx b/docs/cloud/get-started/user-invite.mdx
index 375a837cfd..3bf55f45be 100644
--- a/docs/cloud/get-started/user-invite.mdx
+++ b/docs/cloud/get-started/user-invite.mdx
@@ -20,37 +20,6 @@ tags:
- Users
---
-:::caution
-Access to Temporal Cloud can be authorized through email and password, Google single sign-on, Microsoft single sign-on, or SAML, depending on your setup.
-
-If you are using Google OAuth for single sign-on and an email address is not associated with a Google Account, the user must follow the instructions in the [Use an existing email address](https://support.google.com/accounts/answer/27441?hl=en#existingemail) section of [Create a Google Account](https://support.google.com/accounts/answer/27441).
-
-**Important:** Do _not_ create a Gmail account when creating a Google Account.
-
-If your organization uses Google Workspace or Microsoft Entra ID, and your IT administrator has enabled controls over single sign-on permissions, then you will need to work with your IT administrator to allow logins to Temporal Cloud.
-
-:::
-
-When a user is created in Temporal Cloud, they receive an invitation email with a link.
-They must use this link to finalize their setup and access Temporal Cloud.
-Accounts with SAML configurations can ignore this email.
-However, those using Google/Microsoft SSO or email and password authentication need to accept the invitation link for their initial login to Temporal Cloud.
-For future logins, they must use the same authentication method they originally signed up with.
-
-:::info
-
-To invite users, a user must have the Global Admin or Account Owner account-level [role](/cloud/users#account-level-roles).
-
-:::
-
-### Roles and permissions
-
-Each user in Temporal Cloud is assigned a role.
-Each user can be assigned permissions for individual Namespaces.
-
-- [Account-level roles](/cloud/users#account-level-roles)
-- [Namespace-level permissions](/cloud/users#namespace-level-permissions)
-
@@ -60,89 +29,76 @@ To invite users using the Temporal Cloud UI:
1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, select **Create Users** in the upper-right portion of the window.
1. On the **Create Users** page in the **Email Addresses** box, type or paste one or more email addresses.
-1. In **Account-Level Role**, select a [Role](/cloud/users#account-level-roles).
- The Role applies to all users whose email addresses appear in **Email Addresses**.
-1. If the account has any Namespaces, they are listed under **Grant access to Namespaces**.
- To add a permission, select the checkbox next to a Namespace, and then select a [permission](/cloud/users#namespace-level-permissions).
- Repeat as needed.
+1. In **Account-Level Role**, select a [Role](/cloud/manage-access/roles-and-permissions#account-level-roles). The Role
+ applies to all users whose email addresses appear in **Email Addresses**.
+1. If the account has any Namespaces, they are listed under **Grant access to Namespaces**. To add a permission, select
+ the checkbox next to a Namespace, and then select a
+ [permission](/cloud/manage-access/roles-and-permissions#namespace-level-permissions). Repeat as needed.
1. When all permissions are assigned, select **Send Invite**.
-Temporal sends an email message to each user.
-To join Temporal Cloud, a user must select **Accept Invite** in the message.
-
-To invite users using tcld, see the [tcld user invite](/cloud/tcld/user/#invite) command.
+Use the [`tcld user invite`](/cloud/tcld/user/#invite) command. Specify the user's email, an account-level role, and
+optionally one or more Namespace permissions.
-Temporal sends an email message to the specified user.
-To join Temporal Cloud, the user must select **Accept Invite** in the message.
+Available account roles: `admin` | `developer` | `read`.
-
+Available Namespace permissions: `Admin` | `Write` | `Read`.
-
+```command
+tcld user invite \
+ --user-email \
+ --account-role \
+ --namespace-permission =
+```
-You can invite users pragmatically using the Cloud Ops API.
+You can invite multiple users and assign multiple Namespace permissions in a single request:
-1. Create a connection to your Temporal Service using the Cloud Operations API.
-2. Use the [CreateUser service](https://github.com/temporalio/api-cloud/blob/main/temporal/api/cloud/cloudservice/v1/service.proto) to create a user.
+```command
+tcld user invite \
+ --user-email user1@example.com \
+ --user-email user2@example.com \
+ --account-role developer \
+ --namespace-permission ns1=Admin \
+ --namespace-permission ns2=Write
+```
-
-
-### Frequently Asked Questions
-
-#### Can multiple Temporal Cloud accounts share the same email domain?
-
-Yes. Multiple Temporal Cloud accounts can coexist with users from the same email domain.
-Each account has its own independent SAML configuration, tied to its unique Account ID.
-We recommend configuring [SAML](/cloud/saml) for each account independently.
-
-For a smoother login experience, you can configure SAML for each account separately and use IdP-initiated login: you click the relevant app tile in your identity provider's portal to access the Temporal Cloud account associated with your email address directly.
-
-#### Can the same email be used across different Temporal Cloud accounts?
-
-No — each email address can only be associated with a single Temporal Cloud account.
-If you need access to multiple accounts, you’ll need a separate invite for each one using a different email address.
-
-#### Can I use Google or Microsoft SSO after signing up with email and password?
-
-If you originally signed up for Temporal Cloud using an email and password, you won’t be able to log in using Google or Microsoft single sign-on.
-
-If you prefer SSO, ask your Account Owner to delete your current user and send you a new invitation.
-During re-invitation, be sure to sign up using your preferred authentication method.
+
-#### How do I complete the `Secure Your Account` step?
+Use the [CreateUser](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to invite a user.
-If you signed up to Temporal Cloud using an email and password, you're required to set up multi-factor authentication (MFA) for added security.
-Currently, only authenticator apps are supported as an additional factor (such as Google Authenticator, Microsoft Authenticator, and Authy).
+```
+POST /cloud/users
+```
-To proceed:
+The request body includes a `spec` with the following fields:
-1. Download a supported authenticator app on your mobile device.
-2. Scan the QR code shown on the **Secure Your Account** screen.
-3. Enter the verification code from your app to complete MFA setup.
-4. Securely store your recovery code.
- This code allows you to access your account if you lose access to your authenticator app.
+- `spec.email` — The email address of the user to invite.
+- `spec.access.account_access.role` — The account-level role to assign.
+- `spec.access.namespace_accesses` — A map of Namespace names to permissions.
-Once MFA is configured, you’ll be able to continue using Temporal Cloud.
+Available roles: `ROLE_ADMIN` | `ROLE_DEVELOPER` | `ROLE_READ` | `ROLE_OWNER` | `ROLE_FINANCE_ADMIN`.
-#### What if I lose access to my authenticator app?
+Available Namespace permissions: `PERMISSION_ADMIN` | `PERMISSION_WRITE` | `PERMISSION_READ`.
-If you lose access to your authenticator app, you can still log in by clicking **Try another method** on the MFA screen.
-From there, you can either:
+
-- Enter your recovery code (provided when you first set up MFA)
-- Receive a verification code through email
+
-Once you're logged in, you can reset your authenticator app by navigating to **My Profile** > **Password and Authentication** and then clicking **Authenticator App** > **Remove method**.
+The new users receive an email with a link to accept the invitation and complete their setup. The new user must use this
+link to sign up to be added to your account unless the account has a SAML configuration. If your account has a SAML
+configuration, the new user can sign in using their existing SAML credentials and be included in the account
+automatically.
-#### How do I reset my password?
+:::caution
-If you're currently logged in and would like to change your password, click your profile icon at the top right of the Temporal Cloud UI,
-navigate to **My Profile** > **Password and Authentication**, and then click **Reset Password**.
+The new user must use the same authentication method they originally signed up with to sign in to Temporal Cloud. If
+they used single sign-on (SSO), they must use the same SSO provider to sign in to Temporal Cloud. If they used email and
+password authentication, they must use the same email and password to sign in to Temporal Cloud, and cannot use SSO,
+even if the underlying email address is the same.
-If you're not currently logged in, navigate to the login page of the Temporal Cloud UI, enter your email address, click **Continue**, and then select **Forgot password**.
-In both cases, you will receive an email with instructions on how to reset your password.
+:::
diff --git a/docs/cloud/get-started/users.mdx b/docs/cloud/get-started/users.mdx
index cc7a0e4861..b0ab4a8b22 100644
--- a/docs/cloud/get-started/users.mdx
+++ b/docs/cloud/get-started/users.mdx
@@ -2,7 +2,9 @@
id: users
title: Manage users
sidebar_label: Manage users
-description: Learn how to manage user invitations, account-level roles, and Namespace-level permissions in Temporal Cloud. Invite users, update roles, and delete users seamlessly using the Temporal Web UI, tcld, or the Cloud Ops API.
+description:
+ Manage user invitations, account-level roles, and Namespace-level permissions in Temporal Cloud. Invite users, update
+ roles, and delete users seamlessly using the Temporal Web UI, tcld, or the Cloud Ops API.
slug: /cloud/users
toc_max_heading_level: 4
keywords:
@@ -20,139 +22,104 @@ tags:
- Users
---
-- [How to invite users to your Temporal Cloud account](#invite-users)
-- [What are the account-level roles?](#account-level-roles)
-- [What are the Namespace-level permissions?](#namespace-level-permissions)
-- [How to update an account-level Role in Temporal Cloud](#update-roles)
-- [How to update Namespace-level permissions in Temporal Cloud](#update-permissions)
-- [How to delete a user from your Temporal Cloud account](#delete-users)
-- [How to troubleshoot account access issues](#troubleshoot-access)
+Users are one of the primary access principals in Temporal Cloud. Each user is assigned one
+[account-level role](/cloud/manage-access/roles-and-permissions#account-level-roles), and each role has a set of
+permissions. In addition to account-level roles, users can also be assigned
+[Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for specific
+Namespaces. Each user can only perform an action if they have a role that grants them the necessary permissions.
-## How to invite users to your Temporal Cloud account {#invite-users}
+When you register for Temporal Cloud without joining an existing account, you are assigned the Account Owner role for a
+new account. You can then invite other users to join the account and assign them roles.
-import InvitationContent from '@site/docs/cloud/get-started/user-invite.mdx'
+## Invite users to your Temporal Cloud account {#invite-users}
+
+import InvitationContent from '@site/docs/cloud/get-started/user-invite.mdx';
-## What are the account-level roles for users in Temporal Cloud? {#account-level-roles}
+Global Admin roles cannot assign the Account Owner role or the Finance Admin role to new users they invite to the
+account.
-When an Account Owner or Global Admin invites a user to join an account, they select one of the following roles for that user:
+## Update a user's account-level role {#update-roles}
-- **Global Admin**
- - Has full administrative permissions across the account, including users and usage
- - Can create and manage [Namespaces](/namespaces) and [Nexus Endpoints](/nexus/endpoints)
- - Has Namespace Admin [permissions](#namespace-level-permissions) on all Namespaces in the account.
- This permission cannot be revoked
-- **Developer**
- - Can create Namespaces
- - Is granted [Namespace Admin](/cloud/users#namespace-level-permissions) permission for each Namespace they create.
- This permission can be revoked
- - Can create and manage Nexus Endpoints where they are a [Namespace Admin](/cloud/users#namespace-level-permissions) on the Endpoint's target Namespace
-- **Read-Only**
- - Can read information
- - Can be granted Namespace [permissions](#namespace-level-permissions), for example to read or write Workflow state in a given Namespace
- - Can view all Nexus Endpoints in the account, which have separate [runtime access controls](/nexus/security#runtime-access-controls)
+With Global Admin or Account Owner privileges, you can update any user's account-level
+[role](/cloud/manage-access/roles-and-permissions#account-level-roles). The Account Owner role can only be granted by
+existing Account Owners.
-In addition, there are two roles that the Global Admin cannot assign:
+For security reasons, you cannot remove the Account Owner role from a user. Removing the Account Owner role must be made
+through Temporal Support. To remove the Account Owner role, you must submit a
+[support ticket](https://temporalsupport.zendesk.com/).
-- **Account Owner**
- - Has full administrative permissions across the account, including users, usage and [billing](/cloud/billing-and-cost)
- - Can create and manage Namespaces and Nexus Endpoints
- - Has Namespace Admin [permissions](#namespace-level-permissions) on all [Namespaces](/namespaces) in the account.
- This permission cannot be revoked
-- **Finance Admin**
- - Has permissions to view [billing](/cloud/billing-and-cost) information and update payment information
- - Otherwise, has the same permissions as Account Read-only users
- - Can be assigned to Service Accounts by a Global Admin, but otherwise can only be assigned by an Account Owner
+
-:::note Default Role
+
-When the account is created, the initial user who logs in is automatically assigned the Account Owner role.
-If your account does not have an Account Owner, please reach out to [Support](https://temporalsupport.zendesk.com/) to assign the appropriate individual to this role.
+1. In Temporal Web UI, select **Settings** in the left portion of the window.
+1. On the **Settings** page, select the user.
+1. On the user profile page, select **Edit User**.
+1. On the **Edit User** page in **Account Level Role**, select the role.
+1. Select **Save**.
-:::
+
-## Using the Account Owner role
+
-The Account Owner role (i.e., users with the Account Owner system role) holds the highest level of access in the system.
-This role configures account-level parameters and manages Temporal billing and payment information.
-It allows users to perform all actions within the Temporal Cloud account.
+Use the [`tcld user set-account-role`](/cloud/tcld/user/#set-account-role) command. Specify the user by email or ID and
+the new role.
-:::tip Best Practices
+Available account roles: `admin` | `developer` | `read`. The Account Owner and Finance Admin roles cannot be assigned
+through tcld; use the Web UI or Cloud Ops API to assign these roles.
-Temporal strongly recommends the following precautions when assigning the Account Owner role to users:
+```command
+tcld user set-account-role --user-email --account-role
+```
-- Assign the role to at least two users in your organization.
- Otherwise, limit the number of users with this role.
-- Associate a person’s direct email address to the Account Owner, rather than a shared or generic address, so Temporal Support can contact the right person in urgent situations.
+You can also identify the user by ID:
-This latter rule is useful for anyone on your team who may need to be contacted urgently, regardless of their Account role.
+```command
+tcld user set-account-role --user-id --account-role
+```
-:::
+
-## What are the Namespace-level permissions for users in Temporal Cloud? {#namespace-level-permissions}
+
-An Account Owner or Global Admin can assign permissions for any [Namespace](/namespaces) in an account.
-A Developer can assign permissions for a Namespace they create.
+Use the [UpdateUser](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to update a user's account-level
+role.
-For a Namespace, a user can have one of the following permissions:
+```
+POST /cloud/users/{userId}
+```
-- **Namespace Admin:**
- - Can [manage the Namespace](/cloud/namespaces#manage-namespaces) including identities and permissions
- - Can create, rename, update, and delete [Workflows](/workflows) within the Namespace
-- **Write:**
- - Can create, rename, update, and delete [Workflows](/workflows) within the Namespace
-- **Read-Only:**
- - Can only read information from the Namespace
+The request body includes a `spec` with the user's `access.account_access.role` field set to the desired role.
-## How to update an account-level role in Temporal Cloud {#update-roles}
+Available roles: `ROLE_OWNER` | `ROLE_ADMIN` | `ROLE_DEVELOPER` | `ROLE_FINANCE_ADMIN` | `ROLE_READ`.
-With Global Admin or Account Owner privileges, you can update any user's account-level [role](#account-level-roles) using either the Web UI or the tcld CLI utility.
-The Account Owner role can only be granted by existing Account Owners.
+
-For security reasons, changes to the Account Owner role must be made through Temporal Support.
-To change or delete an Account Owner, you must submit a [support ticket](https://temporalsupport.zendesk.com/).
+
-{/* How to update an account-level role in Temporal Cloud using Web UI */}
+## Update a user's Namespace-level permissions {#update-permissions}
-### How to update an account-level role using Web UI
+With Account Owner, Global Admin, or Namespace Admin privileges, you can update
+[Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for users within
+Namespaces you administer. Account Owners and Global Admins have Namespace Admin permissions on all Namespaces
+automatically.
-1. In Temporal Web UI, select **Settings** in the left portion of the window.
-1. On the **Settings** page, select the user.
-1. On the user profile page, select **Edit User**.
-1. On the **Edit User** page in **Account Level Role**, select the role.
-1. Select **Save**.
+
-{/* How to update an account-level role in Temporal Cloud using tcld */}
+
-### How to update an account-level role using tcld
-
-For details, see the [tcld user set-account-role](/cloud/tcld/user/#set-account-role) command.
-
-## How to update Namespace-level permissions in Temporal Cloud {#update-permissions}
-
-You can update Namespace-level [permissions](#namespace-level-permissions) by using either Web UI or tcld.
-
-{/* How to update Namespace-level permissions for a Namespace in Temporal Cloud using Web UI */}
-
-### How to use the Web UI to update a user's permissions across multiple Namespaces
+**Update a user's permissions across multiple Namespaces:**
1. In Temporal Web UI, select **Namespaces** in the left portion of the window.
1. On the **Namespaces** page, select the Namespace.
-1. If necessary, scroll down to the list of permissions
+1. If necessary, scroll down to the list of permissions.
1. On the user profile page in **Namespace permissions**, select the Namespace.
1. On the Namespace page in **Account Level Role**, select the role.
1. Select **Save**.
-{/* How to update Namespace-level permissions for a user in Temporal Cloud using Web UI */}
-
-### How to use the Web UI to update permissions for multiple users within a single Namespace
-
-:::note
-
-A user with the Account Owner or Global Admin account-level [role](#account-level-roles) has Namespace Admin permissions for all Namespaces.
-
-:::
+**Update permissions for multiple users within a single Namespace:**
1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page in the **Users** tab, select the user.
@@ -160,234 +127,92 @@ A user with the Account Owner or Global Admin account-level [role](#account-leve
1. On the **Edit User** page in **Namespace permissions**, change the permissions for one or more Namespaces.
1. Select **Save**.
-{/* How to update an account-level role in Temporal Cloud using tcld */}
+
+
+
-### How to use tcld to update Namespace-level permissions
+Use the [`tcld user set-namespace-permissions`](/cloud/tcld/user/#set-namespace-permissions) command. Specify the user
+by email or ID and one or more Namespace permissions.
-For details, see the [tcld user set-namespace-permissions](/cloud/tcld/user/#set-namespace-permissions) command.
+Each permission value must be in the format `namespace=permission-type`.
-## How to delete a user from your Temporal Cloud account {#delete-users}
+Available Namespace permissions: `Admin` | `Write` | `Read`.
-You can delete a user from your Temporal Cloud Account by using either Web UI or tcld.
+```command
+tcld user set-namespace-permissions --user-email --namespace-permission =
+```
-:::info
+You can set multiple Namespace permissions in a single request:
-To delete a user, a user must have the Account Owner or Global Admin account-level [role](#account-level-roles).
+```command
+tcld user set-namespace-permissions --user-email \
+ --namespace-permission ns1=Admin \
+ --namespace-permission ns2=Write
+```
-:::
+
-{/* How to delete a user from your Temporal Cloud account using Web UI */}
+
-### How to update an account-level role using Web UI
+Use the [SetUserNamespaceAccess](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to set a user's
+permission for a specific Namespace.
+
+```
+POST /cloud/namespaces/{namespace}/users/{userId}/access
+```
+
+Set the `access.permission` field to the desired permission.
+
+Available permissions: `PERMISSION_ADMIN` | `PERMISSION_WRITE` | `PERMISSION_READ`.
+
+
+
+
+
+## Delete a user from your Temporal Cloud account {#delete-users}
+
+With Account Owner or Global Admin privileges, you can delete a user from your Temporal Cloud account.
+
+
+
+
1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, find the user and, on the right end of the row, select **Delete**.
1. In the **Delete User** dialog, select **Delete**.
-You can delete a user in two other ways in Web UI:
+You can also delete a user in two other ways in Web UI:
- User profile page: Select the down arrow next to **Edit User** and then select **Delete**.
- **Edit User** page: Select **Delete User**.
-{/* How to delete a user from your Temporal Cloud account using tcld */}
-
-### How to update an account-level role using tcld
-
-For details, see the [tcld user delete](/cloud/tcld/user/#delete) command.
-
-## Account-level roles and Namespace-level permissions {#account-level-roles-and-namespace-level-permissions}
-
-Temporal account-level roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs.
-The following table provides the API details associated with each account-level role and Namespace-level permission.
-
-#### Account-level role details
-
-This table provides API-level details for the permissions granted to a user through account-level roles. These permissions are configured per user.
-
-| Permission | Read-only | Developer | Finance Admin | Global Admin | Account Owner |
-| --------------------------------- | --------- | --------- | ------------- | ------------ | ------------- |
-| CountIdentities | ✔ | ✔ | ✔ | ✔ | ✔ |
-| CreateAccountAuditLogSink | | | | ✔ | ✔ |
-| CreateAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
-| CreateNamespace | | ✔ | | ✔ | ✔ |
-| CreateNexusEndpoint | | ✔ | | ✔ | ✔ |
-| CreateServiceAccount | | | | ✔ | ✔ |
-| CreateServiceAccountAPIKey | | | | ✔ | ✔ |
-| CreateStripeCustomerPortalSession | | | ✔ | | ✔ |
-| CreateUser | | | | ✔ | ✔ |
-| DeleteAccountAuditLogSink | | | | ✔ | ✔ |
-| DeleteAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
-| DeleteNexusEndpoint | | ✔ | | ✔ | ✔ |
-| DeleteServiceAccount | | | | ✔ | ✔ |
-| DeleteUser | | | | ✔ | ✔ |
-| GetAccount | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAccountAuditLogSink | | | | ✔ | ✔ |
-| GetAccountAuditLogSinks | | | | ✔ | ✔ |
-| GetAccountFeatureFlags | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAccountLimits | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAccountSettings | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAccountUsage | | | | ✔ | ✔ |
-| GetAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAPIKeys | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAsyncOperation | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetAuditLogs | | | | ✔ | ✔ |
-| GetDecodedCertificate | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetIdentities | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetIdentity | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetNamespaces | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetNamespacesUsage | | | | ✔ | ✔ |
-| GetNexusEndpoint | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetNexusEndpoints | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRegion | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRegions | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRequestStatus | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRequestStatuses | | | | ✔ | ✔ |
-| GetRequestStatusesForNamespace | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRequestStatusesForUser | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRoles | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetRolesByPermissions | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetServiceAccount | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetServiceAccounts | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetStripeInvoice | | | ✔ | | ✔ |
-| GetUser | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetUsers | ✔ | ✔ | ✔ | ✔ | ✔ |
-| GetUsersWithAccountRoles | ✔ | ✔ | ✔ | ✔ | ✔ |
-| InviteUsers | | | | ✔ | ✔ |
-| ListCreditLedgerEntries | | | ✔ | | ✔ |
-| ListGrants | | | ✔ | | ✔ |
-| ListMetronomeInvoices | | | ✔ | | ✔ |
-| ListMetronomeInvoicesForNamespace | | | ✔ | | ✔ |
-| ListNamespaces | ✔ | ✔ | ✔ | ✔ | ✔ |
-| ListPromotionGrantBalances | | | ✔ | | ✔ |
-| ResendUserInvite | | | | ✔ | ✔ |
-| SetAccountSettings | | | | ✔ | ✔ |
-| SyncCurrentUserInvite | ✔ | ✔ | ✔ | ✔ | ✔ |
-| UpdateAccount | | | | ✔ | ✔ |
-| UpdateAccountAuditLogSink | | | | ✔ | ✔ |
-| UpdateAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
-| UpdateNexusEndpoint | | ✔ | | ✔ | ✔ |
-| UpdateServiceAccount | | | | ✔ | ✔ |
-| UpdateUser | | | | ✔ | ✔ |
-| ValidateAccountAuditLogSink | | | | ✔ | ✔ |
-
-#### Namespace-level permissions details
-
-This table provides API-level details for the permissions granted to a user through Namespace-level permissions.
-These permissions are configured per Namespace per user.
-
-:::note
-
-Account Owners and Global Admins inherit Namespace Admin permissions on all Namespaces.
-
-:::
-
-| Permission | Read | Write | Namespace Admin |
-| ---------------------------------- | ---- | ----- | --------------- |
-| CountWorkflowExecutions | ✔ | ✔ | ✔ |
-| CreateExportSink | | | ✔ |
-| CreateSchedule | | ✔ | ✔ |
-| DeleteExportSink | | | ✔ |
-| DeleteNamespace | | | ✔ |
-| DeleteSchedule | | ✔ | ✔ |
-| DescribeBatchOperation | ✔ | ✔ | ✔ |
-| DescribeNamespace | ✔ | ✔ | ✔ |
-| DescribeSchedule | ✔ | ✔ | ✔ |
-| DescribeTaskQueue | ✔ | ✔ | ✔ |
-| DescribeWorkflowExecution | ✔ | ✔ | ✔ |
-| FailoverNamespace | | | ✔ |
-| GetExportSink | ✔ | ✔ | ✔ |
-| GetExportSinks | ✔ | ✔ | ✔ |
-| GetNamespace | ✔ | ✔ | ✔ |
-| GetNamespaceUsage | ✔ | ✔ | ✔ |
-| GetReplicationStatus | ✔ | ✔ | ✔ |
-| GetSearchAttributes | ✔ | ✔ | ✔ |
-| GetUsersForNamespace | ✔ | ✔ | ✔ |
-| GetWorkerBuildIdCompatibility | ✔ | ✔ | ✔ |
-| GetWorkerTaskReachability | ✔ | ✔ | ✔ |
-| GetWorkflowExecutionHistory | ✔ | ✔ | ✔ |
-| GetWorkflowExecutionHistoryReverse | ✔ | ✔ | ✔ |
-| GlobalizeNamespace | | | ✔ |
-| ListBatchOperations | ✔ | ✔ | ✔ |
-| ListClosedWorkflowExecutions | ✔ | ✔ | ✔ |
-| ListExportSinks | ✔ | ✔ | ✔ |
-| ListFailoverHistoryByNamespace | ✔ | ✔ | ✔ |
-| ListOpenWorkflowExecutions | ✔ | ✔ | ✔ |
-| ListReplicaStatus | ✔ | ✔ | ✔ |
-| ListScheduleMatchingTimes | ✔ | ✔ | ✔ |
-| ListSchedules | ✔ | ✔ | ✔ |
-| ListTaskQueuePartitions | ✔ | ✔ | ✔ |
-| ListWorkflowExecutions | ✔ | ✔ | ✔ |
-| PatchSchedule | | ✔ | ✔ |
-| PollActivityTaskQueue | | ✔ | ✔ |
-| PollWorkflowTaskQueue | | ✔ | ✔ |
-| QueryWorkflow | ✔ | ✔ | ✔ |
-| RecordActivityTaskHeartbeat | | ✔ | ✔ |
-| RecordActivityTaskHeartbeatById | | ✔ | ✔ |
-| RenameCustomSearchAttribute | | | ✔ |
-| RequestCancelWorkflowExecution | | ✔ | ✔ |
-| ResetStickyTaskQueue | | ✔ | ✔ |
-| ResetWorkflowExecution | | ✔ | ✔ |
-| RespondActivityTaskCanceled | | ✔ | ✔ |
-| RespondActivityTaskCanceledById | | ✔ | ✔ |
-| RespondActivityTaskCompleted | | ✔ | ✔ |
-| RespondActivityTaskCompletedById | | ✔ | ✔ |
-| RespondActivityTaskFailed | | ✔ | ✔ |
-| RespondActivityTaskFailedById | | ✔ | ✔ |
-| RespondQueryTaskCompleted | | ✔ | ✔ |
-| RespondWorkflowTaskCompleted | | ✔ | ✔ |
-| RespondWorkflowTaskFailed | | ✔ | ✔ |
-| SetUserNamespaceAccess | | | ✔ |
-| SignalWithStartWorkflowExecution | | ✔ | ✔ |
-| SignalWorkflowExecution | | ✔ | ✔ |
-| StartBatchOperation | | ✔ | ✔ |
-| StartWorkflowExecution | | ✔ | ✔ |
-| StopBatchOperation | | ✔ | ✔ |
-| TerminateWorkflowExecution | | ✔ | ✔ |
-| UpdateExportSink | | | ✔ |
-| UpdateNamespace | | | ✔ |
-| UpdateSchedule | | ✔ | ✔ |
-| UpdateSearchAttributes | | | ✔ |
-| UpdateUserNamespacePermissions | | | ✔ |
-| ValidateExportSink | | | ✔ |
-| ValidateGlobalizeNamespace | | | ✔ |
-
-:::note UpdateNamespace settings
-
-`UpdateNamespace` requires Namespace Admin permission and covers these settings:
-- [Retention period](/temporal-service/temporal-server#retention-period)
-- [API key auth](/cloud/api-keys#namespace-authentication)
-- [mTLS certificates](/cloud/certificates)
-- [Certificate filters](/cloud/certificates#manage-certificate-filters)
-- [Codec server](/production-deployment/data-encryption)
-- [Connectivity rules](/cloud/connectivity)
-- [Custom Search Attributes](/search-attribute#custom-search-attribute)
-- [Provisioned capacity (TRUs)](/cloud/capacity-modes#provisioned-capacity)
-- [High Availability](/cloud/high-availability)
-
-:::
-
-## How to troubleshoot account access issues {#troubleshoot-access}
-
-### Why can't I sign in after my email domain changed? {#email-domain-change}
-
-If your organization changed its email domain (for example, from `@oldcompany.com` to `@newcompany.com`), you may be unable to sign in to Temporal Cloud with your existing account.
-
-**Why this happens:**
-When you sign in using "Continue with Google" or "Continue with Microsoft", Temporal Cloud identifies your account by your email address.
-If your email address changes, Temporal Cloud sees this as a different identity and cannot match it to your existing account.
-
-**How to resolve this:**
-[Create a support ticket](/cloud/support#support-ticket) with the following information:
-
-- Your previous email address (the one originally used to access Temporal Cloud)
-- Your new email address
-- Your Temporal Cloud Account Id (if known)
-
-Temporal Support can update your account to use your new email address.
-
-:::tip Use SAML for enterprise identity management
-
-If your organization frequently changes email domains or wants centralized control over user authentication, consider using [SAML authentication](/cloud/saml).
-With SAML, your identity provider (IdP) manages user identities, and email domain changes can be handled within your IdP without affecting Temporal Cloud access.
-
-:::
+
+
+
+
+Use the [`tcld user delete`](/cloud/tcld/user/#delete) command. Specify the user by email or ID.
+
+```command
+tcld user delete --user-email
+```
+
+You can also identify the user by ID:
+
+```command
+tcld user delete --user-id
+```
+
+
+
+
+
+Use the [DeleteUser](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to remove a user from your
+account.
+
+```
+DELETE /cloud/users/{userId}
+```
+
+
+
+
diff --git a/docs/cloud/manage-access/index.mdx b/docs/cloud/manage-access/index.mdx
index f7792abb26..6e8d66ade4 100644
--- a/docs/cloud/manage-access/index.mdx
+++ b/docs/cloud/manage-access/index.mdx
@@ -16,10 +16,107 @@ tags:
- Users
---
-Temporal Cloud offers several ways to manage access to your Temporal Cloud account.
+Access to Temporal Cloud is governed by role-based access control (RBAC). Within an account, each access principal, such
+as user, user group or service account, is assigned one or more account-level roles, and each role has a set of
+permissions. Each principal can only perform an action if they have a role that grants them the necessary permissions.
+
+Within a Namespace, each principal is assigned one or more Namespace-level permissions, and each permission permits a
+set of actions. Each principal can only perform an action if they have a permission that grants them the necessary
+actions within the Namespace.
+
+Temporal Cloud supports Security Assertion Markup Language (SAML) and System for Cross-domain Identity Management (SCIM)
+for integration with your organization's identity provider (IDP). SAML enables single sign-on (SSO) by allowing your
+identity provider to authenticate users into Temporal Cloud. SCIM automatically creates, updates, and removes users and
+groups in Temporal Cloud based on changes in your identity provider.
+
+## Temporal Cloud accounts
+
+Accounts are the top-level container for access control. Each account has at least one user assigned the Account Owner
+role, which has full administrative permissions across the account, including users, billing and usage. An account is
+**not** an access principal itself.
+
+When you sign up for Temporal Cloud without joining an existing account, you are automatically assigned the Account
+Owner role for a new account. You can then invite other users to join the account and assign them roles.
+
+:::info
+
+Multiple accounts can coexist on the same email domain. Each account can have its own independent SAML configuration,
+tied to its unique Account ID.
+
+However, each email address can only be associated with a single Temporal Cloud account. If you need access to multiple
+accounts, you’ll need a separate invite for each one using a different email address.
+
+:::
+
+## Access principals
+
+Temporal Cloud offers the following principals for access control:
- [**Users**](/cloud/users) - Manage individual user accounts and permissions
- [**User Groups**](/cloud/user-groups) - Organize users into groups for simplified access management
- [**Service Accounts**](/cloud/service-accounts) - Configure service accounts for automated access
-- [**SAML**](/cloud/saml) - Configure SAML-based single sign-on integration
+
+These principals can assume [account-level roles](/cloud/manage-access/roles-and-permissions#account-level-roles) and be
+granted [Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) to perform
+actions within the account and a Namespace, respectively.
+
+## Roles and permissions
+
+Temporal Cloud' RBAC model works in a hierarchical manner. Account-level roles grant permissions to perform actions
+within the account, and Namespace-level permissions grant permissions to perform actions within a Namespace. Refer to
+the [Roles and permissions](/cloud/manage-access/roles-and-permissions) page for more details.
+
+## Integration with identity providers
+
+Temporal Cloud supports SAML and SCIM for integration with your organization's identity provider (IDP).
+
+- [**SAML**](/cloud/saml) - Configure SAML-based SSO integration
- [**SCIM**](/cloud/scim) - Use your IDP to manage Temporal Cloud users and access via SCIM integration
+
+## Troubleshoot account access issues
+
+### Recover your account after losing access to your authenticator app {#mfa-recovery}
+
+Accounts registered with email and password require multi-factor authentication (MFA) with an authenticator app. If you
+lose access to your authenticator app, you can still log in by clicking **Try another method** on the MFA screen. From
+there, you can either:
+
+- Enter your recovery code (provided when you first set up MFA)
+- Receive a verification code through email
+
+Once you're logged in, you can reset your authenticator app by navigating to **My Profile** > **Password and
+Authentication** and then clicking **Authenticator App** > **Remove method**.
+
+### Reset your password {#reset-password}
+
+If you're currently logged in and would like to change your password, click your profile icon at the top right of the
+Temporal Cloud UI, navigate to **My Profile** > **Password and Authentication**, and then click **Reset Password**.
+
+If you're not currently logged in, navigate to the login page of the Temporal Cloud UI, enter your email address, click
+**Continue**, and then select **Forgot password**. In both cases, you will receive an email with instructions on how to
+reset your password.
+
+### Sign in after email domain changes {#email-domain-change}
+
+If your organization changed its email domain (for example, from `@oldcompany.com` to `@newcompany.com`), you may be
+unable to sign in to Temporal Cloud with your existing account.
+
+**Why this happens:** When you sign in using "Continue with Google" or "Continue with Microsoft", Temporal Cloud
+identifies your account by your email address. If your email address changes, Temporal Cloud sees this as a different
+identity and cannot match it to your existing account.
+
+**How to resolve this:** [Create a support ticket](/cloud/support#support-ticket) with the following information:
+
+- Your previous email address (the one originally used to access Temporal Cloud)
+- Your new email address
+- Your Temporal Cloud Account Id (if known)
+
+Temporal Support can update your account to use your new email address.
+
+:::tip Use SAML for enterprise identity management
+
+If your organization frequently changes email domains or wants centralized control over user authentication, consider
+using [SAML authentication](/cloud/saml). With SAML, your identity provider (IdP) manages user identities, and email
+domain changes can be handled within your IdP without affecting Temporal Cloud access.
+
+:::
diff --git a/docs/cloud/manage-access/roles-and-permissions.mdx b/docs/cloud/manage-access/roles-and-permissions.mdx
new file mode 100644
index 0000000000..de9f742bdc
--- /dev/null
+++ b/docs/cloud/manage-access/roles-and-permissions.mdx
@@ -0,0 +1,89 @@
+---
+id: roles-and-permissions
+title: Roles and permissions
+description: Learn about the roles and permissions in Temporal Cloud
+toc_max_heading_level: 4
+keywords:
+ - explanation
+ - how-to
+ - introduction
+ - temporal cloud
+ - temporal cloud account
+ - users
+---
+
+Temporal Cloud uses role-based access control (RBAC) to manage access to resources. Access is governed both on the
+account-level and within a Namespace. On the account-level, each access principal is assigned one account-level role. On
+the Namespace-level, each access principal can be assigned one Namespace-level permission. Some account-level roles,
+such as Account Owner and Global Admin, automatically have Namespace Admin permissions on all Namespaces in the account.
+
+## Account-level roles
+
+Account-level roles are assigned to access principals at the account level. They control access to account resources,
+such as:
+
+- Users and Service Accounts
+- Billing and usage
+- Namespaces. This includes creating and managing Namespaces only, not access to resources within a Namespace, which is
+ controlled by [Namespace-level permissions](#namespace-level-permissions).
+- Nexus Endpoints
+
+The following table provides a summary of the account-level roles and their primary purpose:
+
+| Role | Primary purpose | Can create Namespaces | Automatic Namespace Admin | Billing and usage access |
+| ------------- | ------------------------------------------- | --------------------- | --------------------------------------- | --------------------------------- |
+| Account Owner | Owns and governs the account | Yes | All Namespaces (cannot be revoked) | Full billing, payments, and usage |
+| Global Admin | Administers account configuration and users | Yes | All Namespaces (cannot be revoked) | Usage only |
+| Developer | Creates and manages Namespaces they own | Yes | Namespaces they create (can be revoked) | None |
+| Finance Admin | Manages billing and payment information | No | None | Full billing and payments |
+| Read-Only | Views account configuration and resources | No | None | None |
+
+Account-level roles don't govern day-to-day operations within a Namespace. Access to resources inside a Namespace, such
+as Workflows and Workflow Executions, is controlled by [Namespace-level permissions](#namespace-level-permissions).
+
+Account Owner and Global Admin roles automatically have Namespace Admin permissions on all Namespaces in the account,
+and these permissions cannot be revoked without removing the role. Developers can create Namespaces, and have Namespace
+Admin permissions for each Namespace they create. This permission can be revoked. Developer roles also don't have
+automatic access to Namespaces that they didn't create.
+
+### Best practice for assigning the Account Owner role
+
+The Account Owner role holds the highest level of access in the system. This role configures account-level parameters
+and manages Temporal billing and payment information. It allows users to perform all actions within the Temporal Cloud
+account.
+
+We strongly recommend the following precautions when assigning the Account Owner role to users:
+
+- Assign the role to at least two users in your organization. Otherwise, limit the number of users with this role.
+- Associate a person’s direct email address to the Account Owner, rather than a shared or generic address, so Temporal
+ Support can contact the right person in urgent situations.
+
+This latter rule is useful for anyone on your team who may need to be contacted urgently, regardless of their Account
+role.
+
+## Namespace-level permissions {#namespace-level-permissions}
+
+Namespace-level permissions govern access to resources within a Namespace, such as the following:
+
+- Workflows
+- Workflow Executions
+- Task Queues
+- Activity Executions
+- Search Attributes
+- History
+- Events
+
+Namespace-level permissions are assigned to access principals within a Namespace. Each permission has a set of actions
+that grant access to specific resources within the Namespace.
+
+The following table provides a summary of the Namespace-level permissions and their primary purpose:
+
+| Permission level | Intended use | Human access | Worker runtime access | Namespace administration |
+| ---------------- | --------------------------------- | -------------------------------------------------------------------------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| Read | Observe Namespace activity | View Workflows, Workflow Executions, Schedules, Task Queues, and metadata | None | None |
+| Write | Operate Workflows and run Workers | Start, signal, cancel, terminate, and reset Workflows; manage Schedules and batch operations | Poll Task Queues and complete Workflow and Activity Tasks | None |
+| Namespace Admin | Administer the Namespace | All Read and Write capabilities | All Read and Write capabilities | Update Namespace settings, manage Search Attributes, Export Sinks, replication, and Namespace user access |
+
+You can grant Namespace Admin, Write, or Read-Only permissions to principals with the account-level roles of Developer,
+Finance Admin, or Read-Only. Account Owners and Global Admins already have Namespace Admin permissions on all Namespaces
+in the account and do not need to be manually assigned Namespace-level permissions.
diff --git a/docs/cloud/metrics/general-setup.mdx b/docs/cloud/metrics/general-setup.mdx
index 618b54ecc0..04981c4635 100644
--- a/docs/cloud/metrics/general-setup.mdx
+++ b/docs/cloud/metrics/general-setup.mdx
@@ -35,13 +35,13 @@ You will learn how to do the following:
:::note
-To view and manage third-party integration settings, your user account must have the Account Owner or Global Admin [role](/cloud/users#account-level-roles).
+To view and manage third-party integration settings, your user account must have the Account Owner or Global Admin [role](/cloud/manage-access/roles-and-permissions#account-level-roles).
:::
To assign a certificate and generate your metrics endpoint, follow these steps:
-1. Log in to Temporal Cloud UI with an Account Owner or Global Admin [role](/cloud/users#account-level-roles).
+1. Log in to Temporal Cloud UI with an Account Owner or Global Admin [role](/cloud/manage-access/roles-and-permissions#account-level-roles).
2. Go to **Settings** and select **Observability**.
4. Add your root CA certificate (.pem) and save it.
Note that if an observability endpoint is already set up, you can append your root CA certificate here to use the generated observability endpoint in your observability tool.
diff --git a/docs/cloud/metrics/prometheus-grafana.mdx b/docs/cloud/metrics/prometheus-grafana.mdx
index 71ffda59da..ff910951bb 100644
--- a/docs/cloud/metrics/prometheus-grafana.mdx
+++ b/docs/cloud/metrics/prometheus-grafana.mdx
@@ -65,13 +65,13 @@ If you're following through with the examples provided here, ensure that you hav
Before you set up your Temporal Cloud metrics, ensure that you have the following:
-- Account Owner or Global Admin [role privileges](/cloud/users#account-level-roles) for the Temporal Cloud account.
+- Account Owner or Global Admin [role privileges](/cloud/manage-access/roles-and-permissions#account-level-roles) for the Temporal Cloud account.
- [CA certificate and key](/cloud/certificates) for the Observability integration.
You will need the certificate to set up the Observability endpoint in Temporal Cloud.
The following steps describe how to set up Observability on Temporal Cloud to generate an endpoint:
-1. Log in to Temporal Cloud UI with an Account Owner or Global Admin [role](/cloud/users#account-level-roles).
+1. Log in to Temporal Cloud UI with an Account Owner or Global Admin [role](/cloud/manage-access/roles-and-permissions#account-level-roles).
2. Go to **Settings** and select **Integrations**.
3. Select **Configure Observability** (if you're setting it up for the first time) or click **Edit** in the Observability section (if it was already configured before).
4. Add your root CA certificate (.pem) and save it.
diff --git a/docs/cloud/scim.mdx b/docs/cloud/scim.mdx
index 4b8c473a38..80b1594cb7 100644
--- a/docs/cloud/scim.mdx
+++ b/docs/cloud/scim.mdx
@@ -27,7 +27,7 @@ tags:
- User deletion / offboarding
- User membership in groups
-You can map SCIM groups to Temporal Cloud [roles and permissions](/cloud/users#account-level-roles-and-namespace-level-permissions), so users automatically get the Temporal Cloud access they need based on the groups they belong to.
+You can map SCIM groups to Temporal Cloud [roles and permissions](/cloud/manage-access/roles-and-permissions), so users automatically get the Temporal Cloud access they need based on the groups they belong to.
:::info
diff --git a/docs/cloud/tcld/namespace.mdx b/docs/cloud/tcld/namespace.mdx
index 0b1b30af2a..f202ef2033 100644
--- a/docs/cloud/tcld/namespace.mdx
+++ b/docs/cloud/tcld/namespace.mdx
@@ -274,7 +274,7 @@ tcld namespace create \
#### --user-namespace-permission
-A [Namespace-level permission](/cloud/users#namespace-level-permissions) for a user in the form '_email_=_permission_'. Can be specified more than once.
+A [Namespace-level permission](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for a user in the form '_email_=_permission_'. Can be specified more than once.
Valid values for _permission_: `Admin` | `Write` | `Read`
diff --git a/docs/cloud/tcld/user.mdx b/docs/cloud/tcld/user.mdx
index 5cae9d1bc5..5803ba1f9a 100644
--- a/docs/cloud/tcld/user.mdx
+++ b/docs/cloud/tcld/user.mdx
@@ -120,7 +120,7 @@ Alias: `-e`
_Required modifier_
-Specify the [account-level Role](/cloud/users#account-level-roles) for the invited user.
+Specify the [account-level Role](/cloud/manage-access/roles-and-permissions#account-level-roles) for the invited user.
Available account roles: `admin` | `developer` | `read`.
@@ -128,7 +128,7 @@ Alias: `--ar`
#### --namespace-permission
-Specify the [Namespace-level permissions](/cloud/users#namespace-level-permissions) for the invited user.
+Specify the [Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for the invited user.
You can supply this modifier multiple times to set multiple Namespace permissions in a single request.
Each value must be in the format of `namespace=permission-type`.
@@ -228,7 +228,7 @@ Alias: `-r`
## set-account-role
-The `tcld user set-account-role` command sets an [account-level Role](/cloud/users#account-level-roles) for the specified user in Temporal Cloud.
+The `tcld user set-account-role` command sets an [account-level Role](/cloud/manage-access/roles-and-permissions#account-level-roles) for the specified user in Temporal Cloud.
You must set either `--user-email` or `--user-id`.
Alias: `ri`
@@ -286,7 +286,7 @@ Alias: `-v`
## set-namespace-permissions
-The `tcld user set-namespace-permissions` command sets [Namespace-level permissions](/cloud/users#namespace-level-permissions) for a specified user in Temporal Cloud.
+The `tcld user set-namespace-permissions` command sets [Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for a specified user in Temporal Cloud.
You must set either `--user-email` or `--user-id`.
Alias: `snp`
@@ -330,7 +330,7 @@ Alias: `-v`
#### --namespace-permission
-Specify the [Namespace-level permissions](/cloud/users#namespace-level-permissions) for the invited user.
+Specify the [Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for the invited user.
You can supply this modifier multiple times to set multiple Namespace permissions in a single request.
Each value must be in the format of `namespace=permission-type`.
diff --git a/docs/cloud/terraform-provider.mdx b/docs/cloud/terraform-provider.mdx
index 1ddaea1548..368ff38e84 100644
--- a/docs/cloud/terraform-provider.mdx
+++ b/docs/cloud/terraform-provider.mdx
@@ -285,8 +285,8 @@ on subsequent Terraform operations.
Terraform provides a great way to automate the management of [Nexus Endpoints](/nexus/endpoints). The provider allows
you to import, create, update, and delete Nexus Endpoints with Terraform.
-You must use an Identity with [Developer role (or higher)](/cloud/users#account-level-roles) and
-[Namespace Admin permission](/cloud/users#namespace-level-permissions) on the Endpoint's target Namespace.
+You must use an Identity with [Developer role (or higher)](/cloud/manage-access/roles-and-permissions#account-level-roles) and
+[Namespace Admin permission](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) on the Endpoint's target Namespace.
**How do I create a Nexus Endpoint with Terraform?**
diff --git a/docs/encyclopedia/namespaces/namespaces.mdx b/docs/encyclopedia/namespaces/namespaces.mdx
index 6ba739aae3..9ee52e3dbb 100644
--- a/docs/encyclopedia/namespaces/namespaces.mdx
+++ b/docs/encyclopedia/namespaces/namespaces.mdx
@@ -15,7 +15,7 @@ tags:
:::info Open source and Temporal Cloud
This page covers core namespace concepts that apply to both open source Temporal and Temporal Cloud.
-Temporal Cloud namespaces include additional capabilities, such as [API key](/cloud/api-keys) and [mTLS authentication](/cloud/certificates), [built-in role-based access controls](/cloud/users#namespace-level-permissions), [high availability replication](/cloud/high-availability), and [namespace tags](/cloud/namespaces#tag-a-namespace).
+Temporal Cloud namespaces include additional capabilities, such as [API key](/cloud/api-keys) and [mTLS authentication](/cloud/certificates), [built-in role-based access controls](/cloud/manage-access/roles-and-permissions#namespace-level-permissions), [high availability replication](/cloud/high-availability), and [namespace tags](/cloud/namespaces#tag-a-namespace).
Moving from self-hosting to Cloud, or the reverse, requires zero code changes and incurs zero downtime.
:::
diff --git a/docs/evaluate/development-production-features/multi-tenant.mdx b/docs/evaluate/development-production-features/multi-tenant.mdx
index fac23ab41c..234d0938d2 100644
--- a/docs/evaluate/development-production-features/multi-tenant.mdx
+++ b/docs/evaluate/development-production-features/multi-tenant.mdx
@@ -37,7 +37,7 @@ Namespaces in self-hosted Temporal provide:
Temporal Cloud builds on these capabilities with additional isolation guarantees:
- **Independent authentication** via [API keys](/cloud/api-keys) or [mTLS certificates](/cloud/certificates)
-- **Built-in [role-based access controls](/cloud/users#namespace-level-permissions)** without custom Authorizer configuration
+- **Built-in [role-based access controls](/cloud/manage-access/roles-and-permissions#namespace-level-permissions)** without custom Authorizer configuration
- **Separate [rate limits](/cloud/limits#namespace-level)** to prevent noisy neighbor problems
- **[High availability replication](/cloud/high-availability)** across regions
diff --git a/docs/evaluate/temporal-cloud/security.mdx b/docs/evaluate/temporal-cloud/security.mdx
index 4f58326555..0827a7fae9 100644
--- a/docs/evaluate/temporal-cloud/security.mdx
+++ b/docs/evaluate/temporal-cloud/security.mdx
@@ -131,7 +131,7 @@ For user authentication to the Temporal Cloud UI, see [How to manage SAML authen
Authorization is managed at the account and Namespace level.
Users and systems are assigned one or more preconfigured roles.
-Users hold [account-level Roles](/cloud/users#account-level-roles) of administrators, developers, and read-only users.
+Users hold [account-level Roles](/cloud/manage-access/roles-and-permissions#account-level-roles) of administrators, developers, and read-only users.
Systems and applications processes hold their own distinct roles.
### Monitoring
diff --git a/docs/production-deployment/data-encryption.mdx b/docs/production-deployment/data-encryption.mdx
index 7ded0d3d01..92a6305347 100644
--- a/docs/production-deployment/data-encryption.mdx
+++ b/docs/production-deployment/data-encryption.mdx
@@ -276,7 +276,7 @@ To set a Codec Server endpoint on a Namespace, do the following.
1. Optional: If your Codec Server is configured to [authenticate requests](#authorization) from Temporal Web UI, enable **Pass access token** to send a JWT access token with the HTTPS requests.
1. Optional: If your Codec Server is configured to [verify origins of requests](#cors), enable **Include cross-origin credentials**.
-On Temporal Cloud, you must have [Namespace Admin privileges](/cloud/users#namespace-level-permissions) to add a Codec Server endpoint on the Namespace. Setting a Codec Server endpoint on a Cloud Namespace enables it for all users on the Namespace.
+On Temporal Cloud, you must have [Namespace Admin privileges](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) to add a Codec Server endpoint on the Namespace. Setting a Codec Server endpoint on a Cloud Namespace enables it for all users on the Namespace.
Setting a Codec Server endpoint on a self-hosted Temporal Service enables it for the entire Temporal Service. You can use a single Codec Server to handle different encoding and decoding routes for each namespace.
diff --git a/docs/production-deployment/self-hosted-guide/namespaces.mdx b/docs/production-deployment/self-hosted-guide/namespaces.mdx
index d625f40749..3f7794f40a 100644
--- a/docs/production-deployment/self-hosted-guide/namespaces.mdx
+++ b/docs/production-deployment/self-hosted-guide/namespaces.mdx
@@ -77,7 +77,7 @@ Use a custom [Authorizer](/self-hosted-guide/security#authorizer-plugin) on your
Without an Authorizer configured, Temporal uses the `nopAuthority` authorizer that allows all API calls unconditionally.
-For Temporal Cloud, [role-based access controls](/cloud/users#namespace-level-permissions) provide namespace-level authorization without custom configuration.
+For Temporal Cloud, [role-based access controls](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) provide namespace-level authorization without custom configuration.
## Best practices
diff --git a/docs/web-ui.mdx b/docs/web-ui.mdx
index aee2192560..a9b9fa8f86 100644
--- a/docs/web-ui.mdx
+++ b/docs/web-ui.mdx
@@ -30,7 +30,7 @@ All Namespaces in your self-hosted Temporal Service or Temporal Cloud account ar
left section of the window. You can also switch Namespaces from the Workflows view by selecting from the Namespace
switcher at the top right corner of the window. After you select a Namespace, the Web UI shows the Recent Workflows page
for that Namespace. In Temporal Cloud, users can access only the Namespaces that they have been granted access to. For
-details, see [Namespace-level permissions](/cloud/users#namespace-level-permissions).
+details, see [Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions).
## Workflows
@@ -271,7 +271,7 @@ To read more about Schedules, explore these links:
### Settings
On Temporal Cloud, **Settings** is visible only to Account Owner and Global Admin
-[roles](/cloud/users#account-level-roles).
+[roles](/cloud/manage-access/roles-and-permissions#account-level-roles).
Click **Settings** to see and manage the list of users in your account and to set up integrations such as
[Observability](/cloud/metrics) and [Audit logging](/cloud/audit-logs).
diff --git a/sidebars.js b/sidebars.js
index 6fae131fb6..39a1f1cfa6 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -368,6 +368,7 @@ module.exports = {
},
items: [
'cloud/get-started/users',
+ 'cloud/manage-access/roles-and-permissions',
'cloud/get-started/user-groups',
'cloud/get-started/service-accounts',
'cloud/saml',
@@ -406,11 +407,7 @@ module.exports = {
type: 'doc',
id: 'cloud/metrics/promql',
},
- items: [
- 'cloud/metrics/general-setup',
- 'cloud/metrics/reference',
- 'cloud/metrics/prometheus-grafana',
- ],
+ items: ['cloud/metrics/general-setup', 'cloud/metrics/reference', 'cloud/metrics/prometheus-grafana'],
},
],
},