User management - Temporal Cloud feature guide

How to invite users to your Temporal Cloud account

caution

Access to Temporal Cloud can be authorized via Google OAuth single sign-on, Microsoft single sign-on, or SAML, depending on your setup.

If you are using Google OAuth for single sign-on and an email address is not associated with a Google Account, the user must follow the instructions in the Use an existing email address section of Create a Google Account.

Important: Do not create a Gmail account when creating a Google Account.

If your organization uses Google Workspace or Microsoft Azure AD, and your IT administrator has enabled controls over single sign-on permissions, then you will need to work with your IT administrator to allow logins to Temporal Cloud.

When a user is created in Temporal Cloud, they receive an email invitation containing a link. They must use this link to finalize their setup and access Temporal Cloud. Accounts with SAML configurations can ignore this email. However, those using Google or Microsoft for SSO authentication need to follow the email link for their initial login to Temporal Cloud.

info

To invite users, a user must have the Global Admin account-level Role.

Roles and permissions

Each user in Temporal Cloud is assigned a Role. Each user can be assigned permissions for individual Namespaces.

How to invite users using Web UI

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, select Create Users in the upper-right portion of the window.
  3. On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
  4. In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
  5. If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
  6. When all permissions are assigned, select Send Invite.

Temporal sends an email message to each user. To join Temporal Cloud, a user must select Accept Invite in the message.

How to invite a user using tcld

For details, see the tcld user invite command.

Temporal sends an email message to the specified user. To join Temporal Cloud, the user must select Accept Invite in the message.

How to invite a user using the Cloud Ops API

You can invite users programmatically using the Cloud Ops API.

  1. Create a connection to your Temporal Cluster using the Cloud Operations API.
  2. Use the CreateUser service to create a user.

What are the account-level Roles for users in Temporal Cloud?

When a Global Admin invites a user to join an account, the Global Admin selects one of the following Roles for that user:

  • Global Admin
    • Has full administrative permissions across the account, including users and usage
    • Has Namespace Admin permissions on all Namespaces in the account
  • Developer
    • Can create and update Namespaces; has full control over Workflows
    • Has Namespace Admin permissions for each Namespace created by that user
  • Read-Only: Can only read information

What are the Namespace-level permissions for users in Temporal Cloud?

A Global Admin can assign permissions for any Namespace in an account. A Developer can assign permissions for a Namespace they create.

For a Namespace, a user can have one of the following permissions:

  • Namespace Admin: Can create and edit Namespaces; can create, rename, update, and delete Workflows
  • Write: Can create, rename, update, and delete Workflows within the Namespace
  • Read-Only: Can only read information from the Namespace
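The Role and permission model described above (account-level Roles and Namespace-level permissions), as an added Python example that is not Temporal's own code: it computes a user's effective permission on a Namespace, flags explicit grants that the user's Role already implies (a least-privilege review), and checks an invite or permission change against who the page says may perform it. The `User` class, function names and sample users are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Account-level Roles and Namespace-level permissions, weakest to strongest (constructed model).
ACCOUNT_ROLES = ("Read-Only", "Developer", "Global Admin")
NS_PERMISSIONS = ("Read-Only", "Write", "Namespace Admin")

@dataclass
class User:
    email: str
    account_role: str
    namespace_permissions: dict = field(default_factory=dict)  # namespace -> explicit permission
    created_namespaces: set = field(default_factory=set)  # a Developer is Namespace Admin here

def effective_permission(user, namespace):
    """Strongest permission `user` holds on `namespace`, or None if no access."""
    if user.account_role == "Global Admin":
        return "Namespace Admin"  # implied on every Namespace in the account
    held = []
    if user.account_role == "Developer" and namespace in user.created_namespaces:
        held.append("Namespace Admin")  # implied for Namespaces the Developer created
    if namespace in user.namespace_permissions:
        held.append(user.namespace_permissions[namespace])
    return max(held, key=NS_PERMISSIONS.index) if held else None

def redundant_grants(user):
    """Explicit Namespace grants that add nothing beyond what the Role already implies."""
    return sorted(ns for ns in user.namespace_permissions
                  if user.account_role == "Global Admin"
                  or (user.account_role == "Developer" and ns in user.created_namespaces))

def can_assign_permission(actor, namespace):
    """Global Admin may assign on any Namespace; a Developer only on Namespaces they created."""
    if actor.account_role == "Global Admin":
        return True
    return actor.account_role == "Developer" and namespace in actor.created_namespaces

def review_invite(actor, role, namespace_permissions):
    """Findings for an invite request; an empty list means nothing to object to."""
    findings = []
    if actor.account_role != "Global Admin":
        findings.append("inviter must hold the Global Admin Role")
    if role not in ACCOUNT_ROLES:
        findings.append(f"unknown account-level Role {role!r}")
    for ns, perm in namespace_permissions.items():
        if perm not in NS_PERMISSIONS:
            findings.append(f"{ns}: unknown permission {perm!r}")
        elif role == "Global Admin":
            findings.append(f"{ns}: explicit {perm} is redundant for a Global Admin")
    return findings
```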

How to update an account-level Role in Temporal Cloud

You can update the account-level Role for a user by using either Web UI or tcld.

info

To update an account-level Role, a user must have the Global Admin account-level Role.

How to update an account-level Role using Web UI

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, select the user.
  3. On the user profile page, select Edit User.
  4. On the Edit User page in Account Level Role, select the Role.
  5. Select Save.

How to update an account-level Role using tcld

For details, see the tcld user set-account-role command.

How to update Namespace-level permissions in Temporal Cloud

You can update Namespace-level permissions by using either Web UI or tcld.

How to use the Web UI to update a user's permissions across multiple Namespaces

  1. In Temporal Web UI, select Namespaces in the left portion of the window.
  2. On the Namespaces page, select the Namespace.
  3. If necessary, scroll down to the list of permissions.
  4. On the user profile page in Namespace permissions, select the Namespace.
  5. On the Namespace page in Account Level Role, select the Role.
  6. Select Save.

How to use the Web UI to update permissions for multiple users within a single Namespace

note

A user who has the Global Admin account-level Role has Namespace Admin permissions for all Namespaces.

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page in the Users tab, select the user.
  3. On the user profile page, select Edit User.
  4. On the Edit User page in Namespace permissions, change the permissions for one or more Namespaces.
  5. Select Save.

How to use tcld to update Namespace-level permissions

For details, see the tcld user set-namespace-permissions command.

How to delete a user from your Temporal Cloud account

You can delete a user from your Temporal Cloud Account by using either Web UI or tcld.

info

To delete a user, a user must have the Global Admin account-level Role.

How to delete a user using Web UI

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, find the user and, on the right end of the row, select Delete.
  3. In the Delete User dialog, select Delete.

You can delete a user in two other ways in Web UI:

  • User profile page: Select the down arrow next to Edit User and then select Delete.
  • Edit User page: Select Delete User.

How to delete a user using tcld

For details, see the tcld user delete command.

Account-level Roles and Namespace-level permissions

Temporal account-level Roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs. The following table provides the API details associated with each account-level Role and Namespace-level permission.

note

Account Global Admin has Namespace Admin permissions on Namespaces.

Account-level Role details

This table provides API-level details for the permissions granted to a user through account-level Roles. These permissions are configured per user.

Permission | Read-only | Developer | Global Admin
CountIdentities
CreateAPIKey
CreateNamespace
CreateServiceAccount
CreateServiceAccountAPIKey
CreateUser
DeleteAPIKey
DeleteServiceAccount
DeleteUser
GetAccount
GetAccountFeatureFlags
GetAccountLimits
GetAccountSettings
GetAccountUsage
GetAPIKey
GetAPIKeys
GetAsyncOperation
GetDecodedCertificate
GetIdentities
GetIdentity
GetNamespaces
GetNamespacesUsage
GetRegion
GetRegions
GetRequestStatus
GetRequestStatuses
GetRequestStatusesForNamespace
GetRequestStatusesForUser
GetRoles
GetRolesByPermissions
GetServiceAccount
GetServiceAccounts
GetUser
GetUsers
GetUsersWithAccountRoles
InviteUsers
ListCreditLedgerEntries
ListGrants
ListNamespaces
ResendUserInvite
SetAccountSettings
SyncCurrentUserInvite
UpdateAccount
UpdateAPIKey
UpdateServiceAccount
UpdateUser

Namespace-level permissions details

This table provides API-level details for the permissions granted to a user through Namespace-level permissions. These permissions are configured per Namespace per user.

Permission | Read | Write | Namespace Admin
CountWorkflowExecutions
CreateExportSink
CreateSchedule
DeleteExportSink
DeleteNamespace
DeleteSchedule
DescribeBatchOperation
DescribeNamespace
DescribeSchedule
DescribeTaskQueue
DescribeWorkflowExecution
FailoverNamespace
GetExportSink
GetExportSinks
GetNamespace
GetNamespaceUsage
GetReplicationStatus
GetSearchAttributes
GetUsersForNamespace
GetWorkerBuildIdCompatibility
GetWorkerTaskReachability
GetWorkflowExecutionHistory
GetWorkflowExecutionHistoryReverse
GlobalizeNamespace
ListBatchOperations
ListClosedWorkflowExecutions
ListExportSinks
ListFailoverHistoryByNamespace
ListOpenWorkflowExecutions
ListReplicaStatus
ListScheduleMatchingTimes
ListSchedules
ListTaskQueuePartitions
ListWorkflowExecutions
PatchSchedule
PollActivityTaskQueue
PollWorkflowTaskQueue
QueryWorkflow
RecordActivityTaskHeartbeat
RecordActivityTaskHeartbeatById
RenameCustomSearchAttribute
RequestCancelWorkflowExecution
ResetStickyTaskQueue
ResetWorkflowExecution
RespondActivityTaskCanceled
RespondActivityTaskCanceledById
RespondActivityTaskCompleted
RespondActivityTaskCompletedById
RespondActivityTaskFailed
RespondActivityTaskFailedById
RespondQueryTaskCompleted
RespondWorkflowTaskCompleted
RespondWorkflowTaskFailed
SetUserNamespaceAccess
SignalWithStartWorkflowExecution
SignalWorkflowExecution
StartBatchOperation
StartWorkflowExecution
StopBatchOperation
TerminateWorkflowExecution
UpdateExportSink
UpdateNamespace
UpdateSchedule
UpdateUserNamespacePermissions
ValidateExportSink
ValidateGlobalizeNamespace