Manage users
- How to invite users to your Temporal Cloud account
- What are the account-level roles?
- What are the Namespace-level permissions?
- How to update an account-level Role in Temporal Cloud
- How to update Namespace-level permissions in Temporal Cloud
- How to delete a user from your Temporal Cloud account
How to invite users to your Temporal Cloud account
Access to Temporal Cloud can be authorized through email and password, Google single sign-on, Microsoft single sign-on, or SAML, depending on your setup.
If you are using Google OAuth for single sign-on and an email address is not associated with a Google Account, the user must follow the instructions in the Use an existing email address section of Create a Google Account.
Important: Do not create a Gmail account when creating a Google Account.
If your organization uses Google Workspace or Microsoft Entra ID, and your IT administrator has enabled controls over single sign-on permissions, then you will need to work with your IT administrator to allow logins to Temporal Cloud.
When a user is created in Temporal Cloud, they receive an invitation email with a link. They must use this link to finalize their setup and access Temporal Cloud. Accounts with SAML configurations can ignore this email. However, those using Google/Microsoft SSO or email and password authentication need to accept the invitation link for their initial login to Temporal Cloud. For future logins, they must use the same authentication method they originally signed up with.
To invite users, a user must have the Global Admin or Account Owner account-level role.
Roles and permissions
Each user in Temporal Cloud is assigned a role. Each user can be assigned permissions for individual Namespaces.
- Web UI
- tcld
- Cloud Ops API
To invite users using the Temporal Cloud UI:
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page, select Create Users in the upper-right portion of the window.
- On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
- In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
- If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
- When all permissions are assigned, select Send Invite.
Temporal sends an email message to each user. To join Temporal Cloud, a user must select Accept Invite in the message.
To invite users using tcld, see the tcld user invite command.
Temporal sends an email message to the specified user. To join Temporal Cloud, the user must select Accept Invite in the message.
You can invite users pragmatically using the Cloud Ops API.
- Create a connection to your Temporal Service using the Cloud Operations API.
- Use the CreateUser service to create a user.
Frequently Asked Questions
Can the same email be used across different Temporal Cloud accounts?
No — each email address can only be associated with a single Temporal Cloud account. If you need access to multiple accounts, you’ll need a separate invite for each one using a different email address.
Can I use Google or Microsoft SSO after signing up with email and password?
If you originally signed up for Temporal Cloud using an email and password, you won’t be able to log in using Google or Microsoft single sign-on.
If you prefer SSO, ask your Account Owner to delete your current user and send you a new invitation. During re-invitation, be sure to sign up using your preferred authentication method.
How do I complete the Secure Your Account
step?
If you signed up to Temporal Cloud using an email and password, you're required to set up multi-factor authentication (MFA) for added security. Currently, only authenticator apps are supported as an additional factor (such as Google Authenticator, Microsoft Authenticator, and Authy).
To proceed:
- Download a supported authenticator app on your mobile device.
- Scan the QR code shown on the Secure Your Account screen.
- Enter the verification code from your app to complete MFA setup.
- Securely store your recovery code. This code allows you to access your account if you lose access to your authenticator app.
Once MFA is configured, you’ll be able to continue using Temporal Cloud.
What if I lose access to my authenticator app?
If you lose access to your authenticator app, you can still log in by clicking Try another method on the MFA screen. From there, you can either:
- Enter your recovery code (provided when you first set up MFA)
- Receive a verification code through email
Once you're logged in, you can reset your authenticator app by navigating to My Profile > Password and Authentication and then clicking Authenticator App > Remove method.
How do I reset my password?
If you're currently logged in and would like to change your password, click your profile icon at the top right of the Temporal Cloud UI, navigate to My Profile > Password and Authentication, and then click Reset Password.
If you're not currently logged in, navigate to the login page of the Temporal Cloud UI, enter your email address, click Continue, and then select Forgot password. In both cases, you will receive an email with instructions on how to reset your password.
What are the account-level roles for users in Temporal Cloud?
When an Account Owner or Global Admin invites a user to join an account, they select one of the following roles for that user:
- Global Admin
- Has full administrative permissions across the account, including users and usage
- Can create and manage Namespaces and Nexus Endpoints
- Has Namespace Admin permissions on all Namespaces in the account. This permission cannot be revoked
- Developer
- Can create Namespaces
- Is granted Namespace Admin permission for each Namespace they create. This permission can be revoked
- Can create and manage Nexus Endpoints where they are a Namespace Admin on the Endpoint's target Namespace
- Read-Only
- Can read information
- Can be granted Namespace permissions, for example to read or write Workflow state in a given Namespace
- Can view all Nexus Endpoints in the account, which have separate runtime access controls
In addition, there are two roles that the Global Admin cannot assign:
- Account Owner
- Has full administrative permissions across the account, including users, usage and billing
- Can create and manage Namespaces and Nexus Endpoints
- Has Namespace Admin permissions on all Namespaces in the account. This permission cannot be revoked
- Finance Admin
- Has permissions to view billing information and update payment information
- Otherwise, has the same permissions as Account Read-only users
- Can only be assigned by an Account Owner
When the account is created, the initial user who logs in is automatically assigned the Account Owner role. If your account does not have an Account Owner, please reach out to Support to assign the appropriate individual to this role.
Using the Account Owner role
The Account Owner role (i.e., users with the Account Owner system role) holds the highest level of access in the system. This role configures account-level parameters and manages Temporal billing and payment information. It allows users to perform all actions within the Temporal Cloud account.
Temporal strongly recommends the following precautions when assigning the Account Owner role to users:
- Assign the role to at least two users in your organization. Otherwise, limit the number of users with this role.
- Associate a person’s direct email address to the Account Owner, rather than a shared or generic address, so Temporal Support can contact the right person in urgent situations.
This latter rule is useful for anyone on your team who may need to be contacted urgently, regardless of their Account role.
What are the Namespace-level permissions for users in Temporal Cloud?
An Account Owner or Global Admin can assign permissions for any Namespace in an account. A Developer can assign permissions for a Namespace they create.
For a Namespace, a user can have one of the following permissions:
- Namespace Admin:
- Can manage the Namespace including identities and permissions
- Can create, rename, update, and delete Workflows within the Namespace
- Write:
- Can create, rename, update, and delete Workflows within the Namespace
- Read-Only:
- Can only read information from the Namespace
How to update an account-level role in Temporal Cloud
With Global Admin or Account Owner privileges, you can update any user's account-level role using either the Web UI or the tcld CLI utility. The Account Owner role can only be granted by existing Account Owners.
For security reasons, changes to the Account Owner role must be made through Temporal Support. To change or delete an Account Owner, you must submit a support ticket.
How to update an account-level role using Web UI
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page, select the user.
- On the user profile page, select Edit User.
- On the Edit User page in Account Level Role, select the role.
- Select Save.
How to update an account-level role using tcld
For details, see the tcld user set-account-role command.
How to update Namespace-level permissions in Temporal Cloud
You can update Namespace-level permissions by using either Web UI or tcld.
How to use the Web UI to update a user's permissions across multiple Namespaces
- In Temporal Web UI, select Namespaces in the left portion of the window.
- On the Namespaces page, select the Namespace.
- If necessary, scroll down to the list of permissions
- On the user profile page in Namespace permissions, select the Namespace.
- On the Namespace page in Account Level Role, select the role.
- Select Save.
How to use the Web UI to update permissions for multiple users within a single Namespace
A user with the Account Owner or Global Admin account-level role has Namespace Admin permissions for all Namespaces.
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page in the Users tab, select the user.
- On the user profile page, select Edit User.
- On the Edit User page in Namespace permissions, change the permissions for one or more Namespaces.
- Select Save.
How to use tcld to update Namespace-level permissions
For details, see the tcld user set-namespace-permissions command.
How to delete a user from your Temporal Cloud account
You can delete a user from your Temporal Cloud Account by using either Web UI or tcld.
To delete a user, a user must have the Account Owner or Global Admin account-level role.
How to update an account-level role using Web UI
- In Temporal Web UI, select Settings in the left portion of the window.
- On the Settings page, find the user and, on the right end of the row, select Delete.
- In the Delete User dialog, select Delete.
You can delete a user in two other ways in Web UI:
- User profile page: Select the down arrow next to Edit User and then select Delete.
- Edit User page: Select Delete User.
How to update an account-level role using tcld
For details, see the tcld user delete command.
Account-level roles and Namespace-level permissions
Temporal account-level roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs. The following table provides the API details associated with each account-level role and Namespace-level permission.
Account Owners and Global Admins have Namespace Admin permissions on all Namespaces.
Account-level role details
This table provides API-level details for the permissions granted to a user through account-level roles. These permissions are configured per user.
Permission | Read-only | Developer | Finance Admin | Global Admin | Account Owner |
---|---|---|---|---|---|
CountIdentities | ✔ | ✔ | ✔ | ✔ | ✔ |
CreateAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
CreateNamespace | ✔ | ✔ | ✔ | ||
CreateNexusEndpoint | ✔ | ✔ | ✔ | ||
CreateServiceAccount | ✔ | ✔ | |||
CreateServiceAccountAPIKey | ✔ | ✔ | |||
CreateStripeCustomerPortalSession | ✔ | ✔ | |||
CreateUser | ✔ | ✔ | |||
DeleteAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
DeleteNexusEndpoint | ✔ | ✔ | ✔ | ||
DeleteServiceAccount | ✔ | ✔ | |||
DeleteUser | ✔ | ✔ | |||
GetAccount | ✔ | ✔ | ✔ | ✔ | ✔ |
GetAccountFeatureFlags | ✔ | ✔ | ✔ | ✔ | ✔ |
GetAccountLimits | ✔ | ✔ | ✔ | ✔ | ✔ |
GetAccountSettings | ✔ | ✔ | ✔ | ✔ | ✔ |
GetAccountUsage | ✔ | ✔ | |||
GetAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
GetAPIKeys | ✔ | ✔ | ✔ | ✔ | ✔ |
GetAsyncOperation | ✔ | ✔ | ✔ | ✔ | ✔ |
GetDecodedCertificate | ✔ | ✔ | ✔ | ✔ | ✔ |
GetIdentities | ✔ | ✔ | ✔ | ✔ | ✔ |
GetIdentity | ✔ | ✔ | ✔ | ✔ | ✔ |
GetNamespaces | ✔ | ✔ | ✔ | ✔ | ✔ |
GetNamespacesUsage | ✔ | ✔ | |||
GetNexusEndpoint | ✔ | ✔ | ✔ | ✔ | ✔ |
GetNexusEndpoints | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRegion | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRegions | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRequestStatus | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRequestStatuses | ✔ | ✔ | |||
GetRequestStatusesForNamespace | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRequestStatusesForUser | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRoles | ✔ | ✔ | ✔ | ✔ | ✔ |
GetRolesByPermissions | ✔ | ✔ | ✔ | ✔ | ✔ |
GetServiceAccount | ✔ | ✔ | ✔ | ✔ | ✔ |
GetServiceAccounts | ✔ | ✔ | ✔ | ✔ | ✔ |
GetStripeInvoice | ✔ | ✔ | |||
GetUser | ✔ | ✔ | ✔ | ✔ | ✔ |
GetUsers | ✔ | ✔ | ✔ | ✔ | ✔ |
GetUsersWithAccountRoles | ✔ | ✔ | ✔ | ✔ | ✔ |
InviteUsers | ✔ | ✔ | |||
ListCreditLedgerEntries | ✔ | ✔ | |||
ListGrants | ✔ | ✔ | |||
ListMetronomeInvoices | ✔ | ✔ | |||
ListMetronomeInvoicesForNamespace | ✔ | ✔ | |||
ListNamespaces | ✔ | ✔ | ✔ | ✔ | ✔ |
ListPromotionGrantBalances | ✔ | ✔ | |||
ResendUserInvite | ✔ | ✔ | |||
SetAccountSettings | ✔ | ✔ | |||
SyncCurrentUserInvite | ✔ | ✔ | ✔ | ✔ | ✔ |
UpdateAccount | ✔ | ✔ | |||
UpdateAPIKey | ✔ | ✔ | ✔ | ✔ | ✔ |
UpdateNexusEndpoint | ✔ | ✔ | ✔ | ||
UpdateServiceAccount | ✔ | ✔ | |||
UpdateUser | ✔ | ✔ |
Namespace-level permissions details
This table provides API-level details for the permissions granted to a user through Namespace-level permissions. These permissions are configured per Namespace per user.
Permission | Read | Write | Namespace Admin |
---|---|---|---|
CountWorkflowExecutions | ✔ | ✔ | ✔ |
CreateExportSink | ✔ | ✔ | |
CreateSchedule | ✔ | ✔ | |
DeleteExportSink | ✔ | ✔ | |
DeleteNamespace | ✔ | ✔ | |
DeleteSchedule | ✔ | ✔ | |
DescribeBatchOperation | ✔ | ✔ | ✔ |
DescribeNamespace | ✔ | ✔ | ✔ |
DescribeSchedule | ✔ | ✔ | ✔ |
DescribeTaskQueue | ✔ | ✔ | ✔ |
DescribeWorkflowExecution | ✔ | ✔ | ✔ |
FailoverNamespace | ✔ | ||
GetExportSink | ✔ | ✔ | ✔ |
GetExportSinks | ✔ | ✔ | ✔ |
GetNamespace | ✔ | ✔ | ✔ |
GetNamespaceUsage | ✔ | ✔ | ✔ |
GetReplicationStatus | ✔ | ✔ | ✔ |
GetSearchAttributes | ✔ | ✔ | ✔ |
GetUsersForNamespace | ✔ | ✔ | ✔ |
GetWorkerBuildIdCompatibility | ✔ | ✔ | ✔ |
GetWorkerTaskReachability | ✔ | ✔ | ✔ |
GetWorkflowExecutionHistory | ✔ | ✔ | ✔ |
GetWorkflowExecutionHistoryReverse | ✔ | ✔ | ✔ |
GlobalizeNamespace | ✔ | ||
ListBatchOperations | ✔ | ✔ | ✔ |
ListClosedWorkflowExecutions | ✔ | ✔ | ✔ |
ListExportSinks | ✔ | ✔ | ✔ |
ListFailoverHistoryByNamespace | ✔ | ✔ | ✔ |
ListOpenWorkflowExecutions | ✔ | ✔ | ✔ |
ListReplicaStatus | ✔ | ✔ | ✔ |
ListScheduleMatchingTimes | ✔ | ✔ | ✔ |
ListSchedules | ✔ | ✔ | ✔ |
ListTaskQueuePartitions | ✔ | ✔ | ✔ |
ListWorkflowExecutions | ✔ | ✔ | ✔ |
PatchSchedule | ✔ | ✔ | |
PollActivityTaskQueue | ✔ | ✔ | |
PollWorkflowTaskQueue | ✔ | ✔ | |
QueryWorkflow | ✔ | ✔ | ✔ |
RecordActivityTaskHeartbeat | ✔ | ✔ | |
RecordActivityTaskHeartbeatById | ✔ | ✔ | |
RenameCustomSearchAttribute | ✔ | ✔ | |
RequestCancelWorkflowExecution | ✔ | ✔ | |
ResetStickyTaskQueue | ✔ | ✔ | |
ResetWorkflowExecution | ✔ | ✔ | |
RespondActivityTaskCanceled | ✔ | ✔ | |
RespondActivityTaskCanceledById | ✔ | ✔ | |
RespondActivityTaskCompleted | ✔ | ✔ | |
RespondActivityTaskCompletedById | ✔ | ✔ | |
RespondActivityTaskFailed | ✔ | ✔ | |
RespondActivityTaskFailedById | ✔ | ✔ | |
RespondQueryTaskCompleted | ✔ | ✔ | |
RespondWorkflowTaskCompleted | ✔ | ✔ | |
RespondWorkflowTaskFailed | ✔ | ✔ | |
SetUserNamespaceAccess | ✔ | ||
SignalWithStartWorkflowExecution | ✔ | ✔ | |
SignalWorkflowExecution | ✔ | ✔ | |
StartBatchOperation | ✔ | ✔ | |
StartWorkflowExecution | ✔ | ✔ | |
StopBatchOperation | ✔ | ✔ | |
TerminateWorkflowExecution | ✔ | ✔ | |
UpdateExportSink | ✔ | ✔ | |
UpdateNamespace | ✔ | ✔ | |
UpdateSchedule | ✔ | ✔ | |
UpdateUserNamespacePermissions | ✔ | ||
ValidateExportSink | ✔ | ✔ | |
ValidateGlobalizeNamespace | ✔ |
Account Owners and Global Admins will have Namespace Admin permissions on Namespaces.