Skip to main content

Manage users

How to invite users to your Temporal Cloud account

To invite users using the Temporal Cloud UI:

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, select Create Users in the upper-right portion of the window.
  3. On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
  4. In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
  5. If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
  6. When all permissions are assigned, select Send Invite.

The new users receive an email with a link to accept the invitation and complete their setup. The new user must use this link to sign up to be added to your account unless the account has a SAML configuration. If your account has a SAML configuration, the new user can sign in using their existing SAML credentials and be included in the account automatically.

caution

The new user must use the same authentication method they originally signed up with to sign in to Temporal Cloud. If they used single sign-on (SSO), they must use the same SSO provider to sign in to Temporal Cloud. If they used email and password authentication, they must use the same email and password to sign in to Temporal Cloud, and cannot use SSO, even if the underlying email address is the same.

What are the account-level roles for users in Temporal Cloud?

When an Account Owner or Global Admin invites a user to join an account, they select one of the following roles for that user:

  • Global Admin
    • Has full administrative permissions across the account, including users and usage
    • Can create and manage Namespaces and Nexus Endpoints
    • Has Namespace Admin permissions on all Namespaces in the account. This permission cannot be revoked
  • Developer
    • Can create Namespaces
    • Is granted Namespace Admin permission for each Namespace they create. This permission can be revoked
    • Can create and manage Nexus Endpoints where they are a Namespace Admin on the Endpoint's target Namespace
  • Read-Only
    • Can read information
    • Can be granted Namespace permissions, for example to read or write Workflow state in a given Namespace
    • Can view all Nexus Endpoints in the account, which have separate runtime access controls

In addition, there are two roles that the Global Admin cannot assign:

  • Account Owner
    • Has full administrative permissions across the account, including users, usage and billing
    • Can create and manage Namespaces and Nexus Endpoints
    • Has Namespace Admin permissions on all Namespaces in the account. This permission cannot be revoked
  • Finance Admin
    • Has permissions to view billing information and update payment information
    • Otherwise, has the same permissions as Account Read-only users
    • Can be assigned to Service Accounts by a Global Admin, but otherwise can only be assigned by an Account Owner
Default Role

When the account is created, the initial user who logs in is automatically assigned the Account Owner role. If your account does not have an Account Owner, please reach out to Support to assign the appropriate individual to this role.

Using the Account Owner role

The Account Owner role (i.e., users with the Account Owner system role) holds the highest level of access in the system. This role configures account-level parameters and manages Temporal billing and payment information. It allows users to perform all actions within the Temporal Cloud account.

Best Practices

Temporal strongly recommends the following precautions when assigning the Account Owner role to users:

  • Assign the role to at least two users in your organization. Otherwise, limit the number of users with this role.
  • Associate a person’s direct email address to the Account Owner, rather than a shared or generic address, so Temporal Support can contact the right person in urgent situations.

This latter rule is useful for anyone on your team who may need to be contacted urgently, regardless of their Account role.

What are the Namespace-level permissions for users in Temporal Cloud?

An Account Owner or Global Admin can assign permissions for any Namespace in an account. A Developer can assign permissions for a Namespace they create.

For a Namespace, a user can have one of the following permissions:

  • Namespace Admin:
  • Write:
    • Can create, rename, update, and delete Workflows within the Namespace
  • Read-Only:
    • Can only read information from the Namespace

How to update an account-level role in Temporal Cloud

With Global Admin or Account Owner privileges, you can update any user's account-level role using either the Web UI or the tcld CLI utility. The Account Owner role can only be granted by existing Account Owners.

For security reasons, changes to the Account Owner role must be made through Temporal Support. To change or delete an Account Owner, you must submit a support ticket.

How to update an account-level role using Web UI

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, select the user.
  3. On the user profile page, select Edit User.
  4. On the Edit User page in Account Level Role, select the role.
  5. Select Save.

How to update an account-level role using tcld

For details, see the tcld user set-account-role command.

How to update Namespace-level permissions in Temporal Cloud

You can update Namespace-level permissions by using either Web UI or tcld.

How to use the Web UI to update a user's permissions across multiple Namespaces

  1. In Temporal Web UI, select Namespaces in the left portion of the window.
  2. On the Namespaces page, select the Namespace.
  3. If necessary, scroll down to the list of permissions
  4. On the user profile page in Namespace permissions, select the Namespace.
  5. On the Namespace page in Account Level Role, select the role.
  6. Select Save.

How to use the Web UI to update permissions for multiple users within a single Namespace

note

A user with the Account Owner or Global Admin account-level role has Namespace Admin permissions for all Namespaces.

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page in the Users tab, select the user.
  3. On the user profile page, select Edit User.
  4. On the Edit User page in Namespace permissions, change the permissions for one or more Namespaces.
  5. Select Save.

How to use tcld to update Namespace-level permissions

For details, see the tcld user set-namespace-permissions command.

How to delete a user from your Temporal Cloud account

You can delete a user from your Temporal Cloud Account by using either Web UI or tcld.

info

To delete a user, a user must have the Account Owner or Global Admin account-level role.

How to delete a user using Web UI

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, find the user and, on the right end of the row, select Delete.
  3. In the Delete User dialog, select Delete.

You can delete a user in two other ways in Web UI:

  • User profile page: Select the down arrow next to Edit User and then select Delete.
  • Edit User page: Select Delete User.

How to delete a user using tcld

For details, see the tcld user delete command.

Account-level roles and Namespace-level permissions

Temporal account-level roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs. The following table provides the API details associated with each account-level role and Namespace-level permission.

Account-level role details

This table provides API-level details for the permissions granted to a user through account-level roles. These permissions are configured per user.

PermissionRead-onlyDeveloperFinance AdminGlobal AdminAccount Owner
CountIdentities
CreateAccountAuditLogSink
CreateAPIKey
CreateNamespace
CreateNexusEndpoint
CreateServiceAccount
CreateServiceAccountAPIKey
CreateStripeCustomerPortalSession
CreateUser
DeleteAccountAuditLogSink
DeleteAPIKey
DeleteNexusEndpoint
DeleteServiceAccount
DeleteUser
GetAccount
GetAccountAuditLogSink
GetAccountAuditLogSinks
GetAccountFeatureFlags
GetAccountLimits
GetAccountSettings
GetAccountUsage
GetAPIKey
GetAPIKeys
GetAsyncOperation
GetAuditLogs
GetDecodedCertificate
GetIdentities
GetIdentity
GetNamespaces
GetNamespacesUsage
GetNexusEndpoint
GetNexusEndpoints
GetRegion
GetRegions
GetRequestStatus
GetRequestStatuses
GetRequestStatusesForNamespace
GetRequestStatusesForUser
GetRoles
GetRolesByPermissions
GetServiceAccount
GetServiceAccounts
GetStripeInvoice
GetUser
GetUsers
GetUsersWithAccountRoles
InviteUsers
ListCreditLedgerEntries
ListGrants
ListMetronomeInvoices
ListMetronomeInvoicesForNamespace
ListNamespaces
ListPromotionGrantBalances
ResendUserInvite
SetAccountSettings
SyncCurrentUserInvite
UpdateAccount
UpdateAccountAuditLogSink
UpdateAPIKey
UpdateNexusEndpoint
UpdateServiceAccount
UpdateUser
ValidateAccountAuditLogSink

Namespace-level permissions details

This table provides API-level details for the permissions granted to a user through Namespace-level permissions. These permissions are configured per Namespace per user.

note

Account Owners and Global Admins inherit Namespace Admin permissions on all Namespaces.

PermissionReadWriteNamespace Admin
CountWorkflowExecutions
CreateExportSink
CreateSchedule
DeleteExportSink
DeleteNamespace
DeleteSchedule
DescribeBatchOperation
DescribeNamespace
DescribeSchedule
DescribeTaskQueue
DescribeWorkflowExecution
FailoverNamespace
GetExportSink
GetExportSinks
GetNamespace
GetNamespaceUsage
GetReplicationStatus
GetSearchAttributes
GetUsersForNamespace
GetWorkerBuildIdCompatibility
GetWorkerTaskReachability
GetWorkflowExecutionHistory
GetWorkflowExecutionHistoryReverse
GlobalizeNamespace
ListBatchOperations
ListClosedWorkflowExecutions
ListExportSinks
ListFailoverHistoryByNamespace
ListOpenWorkflowExecutions
ListReplicaStatus
ListScheduleMatchingTimes
ListSchedules
ListTaskQueuePartitions
ListWorkflowExecutions
PatchSchedule
PollActivityTaskQueue
PollWorkflowTaskQueue
QueryWorkflow
RecordActivityTaskHeartbeat
RecordActivityTaskHeartbeatById
RenameCustomSearchAttribute
RequestCancelWorkflowExecution
ResetStickyTaskQueue
ResetWorkflowExecution
RespondActivityTaskCanceled
RespondActivityTaskCanceledById
RespondActivityTaskCompleted
RespondActivityTaskCompletedById
RespondActivityTaskFailed
RespondActivityTaskFailedById
RespondQueryTaskCompleted
RespondWorkflowTaskCompleted
RespondWorkflowTaskFailed
SetUserNamespaceAccess
SignalWithStartWorkflowExecution
SignalWorkflowExecution
StartBatchOperation
StartWorkflowExecution
StopBatchOperation
TerminateWorkflowExecution
UpdateExportSink
UpdateNamespace
UpdateSchedule
UpdateSearchAttributes
UpdateUserNamespacePermissions
ValidateExportSink
ValidateGlobalizeNamespace
UpdateNamespace settings

UpdateNamespace requires Namespace Admin permission and covers these settings:

How to troubleshoot account access issues

Why can't I sign in after my email domain changed?

If your organization changed its email domain (for example, from @oldcompany.com to @newcompany.com), you may be unable to sign in to Temporal Cloud with your existing account.

Why this happens: When you sign in using "Continue with Google" or "Continue with Microsoft", Temporal Cloud identifies your account by your email address. If your email address changes, Temporal Cloud sees this as a different identity and cannot match it to your existing account.

How to resolve this: Create a support ticket with the following information:

  • Your previous email address (the one originally used to access Temporal Cloud)
  • Your new email address
  • Your Temporal Cloud Account Id (if known)

Temporal Support can update your account to use your new email address.

Use SAML for enterprise identity management

If your organization frequently changes email domains or wants centralized control over user authentication, consider using SAML authentication. With SAML, your identity provider (IdP) manages user identities, and email domain changes can be handled within your IdP without affecting Temporal Cloud access.