Browse documentation

How do I add my team and set roles?

Organizations are the ownership boundary in Enforgate: keys, policies, upstreams, approvals, and the audit log all belong to an org, not to a single user. Invite teammates into your org and give each one a role that fits what they need to do.

Organizations

Everyone gets a personal organization on first sign-in, so a solo user just works. When you need to collaborate, invite people into a shared org. Your active orgdetermines what you see; if you belong to more than one, switch between them from the org switcher in the header. Your billing plan lives on the org, not on you.

The three roles

  • Admin — full control, including team management, organization settings, billing, branding, and security posture. Everything a developer and approver can do, plus the org itself.
  • Developer — manages the security configuration: keys, policies, upstreams, and notification configs, plus the playground. Can view and resolve approvals. Cannot manage the team or org-level settings.
  • Approver — read-only, plus the one action that matters most to an on-call reviewer: resolving approvals (approve/deny held calls). No mutation, no playground.
Roles are ordered admin > developer > approver. Every write checks the role first: reads and approval resolution need only membership; changing keys/policies needs developer; team and org changes need admin.

Inviting people

Admins invite teammates by email with a role. The invite is a single-use link that expires in 7 days; the recipient signs in (or signs up), accepts, and lands in the org with the role you chose. You can resend or revoke a pending invite at any time from the team page.

The last-admin guard

An org must always have at least one admin. Enforgate blocks the action that would remove or demote the final admin — so you can never lock your team out of its own settings, billing, or keys. Promote a second admin first if you need to step down.

Everything stays scoped

Every query in the dashboard is scoped to your active org and checked against your role, so a member of one org never sees another's keys, calls, or approvals. This is the same boundary the gateway enforces on API keys. For how the audit trail is filtered by role, see security & data handling; for how approvals reach the right reviewer, see approval routing.