# Manage users

Users are one of the primary access principals in Temporal Cloud. Each user is assigned one
[account-level role](/cloud/manage-access/roles-and-permissions#account-level-roles), and each role has a set of
permissions. In addition to account-level roles, users can also be assigned
[Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for specific
Namespaces. Each user can only perform an action if they have a role that grants them the necessary permissions.

When you register for Temporal Cloud without joining an existing account, you are assigned the Account Owner role for a
new account. You can then invite other users to join the account and assign them roles.

## Invite users to your Temporal Cloud account

**Web UI**

To invite users using the Temporal Cloud UI:

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, select **Create Users** in the upper-right portion of the window.
1. On the **Create Users** page in the **Email Addresses** box, type or paste one or more email addresses.
1. In **Account-Level Role**, select a [Role](/cloud/manage-access/roles-and-permissions#account-level-roles). The Role
   applies to all users whose email addresses appear in **Email Addresses**.
1. If the account has any Namespaces, they are listed under **Grant access to Namespaces**. To add a permission, select
   the checkbox next to a Namespace, and then select a
   [permission](/cloud/manage-access/roles-and-permissions#namespace-level-permissions). Repeat as needed.
1. When all permissions are assigned, select **Send Invite**.

**tcld**

Use the [`tcld user invite`](/cloud/tcld/user/#invite) command. Specify the user's email, an account-level role, and
optionally one or more Namespace permissions.

Available account roles: `admin` | `developer` | `read`.

Available Namespace permissions: `Admin` | `Write` | `Read`.

```command
tcld user invite \
  --user-email <user@example.com> \
  --account-role <role> \
  --namespace-permission <namespace>=<permission>
```

You can invite multiple users and assign multiple Namespace permissions in a single command:

```command
tcld user invite \
  --user-email user1@example.com \
  --user-email user2@example.com \
  --account-role developer \
  --namespace-permission ns1=Admin \
  --namespace-permission ns2=Write
```

**Cloud Ops API**

Use the [CreateUser](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to invite a user.

```
POST /cloud/users
```

The request body includes a `spec` with the following fields:

- `spec.email` — The email address of the user to invite.
- `spec.access.account_access.role` — The account-level role to assign.
- `spec.access.namespace_accesses` — A map of Namespace names to permissions.

Available roles: `ROLE_ADMIN` | `ROLE_DEVELOPER` | `ROLE_READ` | `ROLE_OWNER` | `ROLE_FINANCE_ADMIN`.

Available Namespace permissions: `PERMISSION_ADMIN` | `PERMISSION_WRITE` | `PERMISSION_READ`.

The new users receive an email with a link to accept the invitation and complete their setup. The new user must use this
link to sign up to be added to your account unless the account has a SAML configuration. If your account has a SAML
configuration, the new user can sign in using their existing SAML credentials and be included in the account
automatically.

> **⚠️ Caution:**
>
> The new user must use the same authentication method they originally signed up with to sign in to Temporal Cloud. If
> they used single sign-on (SSO), they must use the same SSO provider to sign in to Temporal Cloud. If they used email and
> password authentication, they must use the same email and password to sign in to Temporal Cloud, and cannot use SSO,
> even if the underlying email address is the same.

Global Admins cannot assign the Account Owner role or the Finance Admin role to new users they invite to the
account.

### Frequently Asked Questions

#### Can multiple Temporal Cloud accounts share the same email domain?

Yes. Multiple Temporal Cloud accounts can coexist with users from the same email domain.
Each account has its own independent SAML configuration, tied to its unique Account Id.
We recommend configuring [SAML](/cloud/saml) for each account independently.
For a smoother login experience, configure SAML for each account separately and use IdP-initiated login: click the relevant app tile in your identity provider's portal to go directly to the Temporal Cloud account associated with your email address.

#### Can the same email be used across different Temporal Cloud accounts?

No. Each email address can only be associated with a single Temporal Cloud account.
If you need access to multiple accounts, you'll need a separate invite for each one using a different email address.

#### Can I use Google or Microsoft SSO after signing up with email and password?

If you originally signed up for Temporal Cloud using an email and password, you won't be able to log in using Google or Microsoft single sign-on.

If you prefer SSO, ask your Account Owner to delete your current user and send you a new invitation.
When you accept the new invitation, be sure to sign up using your preferred authentication method.

## Update a user's account-level role 

With Global Admin or Account Owner privileges, you can update any user's account-level
[role](/cloud/manage-access/roles-and-permissions#account-level-roles). The Account Owner role can only be granted by
existing Account Owners.

For security reasons, you cannot remove the Account Owner role from a user yourself; it must be removed by Temporal
Support. To remove the Account Owner role, submit a [support ticket](https://temporalsupport.zendesk.com/).

**Web UI**

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, select the user.
1. On the user profile page, select **Edit User**.
1. On the **Edit User** page in **Account Level Role**, select the role.
1. Select **Save**.

**tcld**

Use the [`tcld user set-account-role`](/cloud/tcld/user/#set-account-role) command. Specify the user by email or ID and
the new role.

Available account roles: `admin` | `developer` | `read`. The Account Owner and Finance Admin roles cannot be assigned
through tcld; use the Web UI or Cloud Ops API to assign these roles.

```command
tcld user set-account-role --user-email <user@example.com> --account-role <role>
```

You can also identify the user by ID:

```command
tcld user set-account-role --user-id <user-id> --account-role <role>
```

**Cloud Ops API**

Use the [UpdateUser](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to update a user's account-level
role.

```
POST /cloud/users/{userId}
```

The request body includes a `spec` with the user's `access.account_access.role` field set to the desired role.

Available roles: `ROLE_OWNER` | `ROLE_ADMIN` | `ROLE_DEVELOPER` | `ROLE_FINANCE_ADMIN` | `ROLE_READ`.

## Update a user's Namespace-level permissions 

With Account Owner, Global Admin, or Namespace Admin privileges, you can update
[Namespace-level permissions](/cloud/manage-access/roles-and-permissions#namespace-level-permissions) for users within
Namespaces you administer. Account Owners and Global Admins have Namespace Admin permissions on all Namespaces
automatically.

**Web UI**

**Update a user's permissions across multiple Namespaces:**

1. In Temporal Web UI, select **Namespaces** in the left portion of the window.
1. On the **Namespaces** page, select the Namespace.
1. If necessary, scroll down to the list of permissions.
1. On the user profile page in **Namespace permissions**, select the Namespace.
1. On the Namespace page in **Account Level Role**, select the role.
1. Select **Save**.

**Update permissions for multiple users within a single Namespace:**

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page in the **Users** tab, select the user.
1. On the user profile page, select **Edit User**.
1. On the **Edit User** page in **Namespace permissions**, change the permissions for one or more Namespaces.
1. Select **Save**.

**tcld**

Use the [`tcld user set-namespace-permissions`](/cloud/tcld/user/#set-namespace-permissions) command. Specify the user
by email or ID and one or more Namespace permissions.

Each permission value must be in the format `namespace=permission-type`.

Available Namespace permissions: `Admin` | `Write` | `Read`.

```command
tcld user set-namespace-permissions --user-email <user@example.com> --namespace-permission <namespace>=<permission>
```

You can set multiple Namespace permissions in a single command:

```command
tcld user set-namespace-permissions --user-email <user@example.com> \
  --namespace-permission ns1=Admin \
  --namespace-permission ns2=Write
```

**Cloud Ops API**

Use the [SetUserNamespaceAccess](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to set a user's
permission for a specific Namespace.

```
POST /cloud/namespaces/{namespace}/users/{userId}/access
```

Set the `access.permission` field to the desired permission.

Available permissions: `PERMISSION_ADMIN` | `PERMISSION_WRITE` | `PERMISSION_READ`.
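The CreateUser, UpdateUser and SetUserNamespaceAccess bodies above share the same role and permission enums, and the tcld commands spell them differently (`developer` vs `ROLE_DEVELOPER`, `Write` vs `PERMISSION_WRITE`). The following added example, not Temporal's own client code, builds the CreateUser and SetUserNamespaceAccess bodies from tcld-style inputs and enforces the grant rule stated on this page (Global Admins cannot hand out the Owner or Finance Admin role). The `{"permission": ...}` shape of each `namespace_accesses` value is an assumption that mirrors the `access.permission` field of SetUserNamespaceAccess.

```python
# Added example (not Temporal's client code): build Cloud Ops API request bodies
# from tcld-style inputs and enforce the grant rules this page states.
TCLD_ROLES = {"admin": "ROLE_ADMIN", "developer": "ROLE_DEVELOPER", "read": "ROLE_READ"}
API_ROLES = {"ROLE_OWNER", "ROLE_ADMIN", "ROLE_DEVELOPER", "ROLE_FINANCE_ADMIN", "ROLE_READ"}
TCLD_PERMS = {"admin": "PERMISSION_ADMIN", "write": "PERMISSION_WRITE", "read": "PERMISSION_READ"}
API_PERMS = set(TCLD_PERMS.values())
OWNER_ONLY = {"ROLE_OWNER", "ROLE_FINANCE_ADMIN"}  # a Global Admin may not grant these

def normalize_role(role: str) -> str:
    """Accept the tcld spelling ("developer") or the API enum ("ROLE_DEVELOPER")."""
    api = TCLD_ROLES.get(role.lower(), role.upper())
    if api not in API_ROLES:
        raise ValueError(f"unknown account role: {role!r}")
    return api

def normalize_permission(perm: str) -> str:
    """Accept the tcld spelling ("Write") or the API enum ("PERMISSION_WRITE")."""
    api = TCLD_PERMS.get(perm.lower(), perm.upper())
    if api not in API_PERMS:
        raise ValueError(f"unknown Namespace permission: {perm!r}")
    return api

def parse_namespace_permission(arg: str) -> tuple:
    """Parse one tcld-style '<namespace>=<permission>' flag value."""
    ns, sep, perm = arg.partition("=")
    if not sep or not ns:
        raise ValueError(f"expected <namespace>=<permission>, got {arg!r}")
    return ns, normalize_permission(perm)

def check_grant(caller_role: str, role: str) -> None:
    """Only an Account Owner may hand out the Owner or Finance Admin role."""
    if role in OWNER_ONLY and caller_role != "ROLE_OWNER":
        raise PermissionError(f"{caller_role} may not grant {role}")

def create_user_spec(email: str, role: str, ns_perms: list, caller_role: str) -> dict:
    """Request body for POST /cloud/users (CreateUser)."""
    if email.count("@") != 1 or "." not in email.rsplit("@", 1)[1]:
        raise ValueError(f"invalid email: {email!r}")
    role = normalize_role(role)
    check_grant(caller_role, role)
    # Assumed value shape {"permission": ...}; mirrors SetUserNamespaceAccess's access.permission.
    accesses = {ns: {"permission": p} for ns, p in map(parse_namespace_permission, ns_perms)}
    access = {"account_access": {"role": role}, "namespace_accesses": accesses}
    return {"spec": {"email": email, "access": access}}

def set_namespace_access_body(permission: str) -> dict:
    """Request body for POST /cloud/namespaces/{namespace}/users/{userId}/access."""
    return {"access": {"permission": normalize_permission(permission)}}
```

Pass the returned dict as the JSON body of the corresponding request; the helper never sends anything itself.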

## Delete a user from your Temporal Cloud account 

With Account Owner or Global Admin privileges, you can delete a user from your Temporal Cloud account.

**Web UI**

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, find the user and, on the right end of the row, select **Delete**.
1. In the **Delete User** dialog, select **Delete**.

You can also delete a user in two other ways in Web UI:

- User profile page: Select the down arrow next to **Edit User** and then select **Delete**.
- **Edit User** page: Select **Delete User**.

**tcld**

Use the [`tcld user delete`](/cloud/tcld/user/#delete) command. Specify the user by email or ID.

```command
tcld user delete --user-email <user@example.com>
```

You can also identify the user by ID:

```command
tcld user delete --user-id <user-id>
```

**Cloud Ops API**

Use the [DeleteUser](https://saas-api.tmprl.cloud/docs/httpapi.html#tag/users) endpoint to remove a user from your
account.

```
DELETE /cloud/users/{userId}
```
