TrueFoundry makes it easy to add other members of your organization to the platform and provides role-based access control to manage access to resources. This guide covers how to invite and manage users, teams, and virtual accounts, and how to manage access tokens. To understand the different roles and permissions to resources in TrueFoundry, you can read here.
TrueFoundry has three primary user entities:
Users - These are the individuals who have access to the platform. They have a unique email address, and can be deactivated if the employee leaves the organization.
Users can only be deactivated, not deleted. This is to ensure that the user’s activity log is still maintained on the platform. If an employee created a resource and then left, you will be able to see when and who created the resource.
Teams - These are groups of users that can be added together to a resource. For example, you can add a team as a viewer to a cluster, admin to a workspace, etc. Using teams, you grant access to resources to the team and then only manage the members within the team.
Virtual Accounts - Virtual accounts are not mapped to any user. They can be created by admins to provide access to resources for applications / code. For example, if your code needs to access a TrueFoundry API or a model in the AI Gateway layer, it will need a valid token to access the API. In this case, we should not provide a user token, since it will be deactivated if the user leaves the organization.
To enable your team members to join the platform, you can either set up SSO with your Identity Provider (IdP) or invite them manually. To set up SSO, you can read here.
We recommend setting up SSO since it's more secure and also makes it easier to manage users.
To invite users manually, go to Platform → Access. Click on the Invite User button. Enter the user’s email address in the prompt.
If SSO is enabled for your organization, make sure to uncheck the “Send email to set password” checkbox. This ensures users sign in via SSO instead of setting a password manually.
After sending the invite:
The user will appear under the Users tab.
If you see a tag labelled Invite Pending or Registration Pending, it means the user has not yet completed the login process or accessed the platform.
Here are a few common actions you can perform on a user:
Make user a tenant-admin
There are two top-level roles in TrueFoundry:
Admins - Admins hold the highest level of access and are responsible for managing the overall TrueFoundry platform. They have full control over all resources, including users, clusters, and workspaces. Usually there should be only a few admins in an organization.
Members - These are general users of the platform. Members, by default, don’t have access to any resources and need to be explicitly granted access to resources.
The role associated with a user can only be modified by Admins.
Deactivate User
Admins can deactivate a user’s account. This will prevent the user from logging in to the platform.
Reset Password for a user
Admins can initiate a password reset process for a user. This will send an email to the user with a link to reset their password.
It might get cumbersome to add each individual user to each resource repeatedly. To solve this problem, we have the concept of teams: you add a team to a resource and then add or remove members from the team.
To create a team in TrueFoundry, follow these steps: