Users & RBAC

Manage user accounts, roles, and tenant memberships.

Overview

Umoo uses role-based access control (RBAC). Users are global (not tenant-specific), but their roles are scoped per tenant. A user can have different roles in different tenants.

JWT tokens contain only the user ID. The active tenant context is passed via the X-Tenant-ID header, and permissions are evaluated against the user's role in that tenant.

RBAC Role Hierarchy

Role         | Inherits     | Description
viewer       |              | Read-only access to devices, events, metrics
operator     | viewer       | Manage devices, trigger rollouts, open terminals
tenant_admin | operator     | Manage users, apps, network subnets, alert rules
super_admin  | tenant_admin | Platform-wide: manage tenants, quotas, all users

Note: super_admin is a platform-level flag set directly in the users table. All other roles are per-tenant assignments.

User List

Navigate to Users to see all users in your tenant.

Columns: Username, Display Name, Email, Role, Last Login.

Filter by Role.

Creating a User

  1. Click + Create User.
  2. Fill in:
    • Email (required, unique)
    • Username (optional, unique)
    • Display Name (shown in the UI)
    • Phone (optional)
    • Password (required)
    • Role — role in this tenant
  3. Click Create.

The user is created and added to the current tenant with the selected role.

Inviting a User

To invite an existing user or an email address that hasn't registered yet:

  1. Click Invite User (if visible for your role).
  2. Enter the email address.
  3. An invite token is generated and sent (or displayed).
  4. The invitee navigates to /api/v1/invite/redeem with the token to set their password and join the tenant.

Changing a User's Role

  1. Click the menu on a user row → Change Role.
  2. Select the new role.
  3. Click Save.

Role changes take effect on the user's next API request.

Suspending / Activating a User

  • Suspend — prevents the user from logging in without deleting their account.
  • Activate — re-enables a suspended account.

Click the menu → Suspend or Activate.

Custom Roles

Navigate to Users → Roles to define custom roles with fine-grained permissions.

Creating a Custom Role

  1. Click + Create Role.
  2. Enter a Role Name.
  3. Click Create.

Assigning Permissions

Open the role, click Update Permissions, and select from the available permissions table (resource + action pairs).

Available permissions are seeded by platform plugins (e.g. terminal/session:open, terminal/session:read).

Permission Format

Permissions follow the format: {plugin-id}/{subresource}:{action}

Examples:

  • terminal/session:open — open a terminal session
  • terminal/session:read — list terminal sessions
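
The following is an added example, not Umoo's own code. It sketches how a tenant-scoped check can combine the permission format above with the role hierarchy and the X-Tenant-ID header described in the Overview. Assumptions: the function names, the permission character set, the per-role grants, and the membership data are all constructed for illustration.

```python
import re

# Role inheritance as listed in the hierarchy table (child -> parent).
INHERITS = {"operator": "viewer", "tenant_admin": "operator",
            "super_admin": "tenant_admin"}

# Constructed grants; which role holds which permission is an assumption.
ROLE_GRANTS = {
    "viewer": {"terminal/session:read"},
    "operator": {"terminal/session:open"},
}

# Constructed data: (user_id, tenant_id) -> role held in that tenant.
MEMBERSHIPS = {("u-1", "t-a"): "operator", ("u-1", "t-b"): "viewer"}
SUPER_ADMINS = {"u-9"}  # platform-level flag, not a per-tenant assignment

# {plugin-id}/{subresource}:{action}; the allowed characters are an assumption.
PERM_RE = re.compile(r"([a-z0-9-]+)/([a-z0-9_-]+):([a-z0-9_-]+)")

def parse_permission(perm):
    """Split a permission string into (plugin_id, subresource, action)."""
    m = PERM_RE.fullmatch(perm)
    if not m:
        raise ValueError(f"malformed permission: {perm!r}")
    return m.groups()

def effective_permissions(role):
    """Union of a role's own grants and everything it inherits."""
    perms, seen = set(), set()
    while role and role not in seen:  # 'seen' guards against a cycle
        seen.add(role)
        perms |= ROLE_GRANTS.get(role, set())
        role = INHERITS.get(role)
    return perms

def is_allowed(user_id, tenant_header, perm):
    """user_id comes from the verified JWT; tenant_header is client-supplied.

    The header only selects which membership to look up. The role itself
    is always resolved server-side, never taken from the request.
    """
    parse_permission(perm)  # reject malformed permission strings early
    if user_id in SUPER_ADMINS:
        role = "super_admin"
    else:
        role = MEMBERSHIPS.get((user_id, tenant_header))
    if role is None:
        return False  # no membership in the named tenant: deny
    return perm in effective_permissions(role)
```

The same user is allowed `terminal/session:open` in tenant `t-a` and denied it in `t-b`, and a tenant ID the user has no membership in is denied regardless of the permission requested.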

API Key Roles

API keys are assigned a role at creation time. The key inherits all permissions of that role for the current tenant. See Settings → API Keys.

Umoo — IoT Device Management Platform