Skip to main content

Users

The Users panel is where you manage who belongs to the team and what they can do. It has two tabs:
  • Members — people who have already accepted an invitation.
  • Invitations — pending invites that have not been accepted yet.
Open it from Team settings → Users.

Members

The Members tab lists every active user on the team. For each row you see:
ColumnWhat it shows
UserAvatar, name, and email.
RoleThe team role (Owner / Admin / Member). See Team roles.
Product accessWhich products the user can open — All products, or a specific subset (TrustGate, TrustTest, …).
The row actions let you rotate per-product access, reset the user’s local password (if password login is still enabled), and remove the user from the team. The top of the tab exposes:
  • Search by name or email — substring match against the user list.
  • Role dropdown — narrow to Owners, Admins, or Members.
The right-hand counter (for example 31 members) reflects the total after filters.

Invite a new member

  1. Click Invite New Member.
  2. Enter the invitee’s email address.
  3. Pick the team role for the account.
  4. Pick the products the invitee should have access to (or All products).
  5. Send.
The invitation is added to the Invitations tab and the recipient gets an email with a sign-up link. When they accept, they move to Members.
If the team enforces SSO, the invitee must sign up through the identity provider you configured. If SCIM is enabled on Microsoft Entra ID, most users should be provisioned automatically and you won’t need to invite them manually — see SCIM.

Invitations

The Invitations tab lists every invite that hasn’t been accepted yet. For each pending invite you can:
  • Resend — fire off the invitation email again (useful when it was missed or the link expired).
  • Copy invite link — paste the link into Slack / email if the recipient never received the automated email.
  • Revoke — cancel the invitation. The link stops working immediately.
Invitations expire after a period of inactivity. Revoking and re-inviting is always safe.

Team roles

A team role is tenant-wide and gates access to Team Settings itself. It is separate from per-product roles (every product — TrustGate, TrustTest, … — has its own role model).
RoleTeam SettingsUsers & invitationsSSO / Password / Audit / SIEMDelete team
OwnerFull accessFull accessFull accessYes
AdminFull access except SSO enforcement, SCIM tokens, break-glass, team deletionInvite, revoke, change roleRead & configureNo
MemberNot visibleOwn profile onlyNoNo
A team needs at least one Owner. The UI will refuse to demote the last Owner — transfer ownership first.

Product access

Even if the team has access to multiple products, individual users can be scoped to a subset:
  • All products — can open every product provisioned on the team.
  • Specific products — can only open the products listed (for example TrustGate only, TrustTest only, or a combination).
Changing product access does not change the user’s team role — a team Admin restricted to TrustGate is still a team Admin, they just can’t open the other products’ consoles. Product-level permissions (what they can do inside a product) are managed inside each product’s own role system.

Removing a user

Removing a user from Members immediately:
  • Revokes all active sessions.
  • Stops any API key tied to that user from authenticating.
  • Leaves past audit events intact — actor.email still reflects the original user.
If the user was provisioned by SCIM, they’ll be re-created the next time your identity provider syncs unless you also remove them from the upstream group. For SCIM-managed teams, deprovision in the IdP, not here.