'%20filter='url(%23b)'%20transform='translate(0%20-286)'/%3e%3cpath%20d='M1636.5%20147c-123.436%200-223.5%20102.975-223.5%20230s100.064%20230%20223.5%20230S1860%20504.025%201860%20377c-.143-126.964-100.124-229.853-223.5-230Zm107.16%20308.341c-1.892%202.323-4.973%203.231-7.78%202.295l-98.896-32.908-98.896%2032.908c-2.807.933-5.884.022-7.774-2.3-1.89-2.32-2.212-5.587-.815-8.25l101.128-192.49c1.376-2.238%203.776-3.596%206.357-3.596%202.58%200%204.981%201.358%206.357%203.596l101.128%20192.49c1.401%202.663%201.08%205.932-.81%208.255Z'%20fill='url(%23c)'%20filter='url(%23d)'%20transform='translate(0%20-286)'/%3e%3c/g%3e%3c/svg%3e)
Members, roles, invites, and authentication providers
This page covers who can do what inside an organization: memberships, invitations, custom roles, and optional enterprise login configuration.
Memberships
A membership links an account to an organization and assigns roles.
- Removing all roles does not necessarily remove membership — behavior depends on product rules; treat role assignment as the source of capability.
- Members only see projects they have permission to read (project list may filter).
Typical admin tasks
- Invite a colleague by email.
- Assign owner / admin / member style roles (exact names depend on your deployment’s seed roles).
- Revoke access when someone leaves.
Invitations
Invites are pending memberships: a user receives a link or email, accepts, and becomes a member with the pre-assigned roles.
Good practices
- Use least privilege — start with read-only on production projects.
- Separate billing admin from infrastructure admin where possible.
Roles and permission keys
Loopback’s authorization model is resource-scoped:
- Organization resources (billing, domains, bundle repos, notification channels, …).
- Project resources (object storage, project load balancers, DNS zones, monitoring, …).
- Workspace resources (hosts, kubeconfig, Kubernetes API proxy, agent tokens, workspace load balancers, scaling groups, …).
A role is a named collection of allow rules on these permission keys (e.g. project.workspace, project.workspace.host, project.workspace.kubernetes.kubeconf).
Customer-visible effect
- Two “Admin” users might differ if one’s role omits kubeconfig download or host create.
- Custom roles let you model SRE, Finance, Read-only auditor.
Full key list in human language: Access control & permissions.
Authentication providers (organization IdP)
Organizations can configure authentication providers so users sign in to Loopback with corporate IdP (OIDC/SAML patterns depending on product version).
Not the same as Kubernetes OIDC
- Loopback login — access to the Loopback UI/API as a person.
- Kubernetes OIDC — access to
kubectlagainst your cluster’s API server usingkubectl oidc-login(configured during cluster provisioning).
You may need both: IdP for the portal, and group claims mapped for cluster RBAC.