Skip to main content

Manage Access

An organization is the main Catalyst entity under which a set of Catalyst projects are onboarded.

Manage from the Catalyst console

Every operation on this page — inviting users, assigning roles, and creating or deleting API keys — can also be done from the Catalyst Web UI at catalyst.diagrid.io.

👥User access

Invite administrators, editors, and viewers, and scope permissions to individual projects.

Manage users →

🔑Automation

Use API keys to authenticate via non-interactive automation through the Diagrid CLI.

Work with API keys →

Manage users and roles

Administrators invite users and assign roles that apply to every project or to specific project scopes.

Invite new users

Use the Diagrid CLI to invite new users:

diagrid product use catalyst

# Example: invite an admin
diagrid user create --email user@gmail.com --name user --role cra.diagrid:admin

# Example: invite a Consumer (developer access to API keys)
diagrid user create --email developer@gmail.com --name developer --role cra.diagrid:apiConsumer

# Example: invite an Operator (full project and subresource CRUD permissions)
diagrid user create --email operator@gmail.com --name operator --role cra.diagrid:apiOperator

Role definitions

Roles in Catalyst define a user's access level within the organization. The four roles are cumulative — each one includes every permission of the role before it and adds more:

  • Viewer – Read-only access to projects and their resources. Cannot create or modify anything, and cannot access API keys, App ID credentials, or metering data.
  • Consumer – Viewer permissions, plus read access to App ID credentials and metering data, full management of API keys, and the ability to run and manage workflow instances.
  • Operator – Consumer permissions, plus the ability to create and update projects, and to create, update, and delete all project resources (App IDs, components, subscriptions, resiliency policies, HTTP endpoints, service accounts, and more). Can list organization users but cannot manage them. Cannot delete projects (Admin only).
  • Admin – Operator permissions, plus full control over the organization: deleting projects, managing users and roles, billing and metering, SSO connections, and audit logs.

Roles can be applied at two levels:

  • Global roles apply the role's permissions to every project in the organization.
  • Scoped roles limit the role's permissions to one or more specific projects.

Permission matrix

The table below shows the access level each role has for every Catalyst resource:

  • Full – view, create, edit, and delete
  • View – read-only
  • None – no access
ResourceViewerConsumerOperatorAdmin
ProjectsViewViewCreate & editFull
App IDs, components, and configuration 1ViewViewFullFull
App ID credentialsNoneViewViewView
Workflow instances 2ViewRun & manageRun & manageRun & manage
Service accounts and workload identityNoneNoneFullFull
API keysNoneFullFullFull
Metering dataNoneViewViewFull
Users and rolesNoneNoneViewFull
Billing and SSO connectionsNoneNoneNoneFull
Audit logsNoneNoneNoneView
Organization profileViewViewViewView & edit

1 Includes pub/sub brokers, KV stores, bindings, subscriptions, resiliency policies, HTTP endpoints, and other components.

2 Run & manage covers scheduling, terminating, pausing, resuming, purging, raising events, and rerunning workflow instances.

Automate operations with API keys

API keys are named tokens with role assignments used for authenticating automation via the Diagrid CLI. After creation, include the token value with the --api-key flag to run commands under that key's permissions. Store the secret safely, for example:

catalyst_api_key=$(cat /secure-folder/diagrid-secret-token)

diagrid appid list --api-key "${catalyst_api_key}"

Refer to the Diagrid CLI reference for additional commands that accept the --api-key flag.

Important

API key secrets are only shown during creation. Copy the token before closing the dialog.

Generate API keys

Create API keys using the Diagrid CLI using the following reference. API responses include the secret token so make sure to copy it immediately because it is only displayed once.

  • Global role format: cra.diagrid:<role> (admin, viewer, apiConsumer, or apiOperator)
  • Scoped role format: cra.diagrid:<role>:projects:<project> where <role> is editor or viewer and <projects> represents a comma-separated list of 1+ project(s)
# Global admin key that expires in 24h (86400 seconds)
diagrid apikey create --name my-api-key --role cra.diagrid:admin --duration 86400

# Global API consumer key for automation, expires in 30 days (2,592,000 seconds)
diagrid apikey create --name my-automation-key --role cra.diagrid:apiConsumer --duration 2592000

# Scoped editor key for a specific project, expires in 30 days (2,592,000 seconds)
diagrid project list
diagrid apikeys create --name my-api-key --role cra.diagrid:editor:projects:<project> --duration 2592000
info

If no expiration period is configured when an API key is generated, the value is set to never (not recommended).

Create API keys from the console
  1. In the console sidebar, open API Keys.
  2. Select + Create API Key and provide a unique name.
  3. Choose an expiration period (avoid never unless required).
  4. Assign roles. See Role definitions.
  5. Select Create, then copy and securely store the token.

Delete API keys

Delete API keys using the Diagrid CLI:

# Find the key ID
diagrid apikeys list

# Delete by ID
diagrid apikeys delete <my-api-key-id>
Delete API keys from the console
  1. In the console sidebar, open API Keys.
  2. Locate the key to remove and open the action menu (three dots).
  3. Select Delete API Key and confirm.