Manage Access
An organization is the main Catalyst entity under which a set of Catalyst projects are onboarded.
Every operation on this page — inviting users, assigning roles, and creating or deleting API keys — can also be done from the Catalyst Web UI at catalyst.diagrid.io.
👥User access
Invite administrators, editors, and viewers, and scope permissions to individual projects.
Manage users →🔑Automation
Use API keys to authenticate via non-interactive automation through the Diagrid CLI.
Work with API keys →Manage users and roles
Administrators invite users and assign roles that apply to every project or to specific project scopes.
Invite new users
Use the Diagrid CLI to invite new users:
diagrid product use catalyst
# Example: invite an admin
diagrid user create --email user@gmail.com --name user --role cra.diagrid:admin
# Example: invite a Consumer (developer access to API keys)
diagrid user create --email developer@gmail.com --name developer --role cra.diagrid:apiConsumer
# Example: invite an Operator (full project and subresource CRUD permissions)
diagrid user create --email operator@gmail.com --name operator --role cra.diagrid:apiOperator
Role definitions
Roles in Catalyst define a user's access level within the organization. The four roles are cumulative — each one includes every permission of the role before it and adds more:
- Viewer – Read-only access to projects and their resources. Cannot create or modify anything, and cannot access API keys, App ID credentials, or metering data.
- Consumer – Viewer permissions, plus read access to App ID credentials and metering data, full management of API keys, and the ability to run and manage workflow instances.
- Operator – Consumer permissions, plus the ability to create and update projects, and to create, update, and delete all project resources (App IDs, components, subscriptions, resiliency policies, HTTP endpoints, service accounts, and more). Can list organization users but cannot manage them. Cannot delete projects (Admin only).
- Admin – Operator permissions, plus full control over the organization: deleting projects, managing users and roles, billing and metering, SSO connections, and audit logs.
Roles can be applied at two levels:
- Global roles apply the role's permissions to every project in the organization.
- Scoped roles limit the role's permissions to one or more specific projects.
Permission matrix
The table below shows the access level each role has for every Catalyst resource:
- Full – view, create, edit, and delete
- View – read-only
- None – no access
| Resource | Viewer | Consumer | Operator | Admin |
|---|---|---|---|---|
| Projects | View | View | Create & edit | Full |
| App IDs, components, and configuration 1 | View | View | Full | Full |
| App ID credentials | None | View | View | View |
| Workflow instances 2 | View | Run & manage | Run & manage | Run & manage |
| Service accounts and workload identity | None | None | Full | Full |
| API keys | None | Full | Full | Full |
| Metering data | None | View | View | Full |
| Users and roles | None | None | View | Full |
| Billing and SSO connections | None | None | None | Full |
| Audit logs | None | None | None | View |
| Organization profile | View | View | View | View & edit |
1 Includes pub/sub brokers, KV stores, bindings, subscriptions, resiliency policies, HTTP endpoints, and other components.
2 Run & manage covers scheduling, terminating, pausing, resuming, purging, raising events, and rerunning workflow instances.
Automate operations with API keys
API keys are named tokens with role assignments used for authenticating automation via the Diagrid CLI. After creation, include the token value with the --api-key flag to run commands under that key's permissions. Store the secret safely, for example:
catalyst_api_key=$(cat /secure-folder/diagrid-secret-token)
diagrid appid list --api-key "${catalyst_api_key}"
Refer to the Diagrid CLI reference for additional commands that accept the --api-key flag.
API key secrets are only shown during creation. Copy the token before closing the dialog.
Generate API keys
Create API keys using the Diagrid CLI using the following reference. API responses include the secret token so make sure to copy it immediately because it is only displayed once.
- Global role format:
cra.diagrid:<role>(admin,viewer,apiConsumer, orapiOperator) - Scoped role format:
cra.diagrid:<role>:projects:<project>where<role>is editor or viewer and<projects>represents a comma-separated list of 1+ project(s)
# Global admin key that expires in 24h (86400 seconds)
diagrid apikey create --name my-api-key --role cra.diagrid:admin --duration 86400
# Global API consumer key for automation, expires in 30 days (2,592,000 seconds)
diagrid apikey create --name my-automation-key --role cra.diagrid:apiConsumer --duration 2592000
# Scoped editor key for a specific project, expires in 30 days (2,592,000 seconds)
diagrid project list
diagrid apikeys create --name my-api-key --role cra.diagrid:editor:projects:<project> --duration 2592000
If no expiration period is configured when an API key is generated, the value is set to never (not recommended).
Create API keys from the console
- In the console sidebar, open API Keys.
- Select + Create API Key and provide a unique name.
- Choose an expiration period (avoid
neverunless required). - Assign roles. See Role definitions.
- Select Create, then copy and securely store the token.
Delete API keys
Delete API keys using the Diagrid CLI:
# Find the key ID
diagrid apikeys list
# Delete by ID
diagrid apikeys delete <my-api-key-id>
Delete API keys from the console
- In the console sidebar, open API Keys.
- Locate the key to remove and open the action menu (three dots).
- Select Delete API Key and confirm.