User Management

Users are individuals who access the Atlas Auth Guard system via Google OAuth authentication.


User Lifecycle

How Users Get Access

┌─────────────────────────────────────────────────────────────────────────────┐
│                        USER ONBOARDING FLOW                                  │
└─────────────────────────────────────────────────────────────────────────────┘

  ┌─────────────────────────────────────────────────────────────────────────┐
  │ STEP 1: INVITATION                                                       │
  │                                                                          │
  │  Admin invites user via email                                            │
  │  • User record created with status: "invited"                            │
  │  • User assigned to a team with role                                     │
  │  • User optionally assigned to projects                                  │
  │                                                                          │
  └─────────────────────────────────────────────────────────────────────────┘


  ┌─────────────────────────────────────────────────────────────────────────┐
  │ STEP 2: FIRST LOGIN                                                      │
  │                                                                          │
  │  User clicks "Sign in with Google"                                       │
  │  • Google OAuth authentication                                           │
  │  • Auth Guard verifies email domain (@turing.com)                        │
  │  • Auth Guard looks up user by email                                     │
  │  • User found with status "invited" → Change to "active"                 │
  │  • Generate JWT with user context                                        │
  │                                                                          │
  └─────────────────────────────────────────────────────────────────────────┘


  ┌─────────────────────────────────────────────────────────────────────────┐
  │ STEP 3: ACTIVE USER                                                      │
  │                                                                          │
  │  User can now:                                                           │
  │  • Access teams they're assigned to                                      │
  │  • Access projects they're assigned to                                   │
  │  • Execute services allowed by team policy                               │
  │  • Use the admin dashboard                                               │
  │                                                                          │
  └─────────────────────────────────────────────────────────────────────────┘

User Status

Status      Description                                      Can Login?  Effect
---------   -----------------------------------------------  ----------  --------------------------------------
invited     User has been invited but hasn't logged in yet   ✅ Yes      Activates on first login
active      Normal active user                               ✅ Yes      Full access per roles
suspended   Temporarily disabled                             ❌ No       Cannot login, existing sessions expire
disabled    Permanently disabled                             ❌ No       Cannot login, account locked


Global Roles

Every user has a global role that defines their base level of access across the platform.

super_admin

The highest level of access - platform administrators.

org_admin

Organization-level administrators.

member

Basic organization member - the default role.


Effective Role Calculation

When a user accesses a resource, their effective role determines what they can do. The system uses the most specific role that applies.

Precedence Order

Examples

User    Global        Team Role     Project Role   Accessing Project X    Effective Role
-----   -----------   -----------   ------------   --------------------   --------------
Alice   super_admin   -             -              Any project            super_admin
Bob     super_admin   team_member   -              Project in that team   team_member
Carol   super_admin   team_admin    viewer         Project X              viewer
Dave    member        team_admin    -              Project in that team   team_admin
Eve     member        team_member   editor         Project X              editor
Frank   org_admin     -             -              Any project in org     org_admin

Key Insight

Global roles bypass ACCESS CHECKS but don't override EXPLICIT ROLE ASSIGNMENTS.

  • super_admin can access any resource (bypasses team policy, membership checks)

  • But if super_admin has viewer role on a project, their effective role is viewer

  • This allows restricting sensitive projects even from admins
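The precedence shown in the examples table, as an added illustration that is not Atlas Auth Guard's own code: an explicit project role wins over a team role, which wins over the global role, and super_admin/org_admin skip the membership check while a plain member with no assignment is denied. The data model, the single-organization assumption and the sample users are assumptions made for this example; it also adds two cases the table does not list (an unassigned member and a suspended admin).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
GLOBAL_BYPASS = {"super_admin", "org_admin"}   # global roles that skip membership checks
LOGIN_OK = {"invited", "active"}               # statuses allowed to sign in

@dataclass
class User:                                    # assumed data model for this example
    name: str
    global_role: str                                    # super_admin | org_admin | member
    status: str = "active"
    team_roles: Dict[str, str] = field(default_factory=dict)     # team_id -> team role
    project_roles: Dict[str, str] = field(default_factory=dict)  # project_id -> project role

def login(user: User) -> bool:
    """Suspended/disabled users are refused; an invited user becomes active on first login."""
    if user.status not in LOGIN_OK:
        return False
    user.status = "active"
    return True

def effective_role(user: User, project_id: str, project_team: Dict[str, str]) -> Optional[str]:
    """Most specific role that applies to the project, or None when the user has no access."""
    if user.status not in LOGIN_OK:
        return None                                   # suspended/disabled: no access at all
    if project_id in user.project_roles:              # 1. explicit project assignment wins
        return user.project_roles[project_id]
    team_id = project_team.get(project_id)
    if team_id in user.team_roles:                    # 2. then the team role
        return user.team_roles[team_id]
    if user.global_role in GLOBAL_BYPASS:             # 3. admins need no membership
        return user.global_role
    return None                                       # plain member with no assignment

# Constructed sample data (assumed, single organization): projects X and Y belong to team T.
PROJECT_TEAM = {"X": "T", "Y": "T"}
USERS = {
    "Alice": User("Alice", "super_admin"),
    "Bob":   User("Bob", "super_admin", team_roles={"T": "team_member"}),
    "Carol": User("Carol", "super_admin", team_roles={"T": "team_admin"}, project_roles={"X": "viewer"}),
    "Dave":  User("Dave", "member", team_roles={"T": "team_admin"}),
    "Eve":   User("Eve", "member", team_roles={"T": "team_member"}, project_roles={"X": "editor"}),
    "Frank": User("Frank", "org_admin"),
    "Grace": User("Grace", "member"),                       # no assignments: must be denied
    "Heidi": User("Heidi", "super_admin", status="suspended"),
}

def resolve_all(project_id: str) -> Dict[str, Optional[str]]:
    """Effective role of every sample user on one project (None = access denied)."""
    return {name: effective_role(u, project_id, PROJECT_TEAM) for name, u in USERS.items()}
```

Resolving project Y (same team, no explicit project roles) shows the team role taking over for Carol and Eve, which is the behaviour the "most specific role" rule implies.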


Permissions

Permissions are the specific actions a user can perform. They're derived from the effective role.

Permission List

Permission             Description
--------------------   ---------------------------
read:org               View organization details
write:org              Update organization settings
read:team              View team details
write:team             Create/update teams
delete:team            Delete teams
manage:team_users      Add/remove team members
read:project           View project details
write:project          Create/update projects
delete:project         Delete projects
manage:project_users   Add/remove project members
execute:services       Call backend services
read:api_keys          View API keys
write:api_keys         Create API keys
delete:api_keys        Revoke API keys
read:routes            View service routes
write:routes           Manage service routes
read:policies          View service policies
write:policies         Manage service policies

Role → Permission Matrix

Roles (columns): super_admin, org_admin, team_admin, team_member, project_admin, editor, viewer

Permissions (rows): read:org, write:org, read:team, write:team, delete:team, manage:team_users,
read:project, write:project, delete:project, manage:project_users, execute:services,
read:api_keys, write:api_keys, delete:api_keys, read:routes, write:routes, read:policies,
write:policies


JWT Token

After login, users receive a JWT token containing their context:

Token Expiration

Token Type      Expiration   Use Case
-------------   ----------   --------------------
Access Token    24 hours     API requests
Refresh Token   30 days      Get new access token


Admin Dashboard Features

Access user management at: /admin/users

User List View

Column        Description
-----------   ---------------------------------------
Name          User's display name
Email         User's email address
Global Role   super_admin, org_admin, or member
Status        active, invited, suspended, disabled
Teams         Number of team memberships
Last Login    Last login timestamp

User Actions

Action             Description
----------------   ------------------------------
Invite User        Send invitation to new user
Edit User          Change global role, status
View Memberships   See user's teams and projects
Suspend User       Temporarily disable access
Assign to Team     Add user to a team


Common Scenarios

Scenario 1: Inviting a New User

Scenario 2: Promoting User to Org Admin

Scenario 3: Suspending a User

Scenario 4: User Leaves the Organization


Best Practices

Role Assignment

Practice                 Reason
----------------------   -------------------------
Start with member        Add privileges as needed
Few org_admins           2-3 per organization
Very few super_admins    Platform team only
Use team/project roles   More granular than global

Security

Practice                 Reason
----------------------   ----------------------------------------
Prompt offboarding       Suspend immediately when employees leave
Regular audits           Review user list quarterly
Monitor failed logins    Detect suspicious activity
Review org_admin grants  Ensure they're still needed


Troubleshooting

"Account is suspended"

Error: 403 Forbidden: Account is suspended. Please contact administrator.

Cause: User status is suspended or disabled.

Solution: Admin must change status to active in User Management.

"You are not authorized"

Error: 403 Forbidden: You are not authorized to access this resource

Cause: User doesn't exist in the system or isn't invited.

Solution: Admin must invite the user first.

"Insufficient permissions"

Error: 403 Forbidden: Insufficient permissions

Cause: User's effective role doesn't have the required permission.

Solution:

  1. Check what permission is needed

  2. Assign appropriate role at team or project level

  3. Or elevate global role if appropriate

"Invalid or expired token"

Error: 401 Unauthorized: Invalid or expired token

Cause: JWT has expired or is malformed.

Solution: User should re-login to get a fresh token.
