Every person who needs access to your Compartment organization must be invited and assigned a role. Roles determine what a user can see and do. Compartment provides four built-in roles that cover the most common access patterns, from full administrative control down to read-only visibility.

Roles and permissions

Role | What they can do
admin | Full access: manage users, configure SSO, change organization settings, deploy and manage all projects
deployer | Deploy and manage projects and services; cannot manage users, SSO, or organization settings
readonly | View projects and deployments; cannot see sensitive variable values or make changes
viewer | Read-only access with a narrower scope than readonly

Roles are hierarchical. admin has all the permissions of deployer, which has all the permissions of readonly, and so on. You cannot grant a subset of permissions within a role.

Choosing a role

Assign admin to organization owners and platform engineers who need to:
  • invite and remove users
  • configure SSO providers
  • change organization-level settings
  • manage all projects and deployments
compartment role grant user@example.com admin

Invite a user

1. Run the invite command

Provide the user’s email address and the role you want to assign:
compartment user invite <email> --role <role>
For example, to invite a deployer:
compartment user invite deploy@example.com --role deployer
2. Share the activation URL

If the email address is not already associated with a Compartment account, the CLI prints an activation URL:
Invited deploy@example.com as deployer.
Activation URL: https://your-compartment-host/activate?token=...
Invitation expires at: 2026-05-01T12:00:00Z
Send this URL to the new user. They must complete activation before they can log in. If the user already has an account, no activation URL is generated and they gain access immediately.
Activation URLs are single-use and time-limited. If the invitation expires before the user activates their account, remove the user and invite them again to generate a fresh URL.

List users

To see all members of your current organization and their status:
compartment user list
Each row shows the user’s email address, role, and status. A user’s status is either active (they have logged in at least once) or invited (they have not yet activated their account).
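An access review over this listing, as an added example that is not part of the Compartment documentation or CLI. The row layout (whitespace-separated email, role and status, with an optional header line), the finding labels and the two-active-admin threshold are assumptions of the example, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: periodic access review over `compartment user list` output.
# ASSUMPTION: rows are "email role status", whitespace-separated, optionally
# preceded by a header line. Adjust the field numbers to the real layout.

# review_users: read a listing on stdin, print one finding per line.
#   UNKNOWN_ROLE <email> <role>   role is not one of the four built-in roles
#   PENDING <email> <role>        invited but never activated
#   FEW_ACTIVE_ADMINS <n>         fewer than two admins have ever logged in
#   ADMINS <email>...             everyone holding admin, for manual review
review_users() {
    awk '
        # Skip blank lines and the header: the first field must be an email.
        NF < 3 || $1 !~ /@/ { next }
        {
            role = $2; status = $3
            if (role !~ /^(admin|deployer|readonly|viewer)$/)
                print "UNKNOWN_ROLE", $1, role
            if (status == "invited")
                print "PENDING", $1, role
            if (role == "admin") {
                admins = admins " " $1
                if (status == "active") active_admins++
            }
        }
        END {
            # Threshold of two is this example policy: a lone active admin
            # cannot be removed and is a lockout risk if the account is lost.
            if (active_admins + 0 < 2)
                print "FEW_ACTIVE_ADMINS", active_admins + 0
            if (admins != "")
                print "ADMINS" admins
        }
    '
}

# Constructed sample listing (not real CLI output).
sample_listing() {
    cat <<'EOF'
EMAIL ROLE STATUS
owner@example.com admin active
ops@example.com admin invited
deploy@example.com deployer active
audit@example.com readonly invited
EOF
}

# Live use would be: compartment user list | review_users
sample_listing | review_users
```
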

Grant or change a role

To update a user’s role after they have been invited:
compartment role grant <email> <role>
For example, to promote a readonly user to deployer:
compartment role grant user@example.com deployer
You can only grant roles up to your own permission level. A deployer cannot grant the admin role.

Remove a user

To revoke a user’s access to the current organization:
compartment user remove <email>
For example:
compartment user remove former-colleague@example.com
Removing a user is immediate. They lose access to all projects and resources in the organization.
You cannot remove the last admin of an organization. Ensure at least one other admin exists before removing your own access.