Appearance
Internal Users
The Internal Users page is for managing platform operators — Infra Ops, Account Managers, QA Admins, and Platform Admins. See Roles & Permissions for what each role can do.
List page
Toolbar
The search bar is token-aware. Type free text to search across name and email, or use any of these tokens:
status:active,status:invited,status:deactivated— multi-choice.role:infra_ops,role:account_manager,role:qa_admin,role:platform_admin— multi-choice.customer:<customer>— filter by granted customer. Autocomplete.instance:<instance>— filter by granted instance. Autocomplete.
Negation works too: !status:deactivated excludes deactivated users.
The placeholder shows an example: Search — try role:account_manager customer:Acme.
Columns
| Column | Notes |
|---|---|
| Name | Clickable link to user detail. |
| Roles | Comma-separated list. Truncates with full list on hover. |
| Scope | Compact chips with C: for customer grants and I: for instance grants. Up to two visible; a "+N more" popover shows the rest. |
| Status | Active / Invited / Deactivated. |
| Actions | Row-level icons. |
Row actions
| Action | Available when | Behaviour |
|---|---|---|
| Resend Invite (envelope) | Status is invited | Confirms and resends the welcome email. |
| Deactivate (power) | Status is active | Confirms and revokes access immediately. |
Creating a new user
Screenshot
Create user form (QA Admin selected): the profile fields, the role checkbox group with QA Admin checked, plus both Customer Scope and Instance Scope pickers visible.
Click Add User. The form has three sections.
Profile
- First name (required).
- Last name (optional).
- Email (required) — the invite email goes here. The user signs in via SSO and lands in the Console after accepting.
Roles
A checkbox group. Pick one or more. Picking Account Manager or QA Admin reveals the Customer Scope picker below. Picking QA Admin also reveals an Instance Scope picker.
Scope
- Customer Scope — appears for Account Manager / QA Admin. Pick the customers this user can read and operate on. An empty scope means no access — you must grant at least one customer.
- Instance Scope — appears for QA Admin. Pick the instances they can act on. Customer scope and instance scope are combined at query time.
Click Create user. An invite email is sent and the user appears in the list as invited.
User detail page
The detail page has read-only profile info and editable role and scope sections.
Profile (read-only)
- Roles summary.
- Last login (or "Never").
- Created date.
- IDP User ID (last 8 chars).
Roles (editable)
Same checkbox group as the create page. Edit locally then click Save (or Discard to revert). Scope sections respect the server-side role set — opening/closing scope pickers does not require saving the role change first.
Customer scope / Instance scope (editable)
Individual grant/revoke toggles. Changes apply immediately — there is no batched save here.
Notifications (read-only)
Grouped by category — Operations, Discrepancies, Billing, Infrastructure, General. Each row shows the event, a description, a "Required" tag (if compliance-enforced), and dots for in-app and email subscriptions.
This view is read-only — users manage their own subscriptions on their Account page.
Account actions
- Resend Invite — if the user is
invited. - Deactivate User — if the user is
active. The confirmation modal warns "They'll lose access immediately."
After deactivation the page returns to the list.
Notes
- Customer and instance dropdowns load lazily — they only fetch when you open them, keeping the list page snappy for operators who do not search by scope.
- Role edits are local until you click Save. Scope edits apply immediately.
- Reactivating a deactivated user is not a button on this page — you cannot "un-deactivate" by reopening the user. If a user needs to come back, recreate them.

