Skip to content

Internal Users

The Internal Users page is for managing platform operators — Infra Ops, Account Managers, QA Admins, and Platform Admins. See Roles & Permissions for what each role can do.

List page

Toolbar

The search bar is token-aware. Type free text to search across name and email, or use any of these tokens:

  • status:active, status:invited, status:deactivated — multi-choice.
  • role:infra_ops, role:account_manager, role:qa_admin, role:platform_admin — multi-choice.
  • customer:<customer> — filter by granted customer. Autocomplete.
  • instance:<instance> — filter by granted instance. Autocomplete.

Negation works too: !status:deactivated excludes deactivated users.

The placeholder shows an example: Search — try role:account_manager customer:Acme.

Columns

ColumnNotes
NameClickable link to user detail.
Email
RolesComma-separated list. Truncates with full list on hover.
ScopeCompact chips with C: for customer grants and I: for instance grants. Up to two visible; a "+N more" popover shows the rest.
StatusActive / Invited / Deactivated.
ActionsRow-level icons.

Row actions

ActionAvailable whenBehaviour
Resend Invite (envelope)Status is invitedConfirms and resends the welcome email.
Deactivate (power)Status is activeConfirms and revokes access immediately.

Creating a new user

Screenshot

Create user form (QA Admin selected): the profile fields, the role checkbox group with QA Admin checked, plus both Customer Scope and Instance Scope pickers visible.

Click Add User. The form has three sections.

Profile

  • First name (required).
  • Last name (optional).
  • Email (required) — the invite email goes here. The user signs in via SSO and lands in the Console after accepting.

Roles

A checkbox group. Pick one or more. Picking Account Manager or QA Admin reveals the Customer Scope picker below. Picking QA Admin also reveals an Instance Scope picker.

Scope

  • Customer Scope — appears for Account Manager / QA Admin. Pick the customers this user can read and operate on. An empty scope means no access — you must grant at least one customer.
  • Instance Scope — appears for QA Admin. Pick the instances they can act on. Customer scope and instance scope are combined at query time.

Click Create user. An invite email is sent and the user appears in the list as invited.

User detail page

The detail page has read-only profile info and editable role and scope sections.

Profile (read-only)

  • Roles summary.
  • Last login (or "Never").
  • Created date.
  • IDP User ID (last 8 chars).

Roles (editable)

Same checkbox group as the create page. Edit locally then click Save (or Discard to revert). Scope sections respect the server-side role set — opening/closing scope pickers does not require saving the role change first.

Customer scope / Instance scope (editable)

Individual grant/revoke toggles. Changes apply immediately — there is no batched save here.

Notifications (read-only)

Grouped by category — Operations, Discrepancies, Billing, Infrastructure, General. Each row shows the event, a description, a "Required" tag (if compliance-enforced), and dots for in-app and email subscriptions.

This view is read-only — users manage their own subscriptions on their Account page.

Account actions

  • Resend Invite — if the user is invited.
  • Deactivate User — if the user is active. The confirmation modal warns "They'll lose access immediately."

After deactivation the page returns to the list.

Notes

  • Customer and instance dropdowns load lazily — they only fetch when you open them, keeping the list page snappy for operators who do not search by scope.
  • Role edits are local until you click Save. Scope edits apply immediately.
  • Reactivating a deactivated user is not a button on this page — you cannot "un-deactivate" by reopening the user. If a user needs to come back, recreate them.