Team Management
Collaborate effectively with your team while maintaining strict security controls through role-based access and automated workflows. Noorle's team management system enables organizations to work together seamlessly on AI-powered projects, manage access to resources, and automate workflows with service accounts — all within a secure, isolated environment.
Core Concepts
Principals
Noorle uses a unified Principal system to represent all identities that can access an account:
- User (Person/Human): Team members who access via the console.
- ServicePrincipal (Machine): Service accounts for programmatic/API access.
Accounts
- Each account represents an organization or team.
- Currently, each user can only belong to one account.
- Future roadmap: support for multi-tenancy (users belonging to multiple accounts).
Roles and Permissions
Each principal in an account is assigned one of four roles. Roles define baseline permissions:
- Owner – Full account control, including managing users, service accounts, and resources.
- Admin – Can manage users and resources, but does not have billing control.
- Member – Standard access to use resources. Cannot delete critical resources.
- Restricted – Limited access. Useful for temporarily disabling access without deleting the principal.
Roles vs. Capabilities
Capability | Owner | Admin | Member | Restricted |
---|---|---|---|---|
Manage billing | ✅ | ❌ | ❌ | ❌ |
Manage users (invite, edit, deactivate) | ✅ | ✅ | ❌ | ❌ |
Manage service accounts | ✅ | ✅ | ❌ | ❌ |
Access resources (read/write) | ✅ | ✅ | ✅ | ❌ |
Delete critical resources | ✅ | ✅ | ❌ | ❌ |
Temporary account disable | N/A | N/A | N/A | ✅ (disabled) |
Adding Team Members
Manual User Creation
Account administrators can add team members manually through the settings interface:
- Navigate to Account Settings → Users.
- Click "Invite User."
- Enter the user details such as Name, Email, and Role.
- Optionally, send a welcome email with sign-in instructions.
Onboarding Process
The onboarding flow ensures secure access control:
- Admin Creates User – Account admin creates the profile in the account.
- Welcome Email (optional) – User receives a link with sign-in instructions.
- Account Membership – User becomes an active member with their assigned role.
Service Account Management
- Create and manage service principals for API/programmatic access.
- Assign baseline roles.
- Grant fine-grained permissions using AccessGrants for resource-level control.
Permissions Enforcement
Authorization is enforced through two layers:
- Role-Based Access Control (RBAC): Defines baseline permissions for all principals.
- AccessGrants (Service Accounts only): Add resource-level, fine-grained permissions.
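The two layers can be modelled as one decision function that reports which layer decided each request. This is an added example, not Noorle's code or API: the capability key names, the `Principal` class, the `(resource, capability)` grant shape and the sample principals are assumptions, as is the rule that a Restricted role overrides any AccessGrant.

```python
from dataclasses import dataclass

# Baseline capabilities per role, transcribed from the "Roles vs. Capabilities"
# table. The capability key names are illustrative, not Noorle identifiers.
ROLE_CAPS = {
    "Owner": {"manage_billing", "manage_users", "manage_service_accounts",
              "access_resources", "delete_critical"},
    "Admin": {"manage_users", "manage_service_accounts",
              "access_resources", "delete_critical"},
    "Member": {"access_resources"},
    "Restricted": set(),
}

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                        # "User" or "ServicePrincipal"
    role: str
    grants: frozenset = frozenset()  # {(resource, capability)}: hypothetical AccessGrant shape

def authorize(p, capability, resource=None):
    """Return (allowed, deciding_layer) for one request."""
    caps = ROLE_CAPS.get(p.role)
    if caps is None:
        return False, "unknown-role"   # fail closed on an unexpected role
    if p.role == "Restricted":
        return False, "restricted"     # assumption: overrides grants too
    if capability in caps:
        return True, "rbac"            # layer 1: baseline role
    if p.kind == "ServicePrincipal" and (resource, capability) in p.grants:
        return True, "access-grant"    # layer 2: service accounts only
    return False, "denied"

# Constructed sample principals.
ci_bot = Principal("ci-bot", "ServicePrincipal", "Member",
                   frozenset({("project-a", "delete_critical")}))
alice = Principal("alice", "User", "Member",
                  frozenset({("project-a", "delete_critical")}))
parked = Principal("old-bot", "ServicePrincipal", "Restricted", ci_bot.grants)

if __name__ == "__main__":
    for p in (ci_bot, alice, parked):
        for res in ("project-a", "project-b"):
            print(p.name, res, authorize(p, "delete_critical", res))
```

Recording the deciding layer alongside the allow/deny result makes it easier to see in an access review which permissions come from a role and which from an individual grant.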
Next Steps
- Service Accounts - Set up programmatic access
- API Keys - Manage authentication tokens
- MCP Gateway - Configure your gateway