User-management actions require the
admins:manage_application_administrators permission. Every read and write
operation is limited to the organization in the authenticated session.Access model
| Layer | What it controls |
|---|---|
| Organization membership | Whether the user has an active, pending, or inactive membership. |
| Role | The default access profile assigned when the invitation is sent. |
| Owner permissions | Organization-level capabilities such as application, API key, report, and team administration. |
| Application assignments | The applications the member can access and the permissions available in each one. |
| Access expiry | An optional end time for temporary or external access. |
Roles
The current invitation model accepts two member roles:| Role | Default access |
|---|---|
| Application Administrator | Common, administrator, and auditor permission groups for assigned applications. |
| Application Auditor | Common and auditor permission groups for assigned applications. No administrator permissions are granted by default. |
Invite a member
Select a role
Choose Application Administrator or Application Auditor. The role is
applied when the invitation is created.
Define the application scope
Select the applications the member needs and configure the permission
groups for each assignment.
Set the access period
Use permanent access for continuing internal responsibilities or set an
expiry timestamp for temporary access. External reviewers should receive
time-limited access.
Permission groups
Permissions are grouped by responsibility and stored separately for each application assignment.| Group | Available permissions |
|---|---|
| Common | View the application activity log (logs:view_activity). |
| Administrator | Approve case creation and edit cases (cases:approve_creation, cases:edit). |
| Auditor | Create cases, withdraw pending requests, view report transactions, and create, list, or download reports. |
- create and read applications;
- view organization activity;
- manage application administrators;
- manage API keys;
- create, list, and download organization reports.
Assign organization-level owner permissions only when the member needs to
administer the organization itself. Application work should normally use
application-scoped assignments.
Review the team
The organization team list combines membership status with Arcane access metadata. It includes:- member name, email, organization, and role;
- membership and access status;
- organization-wide access indicator;
- assigned applications;
- permission groups;
- access expiry and last recorded activity.
Access statuses
| Status | Meaning |
|---|---|
Pending | The invitation has been sent, but the organization membership is not active yet. |
Active | The organization membership is active and the assigned access has not expired. |
Expiring Soon | Time-limited access expires within 30 days. The membership can still be active. |
Suspended | The organization membership is inactive and organization access is blocked. |
Expired | The configured access expiry has passed. Arcane treats the access as inactive. |
Review and change access
Open a member to review organization-level owner permissions and every application assignment. For an existing member, an authorized administrator can:- update organization-level owner permissions;
- add or update permissions for one application;
- remove access to one application without changing other assignments;
- update the same permission groups across existing application assignments;
- extend access that is already time-limited;
- suspend or reactivate the organization membership.
Only time-limited access can be extended. Permanent access has no expiry to
extend.
Suspend or reactivate a member
Suspension deactivates the organization membership and blocks access to the organization. It is broader than removing a single application assignment. The platform prevents an administrator from suspending their own membership. Use Reactivate Access to restore an inactive membership when access should resume. The platform does not expose a permanent member-deletion operation. Use suspension for organization-wide access removal and remove individual application assignments when only a narrower scope must be revoked.Audit history
The platform records the following user-management events:- member or external auditor invited;
- member suspended or reactivated;
- time-limited access extended;
- organization or application permissions updated.
Next steps
Application management
Create application boundaries before assigning application-scoped access.