Groundfloor Docs

Members & Roles

Add, view, and revoke members at account or workspace scope with ReBAC roles.

Members & Roles controls who can access your account and workspaces. Permissions are enforced by SpiceDB ReBAC — roles map to actions like read, write, administer, and manage_members.

Pillar #4 · Roles & Permissions · ✅ Live

Who can access

| Action | Required permission |
|---|---|
| View members | read on the scope |
| Add a member | manage_members on the scope |
| Revoke a member | manage_members on the scope |

Prerequisites

  • Signed in with access to at least one account or workspace
  • manage_members on the scope where you want to add or remove people

Available roles

| Role | Typical use | Account | Workspace |
|---|---|---|---|
| Owner | Full control | | |
| Admin | Manage resources and members | | |
| Writer | Read + write data, no admin | | |
| Member | Read-only member | | |
| Partner | Read-only external collaborator | | |
| Billing admin | Billing visibility | | |

Actual permissions are enforced per-action (read, write, delete, ddl, deploy, manage_members, view_billing) — not by role name alone.

View members

Open Members & Roles

In the sidebar under Administer, click Members & Roles.

Choose a scope

Use the Scope selector to pick Account or Workspace, then select the specific account or workspace from the dropdown.

Review the table

The table shows each member's User ID, Email, Role, and Added date.

Add a member

Click Add member

With the correct scope selected, click Add member.

Enter user ID and role

Provide the user's Portal user ID (taken from the Keycloak sub claim or from the Settings page) and select a role. At account scope, the billing admin role is also available.

Confirm

The new member appears in the table and gains ReBAC permissions immediately.

Email-based invite flows are operator-driven in production (POST /v1/admin/accounts with owner email). The portal add-member flow uses an existing user ID.

Revoke a member

Click the Remove (trash) icon on a member row. Confirm in the dialog. Revocation is immediate and audited.

Troubleshooting

| Problem | Likely cause | What to do |
|---|---|---|
| Add member button missing | No manage_members | Ask an owner or admin |
| User not found | User hasn't signed in yet | User must exist in Keycloak; operator can pre-provision |
| Member still has access after revoke | SpiceDB eventual consistency | Wait a few seconds; check Activity Log |

  • GET /v1/scopes/{scope_type}/{scope_id}/members — list members
  • POST /v1/scopes/{scope_type}/{scope_id}/members — add member
  • DELETE /v1/memberships/{membership_id} — revoke
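
Added example (not Groundfloor's own code): a revoke that then polls the member list until the membership is gone, with a bounded wait for the eventual-consistency window noted under Troubleshooting. Bearer-token auth, a JSON list response whose items carry a membership_id field, and the workspace path value are assumptions; FakeApi and its data are constructed.

```python
import json
import time
import urllib.request

def api(base_url, token, method, path):
    """Real transport. Bearer-token auth and JSON bodies are assumptions."""
    req = urllib.request.Request(base_url + path, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def revoke_and_verify(call, scope_type, scope_id, membership_id,
                      timeout_s=30.0, interval_s=2.0, sleep=time.sleep):
    """Revoke, then poll the member list until the membership is gone.

    call(method, path) sends one request and returns the parsed JSON.
    Returns seconds waited; raises TimeoutError if still listed at timeout_s.
    """
    call("DELETE", f"/v1/memberships/{membership_id}")
    waited = 0.0
    while True:
        members = call("GET", f"/v1/scopes/{scope_type}/{scope_id}/members")
        # Assumed shape: a JSON list of objects carrying "membership_id".
        if all(m.get("membership_id") != membership_id for m in members):
            return waited
        if waited >= timeout_s:
            raise TimeoutError(f"{membership_id} still listed after {waited:.0f}s")
        sleep(interval_s)
        waited += interval_s

class FakeApi:
    """Constructed stand-in: a revoked member stays listed for `lag` reads."""
    def __init__(self, members, lag):
        self.members, self.lag, self.revoked, self.calls = members, lag, None, []

    def __call__(self, method, path):
        self.calls.append((method, path))
        if method == "DELETE":
            self.revoked = path.rsplit("/", 1)[1]
            return None
        if self.lag > 0:
            self.lag -= 1
            return self.members
        return [m for m in self.members if m["membership_id"] != self.revoked]

if __name__ == "__main__":
    # Constructed sample data; against a real deployment pass
    # functools.partial(api, base_url, token) as `call` instead.
    fake = FakeApi([{"membership_id": "m-1"}, {"membership_id": "m-2"}], lag=2)
    print(revoke_and_verify(fake, "workspace", "ws-demo", "m-2", sleep=lambda s: None))
```

A TimeoutError here is the point to stop waiting and check the Activity Log.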

See Core concepts for the ReBAC action vocabulary.
