Permission Hierarchy
Orchard uses a two-level permission system:
Organization Roles
| Role | Description | Permissions |
|---|---|---|
| Owner | Full organization control | All permissions, including deletion |
| Admin | Organization management | Manage members, settings, workspaces |
| Member | Basic membership | Access invited workspaces only |
Organization members must be explicitly invited to workspaces. Being an organization member doesn’t automatically grant workspace access (except for admins and owners).
Workspace Roles
| Role | Description | Permissions |
|---|---|---|
| Admin | Full workspace control | Manage members, all projects, settings |
| Editor | Active contributor | Create, modify, delete deployments |
| Viewer | Read-only access | View deployments, logs, and settings |
Inviting to an Organization
1. Navigate to your organization: Open the organization you want to manage.
2. Go to Members: Click on Members or Settings → Members.
3. Click 'Invite Member': Click the invite button.
4. Enter details:
   - Email: The person’s email address
   - Role: Choose Owner, Admin, or Member
5. Send invitation: Click Invite. They’ll receive an email with a link to join.
Invitation Expiry
Organization invitations expire after 7 days. If an invitation expires:
- Go to the pending invitations list
- Click Resend to send a new invitation
Pending Invitations
You can view and manage pending invitations:
- View pending: See all invitations that haven’t been accepted
- Resend: Send a new email for expired or missed invitations
- Cancel: Revoke an invitation before it’s accepted
Inviting to a Workspace
1. Navigate to your workspace: Open the workspace you want to manage.
2. Go to Members: Click on Members in the workspace settings.
3. Invite a member: Select an organization member or enter an email address.
4. Choose a role: Select Admin, Editor, or Viewer.
5. Send invitation: The member will be notified and can access the workspace immediately.
Accepting Invitations
From Email
1. Check your email: Open the invitation email from Orchard.
2. Click 'Accept Invitation': Click the link in the email.
3. Sign in or create account: If you don’t have an Orchard account, you’ll be prompted to create one.
4. Access granted: You’ll be redirected to the organization or workspace.
From Dashboard
If you’re already signed in and have pending invitations:
1. View pending invitations: A modal will appear showing your pending invitations when you log in.
2. Review invitation details: See who invited you and what role you’ll have.
3. Accept or decline: Click Accept to join or Decline to reject the invitation.
Managing Members
Changing Roles
To change a member’s role:
1. Go to Members: Open the organization or workspace member list.
2. Find the member: Locate the member whose role you want to change.
3. Update role: Click on their current role and select a new one.
Removing Members
To remove a member:
1. Go to Members: Open the organization or workspace member list.
2. Find the member: Locate the member you want to remove.
3. Remove: Click the remove button and confirm.
Removing a member from an organization also removes them from all workspaces in that organization.
Permission Details
What Each Role Can Do
Organization Owner:
- All admin permissions
- Delete the organization
- Transfer ownership
- Cannot be removed
Transfer Ownership
To transfer organization ownership:
1. Go to organization settings: Navigate to Settings → Danger Zone.
2. Transfer ownership: Click Transfer Ownership.
3. Select new owner: Choose an admin to become the new owner.
4. Confirm: Confirm the transfer. You’ll be demoted to admin.
Best Practices
Use least privilege
Give members the minimum role needed for their tasks. Start with Viewer and upgrade as needed.
Separate environments
Use different workspaces for production and staging. Give broader access to staging and restrict production.
Review access regularly
Periodically review member lists and remove people who no longer need access.
Use descriptive workspace names
Name workspaces clearly (Production, Staging, Development) so access decisions are obvious.
Document role assignments
Keep a record of why certain people have elevated access for audit purposes.
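An added example, not Orchard code or an Orchard API: an access-review script that applies the rules on this page (organization Owners and Admins reach workspaces without an invite, invitations expire after 7 days, elevated roles should have a recorded reason) to a constructed member export. The data layout, the `RESTRICTED` set and every name in it are assumptions.

```python
from datetime import date, timedelta

INVITE_TTL = timedelta(days=7)           # organization invitations expire after 7 days
IMPLICIT_ORG_ROLES = {"Owner", "Admin"}  # reach workspaces without a workspace invite
ELEVATED_WS_ROLES = {"Admin", "Editor"}  # anything above the Viewer starting point

# Constructed sample export; the field layout is an assumption, not an Orchard format.
ORG_MEMBERS = {"ana@example.com": "Owner", "bo@example.com": "Admin",
               "cy@example.com": "Member", "di@example.com": "Member"}
WORKSPACE_MEMBERS = {"Production": {"cy@example.com": "Editor", "di@example.com": "Admin"},
                     "Staging": {"di@example.com": "Editor"}}
PENDING_INVITES = [("ed@example.com", date(2024, 5, 1)), ("flo@example.com", date(2024, 5, 9))]
JUSTIFIED = {("ana@example.com", "org"), ("cy@example.com", "Production")}  # recorded reasons
RESTRICTED = {"Production"}  # workspaces where elevated roles need a recorded reason


def effective_access(email, workspace):
    """Return how a user reaches a workspace: 'implicit', a workspace role, or None."""
    if ORG_MEMBERS.get(email) in IMPLICIT_ORG_ROLES:
        return "implicit"
    if email not in ORG_MEMBERS:  # removed from the org means removed from all workspaces
        return None
    return WORKSPACE_MEMBERS.get(workspace, {}).get(email)


def review(today):
    """Collect findings for a periodic access review."""
    findings = []
    for email, role in sorted(ORG_MEMBERS.items()):
        if role in IMPLICIT_ORG_ROLES and (email, "org") not in JUSTIFIED:
            findings.append(f"{email}: org {role} reaches every workspace, no recorded reason")
    for ws in sorted(RESTRICTED):
        for email, role in sorted(WORKSPACE_MEMBERS.get(ws, {}).items()):
            if role in ELEVATED_WS_ROLES and (email, ws) not in JUSTIFIED:
                findings.append(f"{email}: {role} on {ws}, no recorded reason")
    for email, sent in PENDING_INVITES:
        if today - sent > INVITE_TTL:
            findings.append(f"{email}: invitation expired, cancel or resend")
    return findings


if __name__ == "__main__":
    for line in review(date(2024, 5, 10)):
        print(line)
```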
Email Notifications
Members receive email notifications for:
- Organization invitations
- Workspace invitations
- Role changes
- Removal from organization or workspace
Email notifications are sent automatically. Make sure members check their spam folder if they don’t receive invitations.
Troubleshooting
Invitation not received
If someone doesn’t receive their invitation:
- Check their spam folder
- Verify the email address is correct
- Resend the invitation from pending invitations
- Have them check pending invitations in their dashboard
Can't access workspace
If a member can’t access a workspace:
- Verify they’re invited to the specific workspace
- Check their workspace role
- Ensure they’ve accepted the organization invitation first
Can't remove owner
Organization owners cannot be removed. To change ownership:
- Have the owner transfer ownership to another admin
- Then the former owner can be removed or have their role changed