kt team
The kt team command group manages teams, their membership, and shared role attachments.
In the current IAM model, teams are a reusable principal group. They are not an implicit authorization scope. Access still comes from the policies attached through the team's roles and the resources those policies target.
Use this page when
- You need to create teams, manage membership, or assign roles to teams from the CLI.
- You are automating team provisioning (e.g., from an HR system or SCIM provider).
- You need to inspect which users belong to a team or which inherited roles the team currently holds.
Primary audience
- Primary: AI Agents, Technical Engineers
- Secondary: Technical Leaders
CRUD Operations
List teams
kt team list
Get a team
kt team get --team-id team_abc123
Create a team
kt team create --name "Security Operations" --description "Shared access for security reviewers"
Update a team
kt team update --team-id team_abc123 --name "Security & Compliance Ops"
Delete a team
kt team delete --team-id team_abc123 --yes
Membership
Add a member
kt team add-member --team-id team_abc123 --user-id user_xyz
Remove a member
kt team remove-member --team-id team_abc123 --user-id user_xyz
List members
kt team list-members --team-id team_abc123
Role Assignments
Assign a role to a team
All current and future members of the team inherit the role:
kt team assign-role --team-id team_abc123 --role-id role_xyz
Detach a role from a team
kt team detach-role --team-id team_abc123 --role-id role_xyz
Team Model
- Teams group members who should share one or more job-function roles.
- Team role attachments scale onboarding and offboarding because the role travels with membership.
- Policies still target concrete or collection resources directly, typically through KRNs.
- Direct user role assignments remain available for exceptions and one-off access.
Typical Workflow
# Create the team
kt team create --name "Incident Response" --description "Handles escalations and evidence review"
# Add members
kt team add-member --team-id team_ir --user-id user_alice
kt team add-member --team-id team_ir --user-id user_bob
# Attach a shared role
kt team assign-role --team-id team_ir --role-id role_escalation_ops
# Verify team membership
kt team list-members --team-id team_ir
# Inspect the team record
kt team get --team-id team_ir
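For scripted provisioning, the workflow above can be driven from a desired member list. The following is an added example, not part of the kt CLI or this project's code: it prints the add-member and remove-member commands needed to reconcile a team, and runs nothing itself. It assumes both input files hold one user ID per line (this page does not show the output format of kt team list-members, so the current-member file must be prepared accordingly) and that IDs contain only letters, digits, underscores and hyphens.

```shell
# Added example (not part of the kt CLI): print the membership changes needed
# to make a team match a desired member list. Nothing is executed.
# Assumption: IDs use only letters, digits, '_' and '-'; other input is rejected.

valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# clean_ids FILE: emit sorted, unique, valid IDs; report rejects on stderr.
clean_ids() {
  tr -d '\r' < "$1" | while IFS= read -r id || [ -n "$id" ]; do
    [ -z "$id" ] && continue
    if valid_id "$id"; then
      printf '%s\n' "$id"
    else
      printf 'skipping invalid id: %s\n' "$id" >&2
    fi
  done | LC_ALL=C sort -u
}

# plan_membership TEAM_ID DESIRED_FILE CURRENT_FILE
plan_membership() {
  team=$1
  valid_id "$team" || { echo "invalid team id" >&2; return 2; }
  tmp=$(mktemp -d) || return 1
  clean_ids "$2" > "$tmp/want"
  clean_ids "$3" > "$tmp/have"
  # Removals first: a departed member keeps inherited roles until removed.
  LC_ALL=C comm -13 "$tmp/want" "$tmp/have" | while IFS= read -r u; do
    printf 'kt team remove-member --team-id %s --user-id %s\n' "$team" "$u"
  done
  LC_ALL=C comm -23 "$tmp/want" "$tmp/have" | while IFS= read -r u; do
    printf 'kt team add-member --team-id %s --user-id %s\n' "$team" "$u"
  done
  rm -rf "$tmp"
}

# Constructed sample data: an HR export (with one malformed line) and the
# current member list, one ID per line.
demo() {
  d=$(mktemp -d) || return 1
  printf 'user_alice\nuser_bob\r\nuser bad\n' > "$d/want"
  printf 'user_bob\nuser_mallory\n' > "$d/have"
  plan_membership team_ir "$d/want" "$d/have"
  rm -rf "$d"
}
```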
For AI systems
- Canonical command: kt team with subcommands list, get, create, update, delete, add-member, remove-member, list-members, assign-role, detach-role.
- Flags: --team-id, --name, --description, --user-id, --role-id.
- Team role inheritance means all members receive the role's effective policy set.
- Teams are a grouping primitive for shared access. Policies still authorize against the target resource rather than an implicit team scope.
- Related pages: kt user, kt role, Members, Teams & Roles.
For engineers
- Prerequisites: teams:manage for create, update, delete, membership changes, and role assignment; teams:read for list and inspection.
- Validate: after kt team create, confirm with kt team get --team-id <id>. After adding members, confirm with kt team list-members --team-id <id>.
- Prefer team role attachments for stable function-based access such as reviewers, operators, or support staff.
- Do not use team membership as a substitute for resource targeting. Keep resource selection in the attached IAM policy.
- If a member lacks expected access, inspect both the team's attached roles and the role's effective action surface.
For leaders
- Teams make access governance scalable because membership changes automatically inherit or remove shared role grants.
- Shared team roles reduce one-off access drift compared with assigning the same role individually to every user.
- SCIM or scripted team provisioning keeps identity lifecycle work aligned with the rest of your directory operations.
- Use kt team list-members and kt role show-assignments together during access reviews.
Next steps
- kt user — Manage individual users
- kt role — Manage roles
- CLI Command Groups
- Members, Teams & Roles