kt user
The kt user command group manages platform users including invitations, lifecycle operations, and direct role attachments.
Use direct user role attachments when access is intentionally exceptional or temporary. Shared access should normally be granted through team role attachments.
Use this page when
- You need to invite, suspend, reactivate, or remove users from the CLI.
- You are automating user lifecycle management (onboarding/offboarding scripts).
- You need to assign or detach roles from individual users outside the team-based default path.
Primary audience
- Primary: AI Agents, Technical Engineers
- Secondary: Technical Leaders
User Inventory
List users
kt user list
Get a user
kt user get --user-id user_abc123
Invitations
Invite a user
kt user invite --email newuser@example.com --role-id role_viewer
Update user details
kt user update --user-id user_abc123 --name "Jane Smith"
Lifecycle Management
Suspend a user
Immediately revoke a user's access:
kt user suspend --user-id user_abc123 --yes
Reactivate a suspended user
kt user reactivate --user-id user_abc123
Remove organization membership
kt user remove-membership --user-id user_abc123 --yes
Role Assignments
Assign a role to a user
kt user assign-role --user-id user_abc123 --role-id role_xyz
Detach a role from a user
kt user detach-role --user-id user_abc123 --role-id role_xyz
User Model
- A user record tracks the member lifecycle inside the organization.
- Direct role attachments are explicit exception grants.
- Team membership remains the preferred way to inherit shared access.
- Suspending or removing membership cuts off access without waiting for external directory propagation.
Typical Workflow
# Invite a new reviewer with a baseline role
kt user invite --email reviewer@example.com --role-id role_reviewer
# Grant a temporary exception role
kt user assign-role --user-id user_abc123 --role-id role_exporter
# Inspect the member record
kt user get --user-id user_abc123
# Revoke access immediately during offboarding
kt user suspend --user-id user_abc123 --yes
For AI systems
- Canonical command:
kt userwith subcommandslist,get,invite,update,suspend,reactivate,remove-membership,assign-role,detach-role. - Flags:
--user-id,--email,--name,--org-role,--role-id. - Lifecycle states: active → suspended (revokes access immediately) → reactivated, or removed (membership deleted).
- Invitations require an initial
--role-idin the current CLI surface. - Direct user role attachments are explicit overrides, not the preferred shared-access model.
- Related pages: kt role, kt team, Members, Teams & Roles.
For engineers
- Prerequisites:
users:invitefor invitations,users:managefor lifecycle changes,roles:assignfor direct role grants, andusers:readfor inspection. - Validate: after
kt user invite --email <email> --role-id <role-id>, confirm the member appears in a pending state withkt user list. - Suspend:
kt user suspend --user-id <id> --yesrevokes access immediately and is the right response for offboarding or a live incident. - Use direct user role attachments for exceptions only. If many users need the same grant, move that access to a team role attachment instead.
- If a user can do more than expected, inspect both direct role attachments and every team the user belongs to.
For leaders
- User lifecycle automation gives security and IT teams a fast way to onboard, suspend, reactivate, or remove access.
- Direct user role attachments should stay rare. Team-based inheritance scales better and is easier to review.
- Invitation plus baseline role assignment gives new members a controlled starting point before any extra grants are layered on.
- Regular reviews of pending, suspended, and directly elevated users help catch stale access early.
Next steps
- kt role — Manage roles
- kt team — Manage teams and team membership
- CLI Command Groups
- Members, Teams & Roles