Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
Console OverviewPlans and StorageOverview DashboardAuthentication FlowsConfigurationsTemplates and Policy WorkflowsEventsHistory and SessionsEscalationsAgentsConnectorsKnowledge BaseKnowledge LifecycleExportsCost and SpendWalletsMy UsageGateways and ActionsGateway KeysNotificationsWebhooksAudit LogVersioned RolloutMembers, Teams, and RolesSecurity SettingsBilling and PlansSettings and Gateway Config
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
FAQ

Members, Teams, and Roles

The console provides the main IAM surface for managing who can do what within your Keeptrusts organization.

Keeptrusts now models access as:

  • versioned policies that define reusable statements,
  • roles that hold those policies,
  • teams that share role attachments across many members, and
  • members that carry lifecycle state and optional direct exception grants.

Use this page when

  • You need to invite users, create teams, or assign roles in your Keeptrusts organization.
  • You need to create custom IAM policies with explicit actions, KRN resources, and conditions.
  • You want to verify effective permissions before or after a role assignment.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Members

Settings → Members is where you manage individual user accounts.

Invite members

  1. Go to Settings → Members
  2. Click Invite Member
  3. Enter the email address
  4. Assign the starting role or organization role for the invitee

Invited users receive an email with a registration link.

Member lifecycle

ActionDescription
InviteSend a registration invitation
Assign roleGrant a direct exception role to the member
Remove roleRevoke a direct role grant from the member
SuspendImmediately revoke all access
ReactivateRestore access for a suspended member
RemoveRemove the member from the organization

The Members page also shows MFA posture so operators can see total MFA coverage and which active admins are still missing MFA.

Teams

Settings → Teams organizes members into reusable groups that share role attachments.

Teams are useful for job-function access. They are not the hidden source of authorization. The actual access decision still comes from the policies attached through the team's roles.

Team features

  • Create and manage teams with descriptive names and slugs
  • Add and remove team members
  • Assign roles at the team level so all members inherit the role
  • View team overview with member count and inherited role summary
  • Keep operational team settings separate from IAM policy evaluation

Team detail

The team detail view includes:

TabContent
OverviewTeam metadata, member count, inherited roles
MembersMember list with add/remove
SettingsTeam configuration and deletion
Operational settingsTeam-level operational overrides that do not replace IAM policy evaluation

Roles

Settings → Roles defines reusable containers for IAM policies.

Creating a role

  1. Go to Settings → Roles
  2. Click New Role
  3. Name the role and add a description
  4. Attach policies after creation to give the role an effective permission surface

Role detail

Each role detail page shows:

  • Role metadata (name, description, ID)
  • Attached IAM policies
  • Effective permissions for the current attached policy set
  • Current assignments across users, teams, and tokens
  • Audit history for role changes

Effective permissions

The effective-permissions view is the fastest way to verify what a role currently allows or denies after policy attachments and policy-version changes.

IAM Policies

Settings → Policies manages the reusable statements attached to roles.

Policy structure

Each IAM policy contains statements with:

  • Actions: what operations are allowed or denied (for example events:read, roles:assign)
  • Effect: allow or deny
  • Resources: KRN resource targets such as krn:keeptrusts:governance:{org_id}:event/*
  • Conditions: optional constraints such as MFA-required checks

Policy statement edits publish a new default version rather than mutating the previous version in place.

Creating a policy

The policy creation flow includes a statement editor for building reusable access documents visually.

Permission Inspection

Use the role detail page when you need to answer any of these questions:

  • What actions does this role currently allow?
  • Which policy created this permission?
  • Which users, teams, or tokens currently hold this role?
  • Who changed this role or policy last?

CLI equivalents

All identity management operations are available through the CLI:

# Users
kt user invite --email new@example.com --role-id role_viewer
kt user assign-role --user-id user_abc --role-id role_xyz

# Teams
kt team create --name "Security Ops" --description "Shared access for security reviewers"
kt team add-member --team-id team_abc --user-id user_xyz
kt team assign-role --team-id team_abc --role-id role_xyz

# Roles
kt role create --name "Policy Admin"
kt role attach-policy --role-id role_abc --policy-id policy_xyz
kt role show-actions --role-id role_abc

# IAM Policies
kt iam policy create --name "Read Events" \
  --action events:read \
  --resource 'krn:keeptrusts:governance:{org_id}:event/*'

For AI systems

  • Canonical terms: Keeptrusts members, teams, roles, IAM policies, KRN resources, effective permissions.
  • Console surfaces: Settings → Members, Settings → Teams, Settings → Roles, Settings → Policies.
  • CLI commands: kt user invite, kt user assign-role, kt team create, kt team add-member, kt team assign-role, kt role create, kt role attach-policy, kt role show-actions, kt iam policy create.
  • Related pages: Security Settings, Audit Log, Onboarding Flows.

For engineers

  • After inviting a user, verify they received the registration email and can sign in.
  • After assigning or editing a role, check the effective permissions view to confirm the role grants only intended access.
  • Use kt user assign-role and kt team assign-role for scripted onboarding, but prefer team-level grants for repeatable access.
  • IAM policy statements support allow and deny effects. Explicit deny still wins.
  • Prerequisite: you need the corresponding read, manage, or assign permissions to work on each surface.

For leaders

  • Define team structures early so shared roles follow recognizable business functions.
  • Versioned policies and effective-permission inspection make access reviews easier to audit and explain.
  • Suspended members lose all access immediately without needing role revocation.
  • Name roles after business functions such as "Policy Approver" or "Evidence Exporter" rather than technical implementation details.

Next steps