Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Gateway Tutorials
Console Tutorials
First Login SetupCreate ConfigurationTemplate LibraryDashboard CustomizationEvents InvestigationEscalation WorkflowTeam Access SetupGateway Key ManagementGit Integration SetupWebhook ConfigurationNotification ChannelsExport EvidenceKnowledge Base ConsoleSecurity SettingsAudit Log ReviewAgent RegistrationHistory SessionsGateway ActionsBilling PlansMy Usage DashboardWallets AllocationMulti Config ManagementConsole Keyboard Shortcuts
Chat Workbench Tutorials
CLI Reference
Policy Reference
FAQ

Tutorial: Setting Up Teams & Access Control

This tutorial walks you through creating teams, inviting members, assigning roles, scoping configurations to specific teams, and auditing member activity in the Keeptrusts management console.

Use this page when

  • You need to create teams and invite members to your Keeptrusts organization.
  • You want to assign roles (Admin, Editor, Viewer) to control what each member can do.
  • You need to scope policy configurations to specific teams.
  • You are auditing team membership or deactivating former employees.

Primary audience

  • Primary: Organization admins setting up RBAC and team structures
  • Secondary: Team leads managing their team’s membership; HR/IT staff onboarding and offboarding users

Prerequisites

  • Logged in to the Keeptrusts console (see First Login & Console Setup)
  • Admin role (team and member management requires admin permissions)

Step 1: Navigate to the Members Page

  1. Click Members in the left sidebar.
  2. The Members page displays two main sections:
    • Members tab — All organization members with their roles and team assignments
    • Teams tab — All teams with their member counts and scoped configurations

Members page

Step 2: Create a Team

Teams group members together for scoped access, cost tracking, and configuration assignment.

  1. Click the Teams tab on the Members page.
  2. Click the Create Team button.
  3. Fill in the team details:
    • Team Name — A descriptive name (e.g., "Engineering", "Data Science", "Compliance")
    • Description — Optional description of the team's purpose
  4. Click Create.

Create team dialog

The new team appears in the Teams table with zero members.

TeamPurposeTypical Role
EngineeringApplication development teams using LLMsEditor
Data ScienceML/AI teams with broad model accessEditor
CompliancePolicy reviewers and auditorsViewer + Escalation reviewer
SecuritySecurity team managing sensitive policiesAdmin
LeadershipExecutives needing dashboard visibilityViewer

Step 3: Invite New Members

  1. Switch to the Members tab.
  2. Click the Invite Member button.
  3. Fill in the invitation form:
    • Email Address — The member's email
    • Display Name — How they appear in the console
    • Role — Select the appropriate role (see role descriptions below)
    • Team — Assign to one or more teams
  4. Click Send Invitation.

Bulk invitations

For onboarding multiple members at once:

  1. Click Invite Member > Bulk Invite.
  2. Upload a CSV file with columns: email, display_name, role, team.
  3. Review the parsed entries in the preview table.
  4. Click Send All Invitations.

Bulk invite preview

Step 4: Understand and Assign Roles

Keeptrusts uses a role-based access control (RBAC) model with three built-in roles.

Role permissions matrix

PermissionAdminEditorViewer
View dashboard and eventsYesYesYes
View configurationsYesYesYes
Create/edit configurationsYesYesNo
Deploy configurationsYesYesNo
Manage templatesYesYesNo
Approve/deny escalationsYesYesNo
Export eventsYesYesYes
Manage members and teamsYesNoNo
Manage organization settingsYesNoNo
Manage access keysYesNoNo
Manage gateway keysYesNoNo
View audit logYesYesYes
Manage budgets and walletsYesNoNo

Change a member's role

  1. On the Members tab, find the member whose role you want to change.
  2. Click the role badge next to their name.
  3. Select the new role from the dropdown.
  4. Click Save.

A confirmation dialog appears showing the permissions that will be added or removed.

Assign a member to additional teams

  1. Click the member's row to open their profile panel.
  2. In the Teams section, click Add to Team.
  3. Select one or more teams from the dropdown.
  4. Click Save.

Members can belong to multiple teams. Their permissions apply across all assigned teams.

Step 5: Scope Configurations to Teams

Team-scoped configurations restrict which teams can deploy and use specific policy configurations.

  1. Navigate to Configurations in the left sidebar.
  2. Click a configuration to open its detail page.
  3. Click the Settings tab on the configuration detail page.
  4. In the Team Scope section, click Assign Teams.
  5. Select the teams that should have access to this configuration.
  6. Click Save.

Configuration team scope

How team scoping works

  • Unscoped configurations (default) — Visible and deployable by all members with Editor or Admin roles.
  • Team-scoped configurations — Only visible to members of the assigned teams. Admins can always see all configurations regardless of team scope.
  • Gateway binding — When a team-scoped configuration is deployed, the gateway enforces policies only for traffic from that team's consumer group.

Example team scoping

ConfigurationScoped TeamsRationale
finance-compliance-policyFinance, ComplianceStrict PCI-DSS rules only for finance team traffic
engineering-dev-policyEngineeringRelaxed policies for development and testing
global-safety-baseline(Unscoped)Baseline safety policies applied to all traffic

Step 6: Audit Member Activity

The audit log tracks all member actions in the console for compliance and security reviews.

Access the audit log

  1. Click Settings in the left sidebar.
  2. Navigate to the Audit Log tab.
  3. The audit log displays a chronological list of all console actions.

Audit log entries

Each entry includes:

FieldDescription
TimestampWhen the action occurred
ActorWhich member performed the action
ActionWhat they did (e.g., "Created configuration", "Approved escalation")
ResourceThe affected resource (configuration name, member email, etc.)
DetailsAdditional context (e.g., role changed from Viewer to Editor)
IP AddressThe actor's IP address

Filter the audit log

  1. By member — Select a specific member to see all their actions.
  2. By action type — Filter by categories:
    • Configuration changes
    • Member management
    • Escalation decisions
    • Settings changes
    • Authentication events
  3. By date range — Set the time window for the audit.

Audit log

Export the audit log

  1. Apply your desired filters.
  2. Click Export in the top-right corner.
  3. Select the format (CSV or PDF).
  4. The export is queued and a download link is provided when ready.

Step 7: Manage Team Membership Over Time

Remove a member from a team

  1. On the Teams tab, click a team to view its members.
  2. Click the X icon next to the member you want to remove.
  3. Confirm the removal.

The member retains their console account but loses access to team-scoped configurations and cost allocations.

Deactivate a member

  1. On the Members tab, click the member's row.
  2. Click Deactivate Account.
  3. Confirm the deactivation.

Deactivated members cannot log in but their historical actions remain in the audit log. Reactivation restores access with the same role and team assignments.

Transfer team ownership

  1. On the Teams tab, click the team.
  2. Click Team Settings.
  3. In the Team Lead section, select a new team lead.
  4. Click Save.

Expected Outcome

After completing this tutorial, you have:

  • Created teams with descriptive names and purposes
  • Invited individual and bulk members with appropriate roles
  • Understood the RBAC permission model (Admin, Editor, Viewer)
  • Scoped configurations to specific teams
  • Reviewed the audit log for member activity tracking
  • Managed team membership changes and member deactivation

Next steps

For AI systems

  • Canonical terms: Keeptrusts console, Members page, Teams tab, create team, invite member, roles (Admin/Editor/Viewer), team-scoped configuration, member deactivation, RBAC, SCIM.
  • Related features: cost center (team budget allocation), escalation routing (team-based), wallet allocation (team wallet).
  • Best next pages: Escalation Workflow, Create Configuration.

For engineers

  • Invite test: Send an invitation email, click the link in a private browser, and confirm the user lands on the console with the assigned role.
  • Role enforcement: Assign a Viewer role, then attempt to edit a configuration as that user and verify you receive a permission denied error.
  • Team scoping: Assign a configuration to a team and confirm members of other teams cannot see or modify it.
  • Deactivation: Deactivate a user and verify they receive a 401 on next login attempt.

For leaders

  • Least privilege: Role-based access ensures team members only see and modify resources relevant to their function.
  • Organizational mapping: Teams map to departments or projects, enabling per-team cost tracking, budget allocation, and configuration scoping.
  • Offboarding safety: Deactivating a user immediately revokes all console and API access, preventing orphaned credentials.