User management - Temporal Cloud feature guide

caution

Access to Temporal Cloud can be authorized via Google OAuth single sign-on, Microsoft single sign-on, or SAML, depending on your setup.

If you are using Google OAuth for single sign-on and an email address is not associated with a Google Account, the user must follow the instructions in the "Use an existing email address" section of "Create a Google Account".

Important: Do not create a Gmail account when creating a Google Account.

If your organization uses Google Workspace or Microsoft Entra ID, and your IT administrator has enabled controls over single sign-on permissions, then you will need to work with your IT administrator to allow logins to Temporal Cloud.

When a user is created in Temporal Cloud, they receive an email invitation containing a link. They must use this link to finalize their setup and access Temporal Cloud. Accounts with SAML configurations can ignore this email. However, those using Google or Microsoft for SSO authentication need to follow the email link for their initial login to Temporal Cloud.

info

To invite users, a user must have the Global Admin or Account Owner account-level role.

Roles and permissions

Each user in Temporal Cloud is assigned a role. Each user can be assigned permissions for individual Namespaces.

To invite users using the Temporal Cloud UI:

  1. In Temporal Web UI, select Settings in the left portion of the window.
  2. On the Settings page, select Create Users in the upper-right portion of the window.
  3. On the Create Users page in the Email Addresses box, type or paste one or more email addresses.
  4. In Account-Level Role, select a Role. The Role applies to all users whose email addresses appear in Email Addresses.
  5. If the account has any Namespaces, they are listed under Grant access to Namespaces. To add a permission, select the checkbox next to a Namespace, and then select a permission. Repeat as needed.
  6. When all permissions are assigned, select Send Invite.

Temporal sends an email message to each user. To join Temporal Cloud, a user must select Accept Invite in the message.