Teams and Access
Teams and Access
Collaboration Without Chaos
Great platforms are built by teams, not individuals. Planton Cloud's team and access management features let you invite colleagues, organize them into teams, and control who can do what—all without the complexity of traditional IAM systems.
The Collaboration Promise: Add team members in seconds, organize them into teams, and let the platform handle the permissions. No more sharing credentials or wondering who has access to what.
Understanding Access Control
The Access Model
Planton Cloud uses a simple but powerful access model:
graph TD
A[Organization Owner] --> B[Organization]
B --> C[Members]
B --> D[Teams]
C --> E[Direct Permissions]
D --> F[Team Permissions]
E --> G[Resources]
F --> G[Resources]
style A fill:#4CAF50,stroke:#333,stroke-width:2px
style D fill:#2196F3,stroke:#333,stroke-width:2px
Key concepts:
- Organization Owner: The person who created the organization (super admin)
- Members: Individual users invited to the organization
- Teams: Groups of members with shared permissions
- Roles: Permission sets (Owner, Admin, Member, Viewer)
Inviting Team Members
Step 1: Navigate to Members
- Click "Members" in the sidebar
- See current members and their roles
- View pending invitations
Screenshot Placeholder: Members page showing current members list
Step 2: Invite New Members
-
Click "Invite Members" button
-
Enter invitation details:
- Email: The invitee's email address
- Role: Choose their initial role
-
Click "Send Invitation"
Screenshot Placeholder: Invite member form with email and role selection
Step 3: Invitation Process
What happens next:
- Email Sent: Invitee receives an email invitation
- Accept Flow:
- If they have an account: Join organization directly
- If new user: Create account first, then join
- Access Granted: Based on assigned role
Managing Invitations
Pending invitations show:
- Invitee email
- Invited by
- Date sent
- Status
- Actions (resend, cancel)
Copy invitation link: Share directly if email issues
Screenshot Placeholder: Pending invitations list with actions
Understanding Roles
Organization-Level Roles
Owner
Who: Organization creator (usually one person)
Permissions:
- Full control over everything
- Manage billing and subscriptions
- Delete organization
- Transfer ownership
- All admin permissions
Best practice: Keep owner role limited to founders/executives
Admin
Who: Senior team members, DevOps leads
Permissions:
- Invite/remove members
- Create/delete environments
- Manage all resources
- Configure organization settings
- Cannot delete organization or change billing
Best practice: For team leads and senior engineers
Member
Who: Regular developers and engineers
Permissions:
- Create and manage resources
- Deploy infrastructure and services
- View organization resources
- Cannot invite members or change settings
Best practice: Default role for most team members
Viewer
Who: Stakeholders, auditors, read-only users
Permissions:
- View all resources
- View logs and history
- Cannot make any changes
- Cannot deploy or delete
Best practice: For managers, compliance, or external consultants
Working with Teams
Why Use Teams?
Teams simplify permission management:
- Grant permissions to groups, not individuals
- Onboard new members quickly
- Consistent access patterns
- Easier audit and compliance
Creating Teams
- Go to Settings → Teams
- Click "Create Team"
- Configure team:
Name: "Backend Team" Description: "Backend services and infrastructure" Members: [alice@company.com, bob@company.com]
Screenshot Placeholder: Create team form
Common Team Patterns
By Function
Teams:
- backend-team (API developers)
- frontend-team (UI developers)
- devops-team (Infrastructure)
- qa-team (Testing)
By Project
Teams:
- project-alpha-team
- project-beta-team
- maintenance-team
By Access Level
Teams:
- prod-deployers (Production access)
- dev-only (Development only)
- read-only-stakeholders
Team Permissions
Teams can be granted permissions at different levels:
Environment Level:
Team: backend-team
Environments:
- development: Admin
- staging: Admin
- production: Member (deploy only)
Resource Level:
Team: database-team
Resources:
- All RDS instances: Admin
- Other resources: Viewer
Access Control in Practice
Scenario 1: Onboarding a Developer
-
Invite as Member:
Email: newdev@company.com Role: Member -
Add to Teams:
- backend-team (for API access)
- dev-environment-team (for development)
-
Result:
- Can deploy to development
- Can view production
- Cannot modify organization settings
Scenario 2: Contractor Access
- Invite as Member (limited)
- Create specific team:
Team: contractor-project-x Access: Only Project X resources - Time-bound: Remove after contract
Scenario 3: Executive Visibility
- Invite as Viewer
- No team needed
- Can see:
- All resources and costs
- Deployment history
- Cannot make changes
Managing Member Access
Updating Roles
- Go to Members page
- Click member's current role
- Select new role from dropdown
- Confirm change
Screenshot Placeholder: Member list with role dropdown
Important: Role changes take effect immediately
Removing Members
- Click member options menu
- Select "Remove from organization"
- Confirm removal
What happens:
- Immediate access revocation
- Running resources continue
- Audit log entry created
- Cannot undo (must re-invite)
Viewing Access History
Track who did what:
- Member actions logged
- Role changes tracked
- Resource access recorded
- Available in audit logs
Security Best Practices
1. Principle of Least Privilege
Start restricted, expand as needed:
- New members: Start as Viewer
- After onboarding: Upgrade to Member
- Special needs: Add to specific teams
2. Regular Access Reviews
Monthly/Quarterly:
- Review member list
- Check role assignments
- Remove inactive members
- Update team memberships
3. Team-Based Access
Prefer teams over individual permissions:
# Good
Team: prod-deployers
Members: [senior-dev1, senior-dev2]
Access: Production deployment
# Avoid
Individual permissions for each member
4. Environment Isolation
Separate access by environment:
Development: Most developers
Staging: Senior developers + QA
Production: Limited senior team only
Common Access Patterns
Startup (Small Team)
Owner: founder@startup.com
Admins:
- cto@startup.com
Members:
- dev1@startup.com
- dev2@startup.com
Simple, flat structure with trust-based access.
Scale-up (Growing Team)
Teams:
- engineering (all devs)
- platform-team (infrastructure)
- prod-access (senior only)
Roles:
- Admins: Team leads
- Members: All developers
- Viewers: Product managers
Enterprise (Large Organization)
Teams:
- backend-team-us
- backend-team-eu
- frontend-team
- devops-team
- security-team
- compliance-viewers
Strict environment access:
- Dev: All teams
- Staging: Senior members
- Prod: DevOps + selected seniors
Integration with Platform Features
Teams and Deployments
- Stack Jobs show who triggered them
- Pipelines track committer and deployer
- Audit trail for compliance
Teams and Billing
- Billing based on seats (members)
- Viewers may not count as seats
- Team size affects subscription tier
Teams and Notifications
- Set up team-based alerts
- Route notifications by team
- Escalation paths
Troubleshooting Access Issues
"Access Denied" Errors
Check:
- Member role in organization
- Team memberships
- Current environment context
- Resource-specific permissions
"Cannot Invite Members"
Only Owners and Admins can invite
- Check your role
- Ask admin for help
- Consider team-based approach
"Invitation Not Received"
Try:
- Check spam folder
- Resend invitation
- Copy invitation link
- Verify email address
What's Next?
With your team onboarded:
- Platform Tour - Show team the platform
- Getting Started - Team onboarding guide
- Billing - Understand seat-based pricing
- Core Concepts - Team training material
Remember: Good access management is invisible when done right. Set up teams thoughtfully, and permissions become automatic. Your team can focus on building, not requesting access.
Next article
