Manage users
You can invite users to join your organization to allow them to interact with all or specific Elastic Cloud resources and settings. After they're invited, you can manage the users in your organization.
Alternatively, configure Elastic Cloud SAML SSO to enable your organization members to join the Elastic Cloud organization automatically.
An Elastic Cloud account can belong to multiple organizations. However, the user's roles and the resources that they have access to are controlled at the organization level.
If you're using Elastic Cloud Hosted, then you can also manage users and control access at the deployment level.
Only Organization owners can invite new users to the organization.
To assign or modify roles for existing members, your permissions must cover the resources affected by the role assignment:
- Organization owners can manage role assignments for all members in the organization.
- Members with the Admin role can view and manage role assignments only for deployments or projects within their scope:
  - Admins scoped to all deployments and projects can manage assignments across all resources.
  - Admins scoped to specific deployments or projects can manage assignments only for those resources.
For more information about role scopes and permissions, refer to User roles and privileges.
To invite users to your organization:
- Log in to Elastic Cloud.
- From the navigation menu, select Organization > Members.
- On the Members page, click Invite members.
- Enter the email addresses of the users you want to invite in the email field.
  To add multiple members, enter the member email addresses, separated by a space.
- If desired, assign roles to the users so that they automatically get the appropriate permissions when they accept the invitation and sign in to your organization.
  You can grant access to Elastic Cloud Hosted deployments, Elastic Cloud Serverless projects, or connected clusters, either to all resources or scoped to specific ones. For more details, refer to User roles and privileges.
- Click Send invites.
Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation before it expires. If the invite has expired, an admin can resend the invitation.
You must send invitations from the organization you want users to join. You can't invite users to join multiple organizations at once.
If a user already has an Elastic Cloud account, then they don't need to sign up again. Instead, they can log in with their selected login method.
If your organization uses SAML SSO, then you don't need to invite users to join the organization. Users are added to the organization automatically when they log in to your identity provider SSO URL.
Organizations can have different authentication requirements. For example, one organization might enforce SAML SSO, while another organization might not enforce any specific login method. If your organization enforces a specific login method, then the user will need to use that method to log in, and might be prompted to re-authenticate.
On the Members tab of the Organization page, you can view the list of current members, including their status, role, and any other organizations that they are members of.
In the Actions column, click the three dots to edit a member’s role, revoke an invite, or remove a member from your organization.
Before April 2026, each organization required its own Elastic Cloud account and email address. You can now use one Elastic Cloud account across multiple organizations, and you might want to remove redundant accounts.
For each organization where a user currently signs in with a different email address, invite them again using the email address that you want them to use everywhere. Assign the same roles and privileges they had on the alternate account.
After the user accepts the invitation, you can delete their alternate account from that organization.
You can view the organizations that your users are members of from the Members tab of the Organization page. This page shows which organizations each member of your current organization belongs to.
To view the organizations:
- Log in to the Elastic Cloud Console.
- From a deployment or project on the home page, select Manage.
- From the lower navigation menu, select Organization.
- Click the Members tab.
- Click the name of the user you want to view the organizations for.
You can also manage members of your organization using the Elastic Cloud API.
Get information about your organization
Get information about your Elastic Cloud organization.
curl -XGET \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations"
Invite members to your organization
Invite members to your Elastic Cloud organization.
curl -XPOST \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" \
-d '
{
  "emails": [
    "test@test.com"
  ]
}'
- One or more email addresses to invite to the organization
When creating an invitation, you can define the user's roles and grant access to resources in the API request body:
curl -XPOST \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations" \
-d '
{
  "emails": [
    "test@test.com"
  ],
  "role_assignments": {
    "deployment": [
      {
        "role_id": "deployment-admin",
        "organization_id": "ORG_ID_PLACEHOLDER",
        "all": true
      }
    ],
    "project": {
      "elasticsearch": [
        {
          "role_id": "elasticsearch-viewer",
          "organization_id": "ORG_ID_PLACEHOLDER",
          "all": false,
          "project_ids": [
            "ES_PROJECT_ID_PLACEHOLDER"
          ],
          "application_roles": [
            "logs_viewer"
          ]
        }
      ],
      "observability": [
        {
          "role_id": "observability-editor",
          "organization_id": "ORG_ID_PLACEHOLDER",
          "all": false,
          "project_ids": [
            "OBS_PROJECT_ID_PLACEHOLDER"
          ],
          "application_roles": [
          ]
        }
      ]
    }
  }
}'
- When granting a custom serverless role, you need to grant the relevant viewer role ID for the project type.
- Custom roles for the user in this Serverless project.
- Pass an empty application_roles array to only grant the user Elastic Cloud Console access to the relevant resources. Learn more about access options.
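A pre-send check for the invitation body above, added here as an example and not part of Elastic's documentation or tooling: it flags admin roles granted on all resources, scoped project grants with no project IDs, custom roles attached to a non-viewer role ID, and an organization_id that differs from the inviting organization. The function name, the sample IDs, and the assumptions that admin role IDs end in -admin and that viewer role IDs are named after the project type (as in elasticsearch-viewer) are illustrative.

```python
ADMIN_SUFFIX = "-admin"  # assumption: admin role IDs end in "-admin" (page shows "deployment-admin")

def lint_invitation(body, inviting_org_id):
    """Return least-privilege findings for an invitation request body (dict)."""
    findings = []
    if not body.get("emails"):
        findings.append("emails: no recipients")
    assignments = body.get("role_assignments", {})
    # Flatten to (path, project type or None, entry) so one loop checks everything.
    entries = [("deployment", None, e) for e in assignments.get("deployment", [])]
    for ptype, items in assignments.get("project", {}).items():
        entries += [(f"project.{ptype}", ptype, e) for e in items]
    for path, ptype, entry in entries:
        role = entry.get("role_id", "")
        where = f"{path}[{role}]"
        if entry.get("organization_id") != inviting_org_id:
            findings.append(f"{where}: organization_id is not the inviting organization")
        if entry.get("all") and role.endswith(ADMIN_SUFFIX):
            findings.append(f"{where}: admin role on all resources")
        if ptype and not entry.get("all") and not entry.get("project_ids"):
            findings.append(f"{where}: scoped grant lists no project_ids")
        # Custom roles must be paired with the project type's viewer role ID.
        if ptype and entry.get("application_roles") and role != f"{ptype}-viewer":
            findings.append(f"{where}: custom roles need role_id {ptype}-viewer")
    return findings

# Constructed request body, shaped like the example above (all IDs are made up).
SAMPLE = {
    "emails": ["new.hire@example.com"],
    "role_assignments": {
        "deployment": [
            {"role_id": "deployment-admin", "organization_id": "ORG_A", "all": True}],
        "project": {
            "elasticsearch": [
                {"role_id": "elasticsearch-viewer", "organization_id": "ORG_A",
                 "all": False, "project_ids": ["ES_PROJECT_1"],
                 "application_roles": ["logs_viewer"]}],
            "observability": [
                {"role_id": "observability-editor", "organization_id": "ORG_B",
                 "all": False, "project_ids": [],
                 "application_roles": ["logs_viewer"]}],
        },
    },
}

if __name__ == "__main__":
    for finding in lint_invitation(SAMPLE, "ORG_A"):
        print(finding)
```

An empty result means the body passed these four checks; it says nothing about whether the API will accept the request.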
View pending invitations to your organization
View pending invitations to your Elastic Cloud organization.
curl -XGET \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/invitations"
View members in your organization
View members in your Elastic Cloud organization.
curl -XGET \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members"
Remove members from your organization
Remove members from your Elastic Cloud organization.
curl -XDELETE \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/members/$USER_IDS"
- USER_IDS: One or more comma-delimited user IDs to remove from the organization