
Identity Access Management

This document describes how to manage access to organizations, projects, roles, and user profiles in TiDB Cloud.

Before accessing TiDB Cloud, create a TiDB Cloud account. You can either sign up with email and password so that you can manage your password using TiDB Cloud, or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud.

Organizations and projects

TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple projects in your organization.

For example:


              
- Your organization
    - Project 1
        - Cluster 1
        - Cluster 2
    - Project 2
        - Cluster 3
        - Cluster 4
    - Project 3
        - Cluster 5
        - Cluster 6

Under this structure:

  • To access an organization, a user must be a member of that organization.
  • To access a project in an organization, a user must have at least read access to the project in that organization.
  • To manage clusters in a project, a user must be in the Project Owner role.

For more information about user roles and permissions, see User roles.

Organizations

An organization can contain multiple projects.

TiDB Cloud calculates billing at the organization level and provides the billing details for each project.

If you are an organization owner, you have the highest permission in your organization.

For example, you can do the following:

  • Create different projects (such as development, staging, and production) for different purposes.
  • Assign different users with different organization roles and project roles.
  • Configure organization settings. For example, configure the time zone for your organization.

Projects

A project can contain multiple clusters.

If you are a project owner, you can manage clusters and project settings for your project.

For example, you can do the following:

  • Create multiple clusters according to your business need.
  • Assign different users with different project roles.
  • Configure project settings. For example, configure different alert settings for different projects.

User roles

TiDB Cloud defines different user roles to manage different permissions of TiDB Cloud users in organizations, projects, or both.

You can grant roles to a user at the organization level or at the project level. Make sure to carefully plan the hierarchy of your organizations and projects for security considerations.

Organization roles

At the organization level, TiDB Cloud defines four roles, in which Organization Owner can invite members and grant organization roles to members.

Permission | Organization Owner | Organization Billing Admin | Organization Console Audit Admin | Organization Member
Manage organization settings, such as projects, API keys, and time zones.
Invite users to or remove users from an organization, and edit organization roles of users.
All the permissions of Project Owner for all projects in the organization.
Create projects with Customer-Managed Encryption Key (CMEK) enabled.
View bills and edit payment information for the organization.
Manage TiDB Cloud console audit logging for the organization.
View users in the organization and the projects to which the member belongs.

Project roles

At the project level, TiDB Cloud defines three roles, in which Project Owner can invite members and grant project roles to members.

Permission | Project Owner | Project Data Access Read-Write | Project Data Access Read-Only
Manage project settings.
Invite users to or remove users from a project, and edit project roles of users.
Manage database audit logging of the project.
Manage spending limit for all TiDB Serverless clusters in the project.
Manage cluster operations in the project, such as cluster creation, modification, and deletion.
Manage branches for TiDB Serverless clusters in the project, such as branch creation, connection, and deletion.
Manage cluster data such as data import, data backup and restore, and data migration.
Manage Data Service for data read-only operations, such as using or creating endpoints to read data.
Manage Data Service for data read and write operations.
View cluster data using Chat2Query.
Modify and delete cluster data using Chat2Query.
View clusters in the project, view cluster backup records, and manage changefeeds.
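
Because an organization role can carry project permissions, the project member list alone does not show who can manage a project's clusters. The following Python sketch is an added example, not TiDB Cloud code: it resolves effective project roles over a constructed membership snapshot, assuming that Organization Owner carries Project Owner permissions on every project and that the project roles rank Read-Only < Read-Write < Owner. The data layout and function names are hypothetical.

```python
# Added example: access review over a CONSTRUCTED membership snapshot.
# Role names come from the page; the data layout is hypothetical.

# Assumed privilege ordering of the three project roles (lowest to highest).
PROJECT_RANK = {
    "Project Data Access Read-Only": 1,
    "Project Data Access Read-Write": 2,
    "Project Owner": 3,
}

# Constructed sample data, not a TiDB Cloud export format.
MEMBERS = [
    {"email": "alice@example.com", "org_role": "Organization Owner", "projects": {}},
    {"email": "bob@example.com", "org_role": "Organization Member",
     "projects": {"development": "Project Owner",
                  "production": "Project Data Access Read-Only"}},
    {"email": "carol@example.com", "org_role": "Organization Billing Admin", "projects": {}},
    {"email": "dave@example.com", "org_role": "Organization Owner",
     "projects": {"staging": "Project Data Access Read-Only"}},
]

def effective_project_role(member, project):
    """Return the role that actually applies, or None if there is no project access."""
    if member["org_role"] == "Organization Owner":
        # Assumption: Organization Owner implies Project Owner on every project.
        return "Project Owner"
    return member["projects"].get(project)

def effective_owners(members, project):
    """Everyone who can manage clusters in the project, including implicit owners."""
    return sorted(m["email"] for m in members
                  if effective_project_role(m, project) == "Project Owner")

def masked_grants(members):
    """Explicit project grants that understate what the member can really do."""
    hits = []
    for m in members:
        for project, explicit in m["projects"].items():
            effective = effective_project_role(m, project)
            if PROJECT_RANK[effective] > PROJECT_RANK[explicit]:
                hits.append((m["email"], project, explicit))
    return hits

if __name__ == "__main__":
    print("production owners:", effective_owners(MEMBERS, "production"))
    print("masked grants:", masked_grants(MEMBERS))
```

In the sample data, dave's explicit read-only grant on staging is reported as masked because his organization role already makes him an effective owner of every project.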

Manage organization access

View organizations

To check which organizations you belong to, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.
  2. Click Organization Settings. You can view your organization on the page that is displayed.

Switch between organizations

If you are a member of multiple organizations, you can switch your account between organizations.

To switch between organizations, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.
  2. Click the name of the organization you want to switch to.

Set the time zone for your organization

If you are in the Organization Owner role, you can modify the system display time according to your time zone.

To change the local timezone setting, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the Time Zone tab.

  4. Click the drop-down list and select your time zone.

  5. Click Save.

Invite an organization member

If you are in the Organization Owner role, you can invite users to your organization.

To invite a member to an organization, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the User Management tab, and then select By Organization.

  4. Click Invite.

  5. Enter the email address of the user to be invited, and then select an organization role for the user.

  6. Click Confirm. The new user is then successfully added to the user list. At the same time, an email is sent to the invited email address with a verification link.

  7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page is displayed.

  8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page, and after sign-in, the account joins the organization automatically.

Modify organization roles

If you are in the Organization Owner role, you can modify organization roles of all members in your organization.

To modify the organization role of a member, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the User Management tab, and then select By Organization.

  4. Click the role of the target member, and then modify the role.

Remove an organization member

If you are in the Organization Owner role, you can remove organization members from your organization.

To remove a member from an organization, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the User Management tab, and then select By Organization.

  4. Click Delete in the user row that you want to delete.

Manage project access

View projects

To check which project you belong to, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The Projects tab is displayed by default.

Create a project

If you are in the Organization Owner role, you can create projects in your organization.

To create a new project, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The Projects tab is displayed by default.

  3. Click Create New Project.

  4. Enter your project name.

  5. Click Confirm.

Rename a project

If you are in the Organization Owner role, you can rename any projects in your organization. If you are in the Project Owner role, you can rename your project.

To rename a project, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The Projects tab is displayed by default.

  3. In the row of your project to be renamed, click Rename.

  4. Enter a new project name.

  5. Click Confirm.

Invite a project member

If you are in the Organization Owner or Project Owner role, you can invite members to your projects.

To invite a member to a project, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the User Management tab, select By Project, and then select your project from the drop-down list.

  4. Click Invite.

  5. Enter the email address of the user to be invited, and then select a project role for the user.

  6. Click Confirm. The new user is then successfully added to the user list. At the same time, an email is sent to the invited email address with a verification link.

  7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page is displayed.

  8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the project automatically.

Modify project roles

If you are in the Organization Owner role, you can modify project roles of all project members in your organization. If you are in the Project Owner role, you can modify project roles of all members in your project.

To modify the project role of a member, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the User Management tab, select By Projects, and then choose your project in the drop-down list.

  4. Click the role of the target member, and then modify the role.

Remove a project member

If you are in the Organization Owner or Project Owner role, you can remove project members.

To remove a member from a project, take the following steps:

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Organization Settings. The organization settings page is displayed.

  3. Click the User Management tab, and then select By Project.

  4. Click Delete in the user row that you want to delete.

Manage user profiles

In TiDB Cloud, you can easily manage your profile, including your first name, last name, and phone number.

  1. Click in the lower-left corner of the TiDB Cloud console.

  2. Click Account Settings. The Profile tab is displayed by default.

  3. Update the profile information, and then click Save.
