-title:Create a Codefresh account

localurl:/gitops/administration/account-user-management/create-codefresh-account/

-title:Adding users and teams

localurl:/gitops/administration/account-user-management/add-users/

localurl:/gitops/administration/account-user-management/add-users-teams/

-title:Access control for GitOps

localurl:/gitops/administration/account-user-management/gitops-abac/

-title:User settings

-title:Create a Codefresh account

url:"/create-codefresh-account"

-title:Adding users and teams

url:"/add-users"

url:"/add-users-teams"

-title:Managing service accounts

url:"/service-accounts"

-title:Configuring access control for GitOps

-title:Access control for GitOps

url:"/gitops-abac"

-title:Authorize access to organizations/projects

url:"/hosted-authorize-orgs"

-title:Create a Codefresh account

localurl:/docs/administration/account-user-management/create-codefresh-account/

-title:Adding users and teams

localurl:/docs/administration/account-user-management/add-users/

localurl:/docs/administration/account-user-management/add-users-teams/

-title:Set up OAuth2 for GitOps

localurl:/docs/administration/account-user-management/oauth-setup/

localurl:/docs/administration/account-user-management/oauth-setup/

-title:Access control for pipelines

localurl:/docs/administration/account-user-management/access-control/

localurl:/docs/administration/account-user-management/access-control-pipelines/

-title:Access control for GitOps

localurl:/docs/administration/account-user-management/gitops-abac/

-title:Audit

-title:Create a Codefresh account

url:"/create-codefresh-account"

-title:Adding users and teams

url:"/add-users"

url:"/add-users-teams"

-title:Managing service accounts

url:"/service-accounts"

-title:Configuring access control for pipelines

url:"/access-control"

-title:Configuring access control for GitOps

-title:Access control for user accounts

url:"/access-control-user-accounts"

-title:Access control for pipelines

url:"/access-control-pipelines"

-title:Access control for GitOps

url:"/gitops-abac"

-title:Setting up OAuth2 for GitOps

url:"/oauth-setup"

Review:

{% if page.collection != site.gitops_collection %}

*[Add users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users/)

* Configure access control for[pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/) and for[GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

*[Add users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users-teams/)

* Configure access control for[pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control-pipelines/) and for[GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

*[Configure access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

*[Configure Single Sign-On (SSO)]({{site.baseurl}}/docs/administration/single-sign-on/)

* Get[audit logs]({{site.baseurl}}/docs/administration/account-user-management/audit/) for runtimes (hosted or private)

{% endif %}

{% if page.collection == site.gitops_collection %}

*[Add users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users/)

*[Add users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users-teams/)

*[Configure access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

*[Configure Single Sign-On (SSO)]({{site.baseurl}}/docs/administration/single-sign-on/)

{% endif %}

title:"Configuring access control for pipelines"

title:"Access control for pipelines"

description:"Restrict resources to pipelines in a company environment"

group:administration

sub_group:account-user-management

-/docs/enterprise-account-mng/ent-account-mng/

-/docs/enterprise/ent-account-mng/

-/docs/administration/ent-account-mng/

toc:true

Role-based access is usually defined when you[add teams]({{site.baseurl}}/docs/administration/account-user-management/add-users/#teams-in-codefresh) to accounts. Role-based access means assigning either a user or an administrator role.

Role-based access is usually defined when you[add teams]({{site.baseurl}}/docs/administration/account-user-management/add-users-teams/#teams-in-codefresh) to accounts. Role-based access means assigning either a user or an administrator role.

Only a user with an administrator role can add other users, and assign or change user roles.

Make sure you have:

*[Created at least one team]({{site.baseurl}}/docs/administration/account-user-management/add-users/#teams-in-codefresh)

*[Created at least one team]({{site.baseurl}}/docs/administration/account-user-management/add-user-teams/#teams-in-codefresh)

* Reviewed[CRUD privileges for entities/resources](#crud-privileges-for-entitiesresources)

* Added tags for all entities, except pipelines

**Step 1: Set up the teams**

The first step is to create the teams, and add the users you want to each team.

See[Teams in Codefresh]({{site.baseurl}}/docs/administration/account-user-management/add-users/#teams-in-codefresh).

See[Teams in Codefresh]({{site.baseurl}}/docs/administration/account-user-management/add-users-teams/#teams-in-codefresh).

If you have already created the DevOps and Users teams, you'll need to create the Marvel team.

[Access control for user accounts]({{site.baseurl}}/docs/administration/account-user-management/access-control-user-accounts)

[Codefresh Provider for Terraform](https://registry.terraform.io/providers/codefresh-io/codefresh/latest/docs){:target="\_blank"}

[Managing your Kubernetes cluster]({{site.baseurl}}/docs/deployments/kubernetes/manage-kubernetes/)

title:"Access control for user accounts"

description:"Define session timeouts and domain restrictions for all users"

toc:true

You can configure general access control settings that apply to all users in your Codefresh account. These include enforcing automatic logout after periods of inactivity, and restricting invitations to approved email domains. These controls help enforce organizational security policies across the platform.

Define sessions timeouts and email domain restrictions for all users in the account.

1. In the Codefresh UI, on the toolbar, click the**Settings** icon.

1. From the sidebar, select**Access Control**.

1.**User Session**: Define the maximum duration for inactivity in minutes/hours/days before enforcing a timeout.

1.**User Invitation**:

* To restrict invitations to specific email domains, turn on**Restrict inviting additional users..**

* In the**Email domains** field, type in the domains to allow, one per line.

{% include image.html

lightbox="true"

file="/images/administration/access-control/security-timeout.png"

url="/images/administration/access-control/security-timeout.png"

alt="Security timeout"

caption="Security timeout"

max-width="90%"

%}

[Access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

{% if page.collection != site.gitops_collection %}

[Access control for pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control-pipelines/)

{% endif %}

-/docs/accounts/

-/docs/accounts/invite-your-team-member/

-/docs/administration/invite-your-team-member/

toc:true

Once you have created a Codefresh account, you can add any number of users to collaborate on repositories, entities, and processes.

{% if page.collection != site.gitops_collection %}

For Codefresh on-premises, see[On-premises account & user setup]({{site.baseurl}}/docs/installation/on-premises/on-prem-configuration/).

{% endif %}

You can then create teamsin Codefreshto group users who share a common denominator, such as the same permissions, access to the same functionality, or roles. Teams make it easy for administrators to both define and manage items shared by multiple users in an organization.

You can then create teams to group users who share a common denominator, such as the same permissions, access to the same functionality, or roles. Teams make it easy for administrators to both define and manage items shared by multiple users in an organization.

Adding a user to an account requires assigning a role to define access to account resources, and optionally, selecting an SSO provider for the user:

***Email address**: The user's company email address.

***Role**: Defines the user's access level to the resources in the account.

***User**: The default. With this role, users can work with repositories and entities, but cannot change configuration settings.

***Administrator**: With this role, users have full access to accounts, and can change all settings, so make sure that they are trusted colleagues.

{% if page.collection != site.gitops_collection %}

For guidelines on access control, see[Access control for pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/) and[Configuring access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/).

For guidelines on access control, see[Access control for pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control-pipelines/) and[Access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/).

{% endif %}

{% if page.collection == site.gitops_collection %}

For guidelines on access control, see[Configuring access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/).

For guidelines on access control, see[Access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/).

{% endif %}

***SSO**: By default, SSO is not enabled for users. If required, explicitly select the SSO provider. For an overview of SSO, see[About Federated Single Sign-on]({{site.baseurl}}/docs/administration/single-sign-on/).

1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.

1. From the sidebar select**Users & Teams**.

1. Select**Users**, and then select**+[Add User]**.

1. Type the**User's email address**, and click**Invite**.

1. In the Codefresh UI, on the toolbar, click the**Settings** icon.

1. From the sidebar select**Users**, and then click**Add User**.

1. Add the user's**Email address**.

The user receives an email invitation, and in the Users list, the username is set to Pending, and status to Resend.

1. From the**Role** dropdown, select either**User** or**Administrator**.

1. If SSO is configured for the account,**Select SSO provider**.

1. From**Assign a role**, select either**Administrator** or**User**.

1. If SSO is configured for the account,**Select the SSO provider** from the list.

Once you add a user to your Codefresh account, you can do the following to manage that user:

* Resend invitations that are pending acceptance: Select**Resend**.

* Edit the user's email address: Select**Edit**.

* Change the role: From the**Role** dropdown, select the new role.

* Change SSO provider: From the**SSO** dropdown, select the new SSO provider.

* Remove the user account: Select**Delete**.

Once you add a user to your Codefresh account, you have the following options in the context menu of the user in the Users page.

***Edit**: Edit user's email address, change the role, or select a new SSO provider.

***Delete**: Remove the user account.

Teams are users who share the same permissions, roles, or requirements defined according to company processes. Teams allow you to enforce access control through ABAC (Attribute Based Access Control).

By default, there are two teams:

Teams are users who share the same permissions, roles, or requirements, defined according to company processes.

You first create a team and then invite users to it. You can then view the service accounts the user is assigned to, if any.

{% if page.collection != site.gitops_collection %}

* Users

* Admins with users[invited as collaborators](#assign-a-user-to-a-team)

As part of the global pipeline settings for an account, when creating a team, you can also automatically create a project and a project tag with the same name as that of the team. Enabling**auto-create projects for teams** (disabled by default), simplifies permissions setup for pipelines and projects, as it also creates a Read rule for the project. See[Auto-create projects for teams]({{site.baseurl}}/docs/pipelines/configuration/pipeline-settings/#auto-create-projects-for-teams).

{% endif %}

Createa team in Codefresh and then assign users to the team. You can assign the same user to multipleteams, asinmost companies, users have overlapping roles.

1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**User Management**.

1.From thesidebar, select**Users & Teams**.

1.Select**Teams**, and thenselect**Create a Team**.

1. Enter the**Team Name**.

Create multiple teams in Codefresh.

1.In theCodefresh UI, on the toolbar, click the**Settings** icon.

1.From the sidebar, select**Teams**, and thenclick**Add Team**.

1. Enter the**Team Name** and click**Create**.

See the screenshot below for some sample team names.

{% include image.html

lightbox="true"

file="/images/administration/access-control/teams.png"

url="/images/administration/access-control/teams.png"

alt="Examples of teams in Codefresh"

caption="Examples of teams in Codefresh"

max-width="80%"

%}

1. To assign users to the team, do the following:

1. Hover over the team name and click the**Settings** icon.

1. Click**Invite to team**, type the email address of the user to invite, and then click**Add**.

1. To change the name of the team, click**Edit** and type the new name.

Add one or more users to a team. You can assign the same user to multiple teams, as in most companies, users have overlapping roles.

1. In the Codefresh UI, on the toolbar, click the**Settings** icon.

1. From the sidebar, select**Teams**, and then click the team to which to add users.

1. Click**Add to team**, and select the user from the list.

1. Click**Add**.

You can change the name of the team, delete the team, or remove users from a team .

***Remove user from team**: Click the team name and from the user's context menu, select** user's email address, change the role, or select a new SSO provider.

***Delete**: Remove the user account.

As an administrator, you can optionally define session timeouts to automatically log out users who have been inactive for the specified duration, and restrict invitations to specific email domains.

1. In the Codefresh UI, on the toolbar, click the**Settings** icon, and then select**Account Settings**.

1. From the sidebar, select**Users & Teams**.

1. Select**Security**.

1. For**User Session**, add the timeout duration in minutes/hours/days.

1. To restrict invitations to specific email domains, below User Invitations, turn on**Restrict inviting additional users..** and then in the**Email domains**, type in the domains to allow, one per line.

{% include image.html

lightbox="true"

file="/images/administration/access-control/security-timeout.png"

url="/images/administration/access-control/security-timeout.png"

alt="Security timeout"

caption="Security timeout"

max-width="90%"

%}

[Single sign-on]({{site.baseurl}}/docs/administration/single-sign-on/)

[Configuring access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

[Access control for GitOps]({{site.baseurl}}/docs/administration/account-user-management/gitops-abac/)

{% if page.collection != site.gitops_collection %}

[Setting up OAuth authentication for Git providers]({{site.baseurl}}/docs/administration/account-user-management/oauth-setup)

[Configuring accesscontrol for pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/)

[Accesscontrol for pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control-pipelines/)

{% endif %}

[Codefresh installation options]({{site.baseurl}}/docs/installation/installation-options/)

[Codefresh API integration]({{site.baseurl}}/docs/integrations/codefresh-api/)