Manage users
To collaborate with others on projects in Astra, you can add users to your Astra organization.
To manage users, you need an application token or user role with the necessary permissions, such as the Organization Administrator role.
You can use an IdP for Astra entitlement management and SSO. For more information, see Use SCIM for Astra entitlement management and Configure single sign-on for Astra.
Membership is separate for each organization and enterprise
With respect to user and role management, each organization and enterprise is isolated.
If you are the administrator for multiple organizations, you must manage each organization's users separately. For example, you cannot use one API request to modify multiple organizations. Instead, you must send a separate request for each organization.
If a user needs access to multiple entities, you must invite them to each one separately. For example, if an enterprise user needs access to organizations in the enterprise, you must invite them to the enterprise and each organization. The user will receive a separate invitation for each entity, and they must accept all invitations to get access to each entity.
Enterprise users can view minimal details about the organizations in their enterprise, and they can add and remove organizations from the enterprise. However, they cannot manage individual resources in those organizations unless they are directly invited to each organization.
Add a user
You can use the Astra Portal and the DevOps API to invite users to an organization or enterprise.
Add a user in the Astra Portal
- In the Astra Portal header, click Settings.
- In the Settings navigation menu, make sure the enterprise/organization filter is set to the enterprise or organization that you want to manage.
  To view an organization that belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
- In the Settings navigation menu, click Users.
- Click Invite User.
- Enter the user’s email address.
  This email address is a unique identifier for an Astra account. If the user has an Astra account, make sure this email address matches the user’s existing account. If you enabled SSO, make sure this email address matches the email address in the user’s IdP profile. If the user doesn’t have an account and SSO isn’t enabled, then the user must create an Astra account using this email address.
- Select the roles that you want to assign to the user.
  You can assign any built-in and custom roles that exist in the selected organization or enterprise. After the user accepts your invitation, you can edit their roles as needed.
- Click Invite User to send an email invitation to join your organization or enterprise. For more information, see Accept the invite.
Add a user with the DevOps API
To invite a user to an organization or enterprise, use PUT /v2/organizations/users:
curl -sS -L -X PUT "https://api.astra.datastax.com/v2/organizations/users" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "email": "USER_EMAIL",
    "orgID": "ORGANIZATION_OR_ENTERPRISE_ID",
    "roles": [
      "ROLE_ID",
      "ROLE_ID"
    ]
  }'
Replace the following:
- APPLICATION_TOKEN: An application token with a role that has permission to invite users to the organization or enterprise.
- USER_EMAIL: The user’s email address.
  This email address is a unique identifier for an Astra account. If the user has an Astra account, make sure this email address matches the user’s existing account. If you enabled SSO, make sure this email address matches the email address in the user’s IdP profile. If the user doesn’t have an account and SSO isn’t enabled, then the user must create an Astra account using this email address.
- ORGANIZATION_OR_ENTERPRISE_ID: The ID of the organization or enterprise that you want to invite the user to.
- ROLE_ID: One or more roles to assign to the user.
  You can assign any built-in and custom roles that exist in the specified organization or enterprise. To get role IDs, use GET /v2/organizations/roles. After the user accepts your invitation, you can edit their roles as needed.
A successful request generates an email invitation for the user to join your organization or enterprise. For more information, see Accept the invite.
Accept the invite
To accept an invitation, the invited user must sign in to Astra with the same email address that received the invitation.
The user can log in through SSO, as long as their IdP, Google, GitHub, or IBMid account has the same email address as the Astra invitation. Alternatively, the user can create a new account with the same email address, and then log in to accept the invitation.
- Sign in with an IdP
  You can sign in to the Astra Portal through your IdP if an Organization Administrator has enabled SSO.
  Sign in to your IdP platform, select the Astra application on your IdP dashboard, and then follow the prompts to sign in.
  The first time you access the Astra application, you must review the DataStax terms and conditions.
  Upon sign in, Astra does the following:
  - Attempts to find an existing Astra account by matching the email address associated with the user’s IdP profile.
    Existing accounts are granted access to the organization associated with the SSO configuration, in addition to any other organizations the account already belongs to.
    If the user was invited to the organization, then they are granted the role defined in their invitation. If the user was already a member of the organization, then they retain their existing role assignment.
  - Creates a new account through Just-in-Time (JIT) provisioning if no matching account exists.
    JIT accounts are assigned a read-only role in the associated organization.
  The IdP and SSO integration cannot edit Astra role assignments, with the exception of read-only roles for JIT provisioning. An Organization Administrator (or a similarly privileged user) must edit role assignments in Astra regardless of the user’s sign-in method.
  The default user session timeout is approximately two hours. The timeout can vary if your IdP has a different default timeout setting, or the IdP administrator specifies a different timeout in the Astra application’s configuration.
- Sign in with Google
  You can use your Gmail or Google Workspace account to create an Astra account and sign in to the Astra Portal.
  The default user session timeout is approximately two hours.
- Sign in with GitHub
  You can use your GitHub account to create an Astra account and sign in to the Astra Portal.
  To use GitHub for Astra authentication, you must have a public email address in your GitHub profile.
  If you are a new user, make your email public before you create an Astra account.
  If you are an existing user and you selected keep my email address private in your GitHub profile, you must make your email address public, and then change your password to switch to Astra local authentication. Alternatively, you can use another SSO option with the same email address as your GitHub account.
  If you don’t want to make your email address public, you must use a different SSO option or username and password authentication.
  The default user session timeout is approximately two hours.
- Sign in with IBMid
  Sign in with IBMid to create an Astra account and authenticate with your IBMid credentials.
  The default user session timeout is approximately two hours.
- Sign in with a username and password
  If you cannot use SSO, you can sign in with a username and password.
  If you don’t already have an Astra account under the email address that you were invited with, you must create a new account with that email address:
  - Navigate to the Astra Portal.
  - On the Sign In page, click Sign Up.
  - Follow the prompts to create your account. Make sure to use the same email address that received the invitation.
  - After you create your account, follow the link in the invitation email to accept the invitation.
  - After you accept the invitation, you can switch to the organization that you were invited to. If you were invited to an enterprise, you can access enterprise controls and information through Settings.
  The default user session timeout is approximately two hours.
Get a list of users
You can use the Astra Portal and the DevOps API to view the users in an organization or enterprise, including their assigned roles and invitation status.
- View users in the Astra Portal
  - In the Astra Portal header, click Settings.
  - In the Settings navigation menu, make sure the enterprise/organization filter is set to the enterprise or organization that you want to manage.
    To view an organization that belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
  - In the Settings navigation menu, click Users.
    The User management page lists all users in the selected organization or enterprise.
    When viewing users in an organization, the Admin flag indicates users with the Organization Administrator role. When viewing users in an enterprise, the Admin flag indicates users with the Enterprise Administrator role.
    The Invited status means the user has a pending invitation to join the organization or enterprise.
- Get users with the DevOps API
  Use GET /v2/organizations/users to get information about all users in an organization or enterprise:
  curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"
  The returned users depend on the scope of the application token:
  - Organization-scoped application tokens return the users in the token’s organization.
  - Enterprise-scoped application tokens return the enterprise users in the token’s enterprise. Enterprise-scoped tokens don’t return users in the organizations within the enterprise. You must send separate requests for each organization, with an appropriately scoped token, to get the users in those organizations.
  The response includes the user ID, email address, status, and roles for each user:
  {
    "OrgID": "ORGANIZATION_ID",
    "OrgName": "ORGANIZATION_NAME",
    "Users": [
      {
        "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
        "Email": "USER_EMAIL",
        "Status": "active",
        "Roles": [
          {
            "ID": "ROLE_ID",
            "Name": "ROLE_NAME"
          }
        ]
      }
    ]
  }
  The invited status means the user has a pending invitation to join the organization or enterprise.
Edit a user’s role assignment
Use these steps to change the roles that are assigned to a specific user:
- Edit a user in the Astra Portal
  - In the Astra Portal header, click Settings.
  - In the Settings navigation menu, make sure the enterprise/organization filter is set to the enterprise or organization that you want to manage.
    To view an organization that belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
  - In the Settings navigation menu, click Users.
  - Find the user you want to edit, click More, and then select Edit User.
  - Select or deselect roles to modify the user’s role assignment.
  - Click Update User.
- Edit a user with the DevOps API
  You can use the DevOps API to edit the roles assigned to a user in an organization or enterprise.
  A user’s role list is a desired state list. When you use the DevOps API to edit a user’s roles, you must include all roles that you want the user to have. This includes all currently assigned roles that you want to keep plus any new roles that you want to add.
  - Use GET /v2/organizations/users to get the user’s ID and current role assignment:
    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"
    The response includes information for all users in the organization or enterprise associated with the provided application token:
    {
      "OrgID": "ORGANIZATION_ID",
      "OrgName": "ORGANIZATION_NAME",
      "Users": [
        {
          "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
          "Email": "USER_EMAIL",
          "Status": "active",
          "Roles": [
            {
              "ID": "ROLE_ID",
              "Name": "ROLE_NAME"
            }
          ]
        }
      ]
    }
  - In the response, find the object that describes the relevant user. For example:
    {
      "UserID": "USER_ID",
      "Email": "USER_EMAIL",
      "Status": "active",
      "Roles": [
        {
          "ID": "ad0566b5-2a67-49de-89e8-92258c2f2c98",
          "Name": "Organization Administrator"
        }
      ]
    }
    Copy the UserID field and, in the Roles array, copy the ID of each currently assigned role that you want to keep. You don’t need the ID for roles that you want to remove from the user.
    For a narrower response, you can use the userID from GET /v2/organizations/users with GET /v2/organizations/users/USER_ID.
  - Use PUT /v2/organizations/users/USER_ID/roles to edit the user’s assigned roles:
    curl -sS -L -X PUT "https://api.astra.datastax.com/v2/organizations/users/USER_ID/roles" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json" \
      --data '{
        "roles": [
          "ROLE_ID",
          "ROLE_ID"
        ]
      }'
    Replace the following:
    - USER_ID: The UserID that you copied from GET /v2/organizations/users.
    - APPLICATION_TOKEN: The same token that you used with GET /v2/organizations/users.
    - ROLE_ID: The roles array is a comma-separated, desired state list of role ID strings. You must include all roles that you want the user to have, including the ID values that you copied from GET /v2/organizations/users and any new roles that you want to assign to the user.
      To add roles, you can get available roles with GET /v2/organizations/roles. Use the same application token that you used with GET /v2/organizations/users, and then copy the returned id for each role that you want to assign to the user.
      curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/roles" \
        --header "Authorization: Bearer APPLICATION_TOKEN" \
        --header "Content-Type: application/json"
    A successful request returns a 204 No Content status code.
  - Optional: To review the user’s updated role list, use GET /v2/organizations/users/USER_ID.
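Because the role list is a desired state list, any currently assigned role left out of the PUT body is removed from the user. The following is an added example, not DataStax code: it builds the request body from a GET /v2/organizations/users response and reports which roles the request would take away. The helper name plan_role_update and all sample IDs are assumptions made for illustration.

```python
# Constructed sample of a GET /v2/organizations/users response. Field names
# follow this page; every ID, name and address below is made up.
SAMPLE_USERS = {
    "OrgID": "org-1", "OrgName": "Example Org",
    "Users": [{
        "UserID": "user-1", "Email": "dev@example.com", "Status": "active",
        "Roles": [
            {"ID": "role-admin", "Name": "Organization Administrator"},
            {"ID": "role-custom", "Name": "Example Custom Role"},
        ],
    }],
}


def plan_role_update(users_response, user_id, add=(), remove=()):
    """Build the body for PUT /v2/organizations/users/USER_ID/roles.

    Returns (payload, dropped): payload is the complete desired-state list,
    dropped names the currently assigned roles the request would take away.
    plan_role_update is a hypothetical helper, not part of the DevOps API.
    """
    user = next((u for u in users_response["Users"]
                 if u["UserID"] == user_id), None)
    if user is None:
        raise LookupError(f"user {user_id} is not in this organization")
    current = {r["ID"]: r["Name"] for r in user.get("Roles") or []}
    if set(add) & set(remove):
        raise ValueError("a role cannot be both added and removed")
    unknown = set(remove) - set(current)
    if unknown:
        # Removing a role the user does not hold usually means a wrong ID.
        raise ValueError(f"not currently assigned: {sorted(unknown)}")
    # Start from every current role so that nothing is lost by omission.
    desired = [rid for rid in current if rid not in remove]
    for rid in add:
        if rid not in desired:
            desired.append(rid)
    if not desired:
        # This example's own safety choice: never send an empty list.
        raise ValueError("refusing to send an empty roles list")
    dropped = [name for rid, name in current.items() if rid not in desired]
    return {"roles": desired}, dropped


if __name__ == "__main__":
    body, dropped = plan_role_update(SAMPLE_USERS, "user-1",
                                     add=["role-new"], remove=["role-custom"])
    print(body, "drops:", dropped)
```

Review the dropped list before sending the request, and confirm the result afterwards with GET /v2/organizations/users/USER_ID.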
Remove a user or revoke an invitation
Removing a user removes their access to your organization or enterprise, but it doesn’t delete their account. The user retains their personal Astra account under their associated email address, including access to their default (personal) organization and any other organizations they belong to. The user can still access their personal Astra account, if they have access to the associated authentication method.
If your organization uses SSO or SCIM with Astra, make sure that you also remove the user from your IdP, if necessary.
- Use the Astra Portal
  - In the Astra Portal header, click Settings.
  - In the Settings navigation menu, make sure the enterprise/organization filter is set to the enterprise or organization that you want to manage.
    To view an organization that belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
  - In the Settings navigation menu, click Users.
  - Find the user you want to remove, click More, and then select Delete.
  - Enterprise users only: If you removed an enterprise user who also belongs to one or more organizations within the enterprise, repeat these steps to remove the user from each organization, if necessary.
    Removing the user at the enterprise level only removes their enterprise-level access. They retain their organization access until you remove them from each of those organizations.
- Use the DevOps API
  You can use the DevOps API to remove a user from an organization or enterprise:
  - Use GET /v2/organizations/users to get the UserID of the user that you want to remove:
    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"
    The response includes information for all users in the organization or enterprise associated with the provided application token. Copy the UserID of the user you want to remove.
    {
      "OrgID": "ORGANIZATION_ID",
      "OrgName": "ORGANIZATION_NAME",
      "Users": [
        {
          "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
          "Email": "USER_EMAIL",
          "Status": "active",
          "Roles": [
            {
              "ID": "ROLE_ID",
              "Name": "ROLE_NAME"
            }
          ]
        }
      ]
    }
  - Use DELETE /v2/organizations/users to remove the user:
    curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"
    Replace the following:
    - USER_ID: The UserID that you copied from GET /v2/organizations/users.
    - APPLICATION_TOKEN: The same application token that you used with GET /v2/organizations/users.
  - Use GET /v2/organizations/users/USER_ID to verify the user was removed:
    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"
    A 404 Not Found status code indicates that the user was removed.
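Removing a user at the enterprise level leaves their organization memberships in place, and an enterprise-scoped token does not list organization users, so an offboarding check has to look at each entity's own user list. The following is an added example, not DataStax code: it scans one GET /v2/organizations/users response per entity and reports where an address is still a member or has a pending invitation. The helper name residual_access, the sample data and the case-insensitive comparison are assumptions.

```python
# Constructed samples of GET /v2/organizations/users responses, one per
# scoped application token. Field names follow this page; every ID, name
# and address is made up.
ENTERPRISE = {"OrgID": "ent-1", "OrgName": "Example Enterprise", "Users": [
    {"UserID": "u-1", "Email": "admin@example.com", "Status": "active",
     "Roles": [{"ID": "r-ea", "Name": "Enterprise Administrator"}]}]}
ORG_A = {"OrgID": "org-a", "OrgName": "Org A", "Users": [
    {"UserID": "u-7", "Email": "Leaver@Example.com", "Status": "active",
     "Roles": [{"ID": "r-oa", "Name": "Organization Administrator"}]}]}
ORG_B = {"OrgID": "org-b", "OrgName": "Org B", "Users": [
    {"UserID": "u-7", "Email": "leaver@example.com", "Status": "invited",
     "Roles": [{"ID": "r-x", "Name": "Example Custom Role"}]}]}


def residual_access(responses, email):
    """Return every entity where `email` is still a member or has a pending
    invitation. residual_access is a hypothetical helper for this example."""
    # Assumption: addresses are compared case-insensitively.
    wanted = email.strip().lower()
    findings = []
    for resp in responses:
        for user in resp.get("Users") or []:
            if (user.get("Email") or "").strip().lower() != wanted:
                continue
            findings.append({
                "entity": resp["OrgName"],
                "org_id": resp["OrgID"],
                "user_id": user["UserID"],  # USER_ID for the DELETE request
                "status": user["Status"],   # "active" or "invited"
                "roles": [r["Name"] for r in user.get("Roles") or []],
            })
    return findings


if __name__ == "__main__":
    for f in residual_access([ENTERPRISE, ORG_A, ORG_B], "leaver@example.com"):
        print(f"{f['entity']}: {f['status']} {f['user_id']} {f['roles']}")
```

Each finding needs its own DELETE request, sent with a token scoped to that entity. An empty result means the address no longer appears in any of the responses that were supplied.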