Manage users

To collaborate with others on projects in Astra, you can add users to your Astra organization.

To manage users, you need an application token or user role with the necessary permissions, such as the Organization Administrator role.

Add a user

  • Astra Portal

  • DevOps API

  • Add a user to an organization

  • Add a user to an enterprise

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to invite a user.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

  3. In the Settings navigation menu, click Users.

  4. Click Invite User.

  5. Enter the email address of the user you want to invite.

    The user must use this email address to sign in to Astra. If the user has an Astra account, make sure this email address matches the user’s existing account.

  6. Select the roles that you want to assign to the user.

    After the user accepts your invitation, you can edit their roles as needed.

  7. Click Invite User to send an email invitation to join your organization. For more information, see Accept the invite.

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization or enterprise, and then select your enterprise.

  3. In the Settings navigation menu, click Users.

  4. Click Invite User.

  5. Enter the user’s email address.

    The user must use this email address to sign in to Astra. If the user has an Astra account, make sure this email address matches the user’s existing account.

  6. Select enterprise roles to assign to the user.

  7. Click Invite User to send an email invitation to join your enterprise. For more information, see Accept the invite.

    Inviting a user to your enterprise does not add the user to any organizations in your enterprise. If a user requires enterprise and organization access, you must add them to the enterprise and each organization.

To invite a user to an organization, use PUT /v2/organizations/users:

curl -sS -L -X PUT "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "email": "USER_EMAIL",
  "orgID": "ORGANIZATION_ID",
  "roles": [
    "ROLE_ID",
    "ROLE_ID"
  ]
}'

Replace the following:

  • APPLICATION_TOKEN: Your application token.

  • USER_EMAIL: The user’s email address.

  • ORGANIZATION_ID: Your organization ID.

  • ROLE_ID: One or more roles to assign to the user. To get role IDs, use GET /v2/organizations/roles.

Accept the invite

To accept an invitation, the invited user must sign in to Astra with the same email address that received the invitation.

The user can log in through SSO, as long as their IdP profile, Google account, or GitHub account has the same email address as the Astra invitation. Alternatively, the user can create a new account with the same email address, and then log in to accept the invitation.

  • IdP

  • Google

  • GitHub

  • Username and password

You can sign in to the Astra Portal through your IdP if your Organization Administrator has enabled SSO.

Sign in to your IdP platform, select the Astra application, and then follow the prompts to sign in.

The first time you access the Astra application, you must review the DataStax terms and conditions.

Upon sign in, Astra determines if an account already exists for the email address associated with your sign-in credentials. If an account exists, you are signed in to your existing account. If an account does not exist, then Astra creates a new account automatically.

The default user session timeout is approximately two hours unless your administrator specifies a different timeout in the Astra application configuration in your IdP or your IdP has a different default timeout setting.

You can use your Gmail or Google Workspace account to create an Astra account and sign in to the Astra Portal.

The default user session timeout is approximately two hours.

You can use your GitHub account to create an Astra account and sign in to the Astra Portal.

To use GitHub for Astra authentication, you must have a public email address in your GitHub profile.

If you are a new user, make your email public before you create an Astra account.

If you are an existing user and you selected keep my email address private in your GitHub profile, you must make your email address public, and then change your password to switch to Astra local authentication. Alternatively, you can use another SSO option with the same email address as your GitHub account.

If you don’t want to make your email address public, you must use a different SSO option or username and password authentication.

The default user session timeout is approximately two hours.

If you can’t use SSO, you can sign in with a username and password.

If you don’t already have an Astra account under the email address that you were invited with, you must create a new account with that email address:

  1. Navigate to the Astra Portal.

  2. On the Sign In page, click Sign Up.

  3. Follow the prompts to create your account. Make sure to use the same email address that received the invitation.

  4. After you create your account, follow the link in the invitation email to accept the invitation.

  5. After you accept the invitation, you can switch to the organization that you were invited to.

The default user session timeout is approximately two hours.

Get a list of users

  • Astra Portal

  • DevOps API

  • Get users in an organization

  • Get users in an enterprise

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to remove a user.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

  3. In the Settings navigation menu, click Users.

    The User management page lists all users in the organization.

    The Admin flag indicates users with the Organization Administrator.

    The Invited status means the user has a pending invitation to join the organization.

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization or enterprise, and then select your enterprise.

  3. In the Settings navigation menu, click Users.

    The User management page lists all enterprise-level users.

    The Admin flag indicates users with the Enterprise Administrator.

    The Invited status means the user has a pending invitation to join the enterprise.

Use GET /v2/organizations/users to get information about all users in an organization:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

The response includes the user ID, email address, status, and roles for each user:

{
  "OrgID": "ORG_ID",
  "OrgName": "ORG_NAME",
  "Users": [
    {
      "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
      "Email": "USER_EMAIL",
      "Status": "active",
      "Roles": [
        {
          "ID": "ROLE_ID",
          "Name": "ROLE_NAME"
        }
      ]
    }
  ]
}

The invited status means an invitation was sent to the given Email, but the user hasn’t accepted the invitation.

Remove a user or revoke an invitation

Removing a user removes their access to your organization or enterprise, but it doesn’t delete their account.

The user retains their personal Astra account under their associated email address, including access to their default (personal) organization and any other organizations they belong to. The user can still access their personal Astra account, if they have access to the associated authentication method.

If your organization uses SSO, make sure that you also remove the user from your IdP, if necessary.

  • Astra Portal

  • DevOps API

  • Remove a user from an organization

  • Remove a user from an enterprise

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to remove a user.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

  3. In the Settings navigation menu, click Users.

  4. Find the user you want to remove, click More, and then select Delete.

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization or enterprise, and then select your enterprise.

  3. In the Settings navigation menu, click Users.

  4. Find the user you want to remove, click More, and then select Remove User.

    This removes the user from your enterprise only. If applicable, you must also remove the user from each organization in your enterprise.

You can use the DevOps API to remove a user from an organization.

  1. Use GET /v2/organizations/users to get the user ID of the user you want to remove:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    The response includes information for all users in the organization. Copy the UserID of the user you want to remove.

    {
  "OrgID": "ORG_ID",
  "OrgName": "ORG_NAME",
  "Users": [
    {
      "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
      "Email": "USER_EMAIL",
      "Status": "active",
      "Roles": [
        {
          "ID": "ROLE_ID",
          "Name": "ROLE_NAME"
        }
      ]
    }
  ]
}

  2. Use DELETE /v2/organizations/users to remove the user:

    curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

  3. Use GET /v2/organizations/users/USER_ID to verify the user was removed:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    A 404 Not Found status code indicates that the user was removed.

Edit a user’s role assignment

Follow these steps to change the roles that are assigned to a specific user.

For information about default roles, custom roles, and specific permissions, see Manage roles and permissions.

  • Astra Portal

  • DevOps API

  • Edit a user in an organization

  • Edit a user in an enterprise

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to edit a user.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

  3. In the Settings navigation menu, click Users.

  4. Find the user you want to edit, click More, and then select Edit User.

  5. Select the default and custom organization roles to assign to the user, and then click Update User.

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization or enterprise, and then select your enterprise.

  3. In the Settings navigation menu, click Users.

  4. Find the user you want to edit, click More, and then select Edit User.

  5. Select the default and custom enterprise roles to assign to the user, and then click Update User.

You can use the DevOps API to edit the roles assigned to a user in an organization.

A user’s role list is a desired state list. When you use the DevOps API to edit a user’s roles, you must include all roles that you want the user to have. This includes all currently assigned roles you want to keep plus any new roles you want to add.

  1. Use GET /v2/organizations/users to get the user ID of the user you want to edit:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    The response includes information for all users in the organization. Copy the UserID of the user you want to edit.

    {
  "OrgID": "ORG_ID",
  "OrgName": "ORG_NAME",
  "Users": [
    {
      "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
      "Email": "USER_EMAIL",
      "Status": "active",
      "Roles": [
        {
          "ID": "ROLE_ID",
          "Name": "ROLE_NAME"
        }
      ]
    }
  ]
}

  2. Use GET /v2/organizations/users/USER_ID to get the roles currently assigned to the user:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    The response includes information for the specified user. In the Roles object, copy the ID of each currently assigned role that you want to keep. You don’t need the ID for roles that you want to remove from the user.

    {
  "UserID": "USER_ID",
  "Email": "USER_EMAIL",
  "Status": "active",
  "Roles": [
    {
      "ID": "ad0566b5-2a67-49de-89e8-92258c2f2c98",
      "Name": "Organization Administrator"
    }
  ]
}

  3. If you want to assign new roles to this user, use GET /v2/organizations/roles to get the IDs for those roles:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/roles" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    The response includes information about all default and custom roles in your organization. Copy the id for each role that you want to assign to the user.

    Result

    The following example is truncated for clarity.

    [
  {
    "id": "b4ed0e9e-67e8-47b6-8b58-c6629be961a9",
    "name": "R/W Svc Acct",
    "policy": {
      "description": "R/W Svc Acct",
      "resources": [
        ...
      ],
      "actions": [
        ...
      ],
      "effect": "allow"
    },
    "last_update_date_time": "0001-01-01T00:00:00Z",
    "last_update_user_id": ""
  },
  {
    "id": "43745b73-ad46-46e4-b826-c15d06d2cea0",
    "name": "Admin User",
    "policy": {
      "description": "Admin User",
      "resources": [
        ...
      ],
      "actions": [
        ...
      ],
      "effect": "allow"
    },
    "last_update_date_time": "0001-01-01T00:00:00Z",
    "last_update_user_id": ""
  },
]

  4. Use PUT /v2/organizations/users/USER_ID/roles to edit the user’s assigned roles. The body is a roles array containing a comma-separated list of role ID strings.

    The roles array is a desired state list. You must include all roles that you want the user to have, including currently assigned roles and new roles.

    curl -sS -L -X PUT "https://api.astra.datastax.com/v2/organizations/users/USER_ID/roles" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
-- data '{
  "roles": [
    "ROLE_ID",
    "ROLE_ID"
  ]
}'

    A successful request returns a 204 No Content status code.

  5. Optional: To review the user’s updated role list, use GET /v2/organizations/users/USER_ID.

See also

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com