Skip to main content
Manage team members, assign permissions, and control who has access to your Orion tenant. Users and Groups are managed from the same page.

Accessing User Management

User Management is available to tenant Admins. To access it:
  1. Click your username in the bottom-left corner
  2. Select Manage Users
The page has two tabs: Users (everyone in the tenant) and Groups (groups of users that share access to projects, data, and knowledge).
Manage Users page on the Users tab, with columns for User, Role, Project Access, and Groups
The Users table shows each user’s tenant role, the number of projects they can access, and the groups they belong to. Use the search box to filter by name, email, role, or project.

Inviting New Users

To invite a new team member to your Orion tenant:
  1. Navigate to Settings → Manage Users
  2. From the Users tab, click Invite user
  3. Enter the new user’s email address
  4. Choose the appropriate role
  5. Send the invitation
The new user will receive an email with instructions to complete their account setup. See User Onboarding & Invitations for more details.
To onboard a new user directly into a group, invite them from inside that group instead. Open the group, click Add member, then Invite by email — the invitee is automatically added to the group with the role you pick on first login. See Groups for details.

Tenant Roles

Every user has a tenant role that defines their baseline permissions across the entire tenant.

Admin

Full control of the tenant. Can invite users, create and manage groups, connect data sources, and assign users to projects.

Analyst

Can do just about anything within a project — chat, run analyses, and share projects. Cannot add existing users to other projects directly.

Viewer

Read-only access to approved projects and content. Cannot run analyses or make changes.
Carefully consider permission levels when inviting users, especially for administrative roles.

Tenant roles vs. group roles

If you use Groups, each user also has a group role in every group they belong to (Group Admin, Group Analyst, or Group Viewer). Group roles are independent of tenant roles and only apply inside that group — so a tenant Viewer can still be a Group Admin in a group they manage. For a side-by-side comparison of all six roles, see Groups → Roles at a Glance.

User Management Tasks

Administrators can:
  • Invite new users — add team members to the tenant
  • Assign tenant roles — control each user’s baseline permissions
  • Manage group membership — see which groups a user belongs to and their role in each
  • Modify permissions — update existing user roles
  • Deactivate users — remove user access while preserving history
  • Remove users — completely delete user accounts
  • Sudo as a user — temporarily act as another user to troubleshoot issues from their point of view

Best Practices

Follow the principle of least privilege: grant users the minimum permissions they need to do their job. For tenants using Groups, prefer group membership over direct project access — it’s easier to audit and easier to revoke when someone’s role changes.