Access (project-level IAM)
The Access tab is the project-scoped view of who can do what inside this specific project. It's the per-project counterpart to Organization → Members, and where most day-to-day IAM management actually happens.
For the IAM model and role definitions, see Roles & permissions. This page is about the Console mechanics — the page itself, what to click, common workflows.
Overview
Access tab — every member of this project, plus their project role, plus tag-scoped restrictions if any.
Four sub-tabs:
| Sub-tab | What lives here |
|---|---|
| Members | Users and service accounts assigned to this project, with their project-level role |
| Roles | The role catalog — built-in (Project Admin / Member / Read-only) + custom roles defined for this project |
| API tokens | Tokens scoped to this project (subset of the org-wide token list) |
| Activity | Recent access events: sign-ins, role changes, token issuance |
Administration
Adding a project member
Members → + Add member:
- Person — type the email of an existing org member (autocomplete shows matches)
- Role — Project Admin / Member / Read-only / a custom role
- Tag scope (optional, custom roles only) — restrict to resources with specific tags
- Note — short audit-friendly comment
Click Add. The user gets an email notification (subject to org-level settings) and immediate access.
Org membership comes first
You can only add to a project someone who is already a member of the parent organization. If you need to grant project access to a new person, invite them to the org first — see Users.
Changing a member's project role
Click the member's row → Change role → pick the new role. Effect is immediate — their next API call uses the new permissions.
Removing a project member
Member row → ⋯ → Remove from project. The user keeps their org-level membership; only their project access goes away.
For their tokens scoped to this project: a "soft revocation" runs after 24 hours unless you immediately click Revoke their project tokens.
Bulk operations
Tick multiple member rows for bulk role changes or removal — useful when reorganizing teams.
Custom roles in this project
Custom roles defined at the project level (or inherited from the org) appear in the Roles sub-tab. You can:
- View built-in role definitions (read-only)
- Define new project-scoped custom roles (preview)
- Edit existing custom roles
- View which members hold each role
A custom role can be scoped by tag selector — "this role only applies to resources with team=ml" — useful for fine-grained delegation.
Project API tokens
The API tokens sub-tab shows tokens that have access to this project, regardless of which user owns them. Useful for:
- Auditing what's currently authorised
- Revoking a leaked token without finding the owner first
- Confirming a service account is tokenised correctly for CI/CD
Issue new project tokens from this tab or from an individual user's Account → API tokens page.
Activity feed
The Activity sub-tab is a project-scoped slice of the audit log:
- Sign-ins (with method: password / SSO / token)
- Role assignments
- Token issuance / revocation
- Failed auth attempts
For the full audit log including every API call, go to Account → Settings → Audit log at the org level (covered in Operational basics → Audit logs, coming next).
Operation
Common day-to-day workflows
| Scenario | Click path |
|---|---|
| New developer joins, needs full access to the dev project | Org → invite as Member; Project (dev) → Access → +Add → role Member |
| Contractor needs read-only audit access for 2 weeks | Org → invite as Read-only with expiry; Project → Access → +Add → role Read-only with tag scope environment=prod |
| Promote a Senior to project lead | Project → Access → ⋯ on their row → Change role → Project Admin |
| Off-board a leaver | Org → Members → suspend; their project access is auto-suspended too |
| Rotate a CI service account | Service account → Tokens → +New token; deploy; revoke old |
| Investigate "who created this resource?" | Activity tab → filter by resource ID |
Default policy template
When you create a new project, Cloud Digit can pre-fill member assignments from a policy template: org Admins get Project Admin automatically; all org Members get Member by default. Configure templates per org in Org Settings → Defaults → Project membership template.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| User can sign in but doesn't see the project | Org member but not added to the project | Add them on the Access tab |
| User can see the project but every action fails with 403 | Their role doesn't include the required permission | Confirm role; check the permission matrix |
| User removed from project still has API tokens working | Soft-revocation 24h grace window; or service-account tokens not auto-revoked | Click Revoke project tokens explicitly |
| Custom role's tag scope not enforced | Resources don't carry the expected tags | Confirm tagging policy is enforced at create-time; back-fill tags |
| Activity feed missing entries | Project-scoped filter too narrow; or audit-log retention | Switch to org-level audit log; check retention setting |
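The token behaviour after a member is removed (24-hour soft revocation, service-account tokens not auto-revoked) can be checked offline. The following is an added example, not Cloud Digit code: it classifies still-active tokens in a constructed snapshot of the API tokens sub-tab against the project's member removals. The record layout, field names and reason labels are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # soft-revocation window stated on this page
UTC = timezone.utc

# Constructed sample snapshot. Field names are assumptions for illustration,
# not a Cloud Digit export format.
MEMBERS = {"alice@example.com", "ci-deploy"}
REMOVED_AT = {  # principal -> time it was removed from the project
    "bob@example.com": datetime(2024, 5, 1, 9, 0, tzinfo=UTC),
    "carol@example.com": datetime(2024, 4, 28, 9, 0, tzinfo=UTC),
    "old-ci": datetime(2024, 4, 20, 9, 0, tzinfo=UTC),
}
TOKENS = [
    {"id": "tok-1", "owner": "alice@example.com", "kind": "user", "revoked": False},
    {"id": "tok-2", "owner": "bob@example.com", "kind": "user", "revoked": False},
    {"id": "tok-3", "owner": "carol@example.com", "kind": "user", "revoked": False},
    {"id": "tok-4", "owner": "old-ci", "kind": "service_account", "revoked": False},
    {"id": "tok-5", "owner": "bob@example.com", "kind": "user", "revoked": True},
    {"id": "tok-6", "owner": "mallory@example.com", "kind": "user", "revoked": False},
]

def audit_tokens(tokens, members, removed_at, now):
    """Return (token_id, reason) for every active token whose owner is not a current member."""
    findings = []
    for tok in tokens:
        if tok["revoked"] or tok["owner"] in members:
            continue  # revoked already, or owner still has project access
        removed = removed_at.get(tok["owner"])
        if removed is None:
            reason = "no-membership-record"  # owner was never seen on this project
        elif tok["kind"] == "service_account":
            reason = "service-account-not-auto-revoked"  # needs explicit revoke
        elif now - removed < GRACE:
            reason = "within-grace-window"  # soft revocation has not run yet
        else:
            reason = "past-grace-still-active"  # should be gone: escalate
        findings.append((tok["id"], reason))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)
    for token_id, reason in audit_tokens(TOKENS, MEMBERS, REMOVED_AT, now):
        print(f"{token_id}: {reason}")
```

Every token this reports is a candidate for an explicit Revoke project tokens click; `past-grace-still-active` and `no-membership-record` are the ones to investigate first.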
Related
- Roles & permissions — role definitions and full permission matrix
- Users — org-level membership
- API tokens & service accounts
- Compliance & sovereignty
- SIEM — pushes Access events for full audit