Organisations, Users, And Teams
Manage tenant structure, memberships, invitations, and RBAC responsibilities.
Organisations are the top-level tenant boundary. Users belong to an organisation, teams belong to an organisation, and most governed resources are scoped to an organisation.
Roles
Odock uses four platform roles:
| Role | Scope |
|---|---|
| SUPER_ADMIN | Global platform administration |
| ORG_ADMIN | Full control inside one organisation |
| MANAGER | Team-oriented control inside one organisation |
| USER | Self-service and read-oriented access |
Team membership also has a role:
| Team member role | Meaning |
|---|---|
| MANAGER | Manages that team for RBAC conditions |
| MEMBER | Belongs to that team |
User Status
Users can be:
| Status | Meaning |
|---|---|
| ACTIVE | User can use the platform |
| PENDING | User has not yet been approved or completed access |
| REVOKED | User access is disabled |

The RBAC condition helpers also use active, pending, and inactive terminology, but the database enum in use is ACTIVE, PENDING, and REVOKED.
Organisations
An organisation has:
- name,
- contact,
- status,
- branding JSON,
- policies JSON,
- providers,
- provider keys,
- models,
- MCP servers,
- teams,
- users,
- API keys,
- budgets,
- quotas,
- usage records.
The policies JSON is important because organisation-level routing enablement lives at:
```json
{
  "routing": {
    "enabled": true
  }
}
```

The same column may also hold governance policies depending on the UI path used to edit it.
Teams
Teams group users and can own:
- team members,
- team-scoped API keys,
- budgets,
- quotas,
- usage records,
- MCP servers.
Team policies can also hold rate-limit/IP policy JSON. When the gateway resolves rate-limit policy for a request, team scope is evaluated after organisation scope and before API key scope.
Invitations
Invitations support:
- joining an existing organisation,
- creating an organisation draft,
- pending, accepted, revoked, and expired status,
- token hash storage,
- invited-by and accepted-by tracking.
Invitation API routes exist under both global and organisation paths, with public acceptance and completion routes under /api/invitations.
Practical Setup Order
For a new organisation:
- Create the organisation.
- Create or approve the organisation admin user.
- Create teams if the organisation needs team boundaries.
- Add users and team memberships.
- Configure providers and provider keys.
- Configure models.
- Create API keys for organisation, teams, or users.
- Grant API keys access to models and MCP servers.
- Add rate-limit policies, budgets, and quotas.
- Validate traffic through the playground.
- Monitor usage records and observability dashboards.
RBAC Behaviors To Remember
- SUPER_ADMIN can use /admin/* and can access organisation workspaces.
- Non-super admins cannot use /api/admin/*.
- Organisation routes require the path organisation to match the user's organisation.
- Managers need team context to create, update, or delete many team-owned resources.
- The server gateway does not use UI RBAC. Runtime client access is enforced by API keys, model/MCP grants, policies, budgets, quotas, and safety checks.
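
The UI/API rules above, written as a single deny-by-default check. This is an added example, not Odock's own code: the `/api/organisations/<org_id>/...` route shape, the `User` fields, the `authorize` function, and the reading of "team context" as holding the MANAGER team-member role in the named team are all assumptions made for illustration. It does not model the gateway, which relies on API keys, grants, policies, budgets, and quotas instead.

```python
from dataclasses import dataclass, field

WRITE_ACTIONS = {"create", "update", "delete"}

@dataclass
class User:
    role: str      # SUPER_ADMIN | ORG_ADMIN | MANAGER | USER
    status: str    # ACTIVE | PENDING | REVOKED
    org_id: str
    team_roles: dict = field(default_factory=dict)  # team_id -> MANAGER | MEMBER

def authorize(user, path, action="read", team_id=None):
    """Return (allowed, reason) for a UI/API request; anything unmatched is denied."""
    # PENDING and REVOKED users are rejected before any role is considered.
    if user.status != "ACTIVE":
        return False, "user is not ACTIVE"
    # Expects the router-normalised path (no '..' or encoded separators left in it).
    parts = [p for p in path.split("/") if p]
    # /admin/* and /api/admin/* are reserved for SUPER_ADMIN.
    if parts[:1] == ["admin"] or parts[:2] == ["api", "admin"]:
        if user.role == "SUPER_ADMIN":
            return True, "super admin on admin route"
        return False, "admin routes require SUPER_ADMIN"
    # Assumed organisation route shape: /api/organisations/<org_id>/...
    if parts[:2] == ["api", "organisations"] and len(parts) >= 3:
        if user.role == "SUPER_ADMIN":
            return True, "super admin may enter organisation workspaces"
        # Tenant boundary: the organisation in the path must be the user's own.
        if parts[2] != user.org_id:
            return False, "path organisation does not match user's organisation"
        if user.role == "ORG_ADMIN":
            return True, "org admin inside own organisation"
        if action in WRITE_ACTIONS:
            # Assumed reading of "team context": the caller names a team in which
            # they hold the MANAGER team-member role.
            if user.role == "MANAGER" and user.team_roles.get(team_id) == "MANAGER":
                return True, "manager of the target team"
            return False, "write needs ORG_ADMIN or manager team context"
        return True, "read inside own organisation"
    return False, "no matching rule"

if __name__ == "__main__":
    # Constructed sample users and requests.
    mgr = User("MANAGER", "ACTIVE", "org-a", {"team-1": "MANAGER", "team-2": "MEMBER"})
    print(authorize(mgr, "/api/organisations/org-a/teams/team-1/keys", "create", "team-1"))
    print(authorize(mgr, "/api/organisations/org-b/teams", "read"))
    print(authorize(mgr, "/api/admin/users", "read"))
```

The organisation comparison uses the identifier taken from the request path, so a handler that later reads an organisation id from the body or query string needs the same check applied to that value.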