Skip to content

Elevating IaC Workflows with Spacelift Stacks and Dependencies 🛠️

Register for the July 23 demo →

User Management»

Spacelift is made for collaboration. In order to collaborate, you need collaborators. User Management is an easy way to invite new members to your organization and manage their permissions, together with third-party integrations and group access. If you prefer to write a policy rather than using our UI, please check out Login Policies.


User Management doesn't affect GitHub organization or SSO admins and private account owners who always get admin access to their respective Spacelift accounts. This is to avoid a situation where a mistake in User Management locks out everyone from the account.


User Management works by setting one of the following roles for users, groups and integrations for selected Spaces.

  • Read - cannot create or modify stacks or any attachable entities, but can view them
  • Write - can perform actions like triggering runs, but cannot create or modify Spacelift resources
  • Admin - can create and modify stacks and attachable entities, as well as trigger runs


Users are individuals invited through their email and authenticated using your account's Identity Provider. Users can have personal permissions assigned.

IdP group mapping»

Group is a group of users as provided by your Identity Provider. If you assign permissions to a Group, all users that your Identity Provider reports as being members of a given group will have the same access, unless the user's permissions are higher than the ones they would get from being a member of a Group.

Invitation process»

New users can be invited through email by account admins and owners. Detailed instructions can be found on the Admin page of this documentation.

Once a user is invited, they will receive an email from Spacelift that will take them to your identity provider page.

invitation email containing a button to accept the invitation

Once the user authenticates with your identity provider, they will be redirected to the application.

Migrating from Login Policy»

If you were previously using Login Policy you can queue invites to User Management for your users while still having Login Policy enabled. Once you switch to the User Management strategy, the invites will be sent to your users' emails and allow them to sign in through your Identity Provider. Remember, that you can always go back if it turns out something was misconfigured.