Members & roles — bRRAIn Docs

Inviting members, changing roles, configuring SSO and SCIM, and managing service accounts in the Console.

Members & roles

The Members page in the Console is the single place to manage who has access to your organization and at what level.

The members table

The page opens to a table with one row per member. Columns:

  • Name — display name, with the email shown beneath in muted text.
  • Role — current role (one of seven; see Roles & permissions).
  • Scope — the zones, projects, or time-bounds limiting the role. "Organization-wide" if unrestricted.
  • MFA — green check if any MFA channel is enrolled, amber warning if not.
  • Last active — when this member last took an action.
  • Status — Active, Pending invitation, or Suspended.

You can sort by any column and filter with the search bar at the top. The filter is fuzzy — "ar" finds Archana, Arjun, and anyone with "ar" in their email.

Inviting members

Click + Invite member:

  1. Enter the email address. Multiple addresses can be comma-separated for bulk invites.
  2. Choose the role. The picker shows only roles you can grant (you can't grant a role higher than your own).
  3. Optionally add a scope:
    • Restrict to specific zones (one or many).
    • Restrict to a project tag.
    • Restrict to a time window (start date / end date).
  4. Optionally add a welcome message that appears in the invitation email.
  5. Send.

Pending invitations show in the table immediately. The recipient gets an email with a one-time accept link valid for 14 days. You can resend or revoke from the row's action menu.

Changing a role

Click the role pill on any row, pick the new role, confirm. The change is effective immediately.

You can't:

  • Change a role higher than your own.
  • Demote yourself.
  • Demote the last Sovereign (the system enforces having at least one Sovereign at all times).

Role changes appear in the audit log with both the old and new role and the actor.

Removing a member

Click the row action menu and pick Remove from organization. You'll be asked to confirm. The removed member loses access immediately. Any records they authored stay with the organization; their authorship is preserved.

If they're a Sovereign, you must transfer ownership to another Sovereign first.

Suspending a member

Suspend a member when you want to pause access without removing them entirely. This is common during HR holds, suspected account compromise, or off-boarding investigations.

Suspended members can't sign in (they get a clear "your account is suspended" message), but they remain in the table and their authored data stays attributed. Unsuspend at any time from the same row.

Single sign-on (SSO)

SSO is available on Business and Enterprise tiers.

To enable:

  1. Go to Settings → Authentication → SSO.
  2. Pick your identity provider (Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, Ping, generic SAML 2.0).
  3. Follow the provider-specific setup wizard.
  4. Verify your domain ownership via DNS TXT record.
  5. Enable the SSO policy. You can run it side-by-side with password sign-in (recommended for the first few weeks) or enforce SSO-only.

Once enabled, members of your domain authenticate against your IdP and are mapped to bRRAIn members by email. SSO satisfies bRRAIn's MFA requirement automatically if your IdP enforces MFA.

SCIM provisioning

Available on the same tiers as SSO. SCIM lets your IdP push member create / update / delete events to bRRAIn so you don't have to manage two member lists.

From Settings → Authentication → SCIM, generate a SCIM token and paste it into your IdP's SCIM configuration. We recommend mapping IdP groups to bRRAIn roles via the group-to-role mapping table on that page.

SCIM sync runs continuously. New IdP users appear in your members table within seconds. IdP-side deactivation deactivates the bRRAIn member.

Service accounts (non-human members)

A service account is a member without a human behind it — used for automation, CI pipelines, robots, IoT devices, and SDK integrations.

From the Members page, click + Add service account:

  1. Pick a name and a role.
  2. Choose the scope (often narrower than human members — single zone, single action set).
  3. Decide on an expiry: never, fixed date, or rotation interval.
  4. Generate the credentials. You'll see them once; copy them into your secrets store before closing the dialog.

Service accounts don't have email or MFA. They authenticate via long-lived bearer tokens or short-lived OIDC tokens (recommended for CI). All service-account actions are audit-logged with the account's name as the actor.

Bulk operations

Select multiple rows with the checkboxes:

  • Bulk role change.
  • Bulk scope change.
  • Bulk suspend or unsuspend.
  • Bulk remove.

Bulk operations create a single audit-log entry with the list of affected members.

Member directory export

A Sovereign can export the full member list as CSV from Settings → Export. The export includes everything in the table plus role-grant timestamps and invitation metadata.
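
One way to review the exported member list for access-hygiene gaps, as an added example that is not part of bRRAIn or its documentation. The CSV column names, the value formats, the `Member` role name and the 90-day threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names and value formats are assumptions;
# adjust them to match the header row of your real CSV. "Member" is a
# placeholder role name; only "Sovereign" is taken from the page.
SAMPLE_CSV = """name,email,role,scope,mfa,last_active,status
Archana,archana@example.com,Sovereign,Organization-wide,no,2024-05-30,Active
Arjun,arjun@example.com,Member,zone:finance,yes,2024-01-10,Active
Mei,mei@example.com,Member,Organization-wide,no,2024-05-01,Suspended
ci-deploy,,Member,zone:build,no,2024-06-01,Active
Tomas,tomas@example.com,Member,zone:ops,no,,Pending invitation
"""

STALE_AFTER_DAYS = 90  # assumed review threshold, not a product setting


def audit_members(csv_text, today):
    """Return a sorted list of (name, finding) pairs for rows needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "Active":
            continue  # skip suspended members and unaccepted invitations
        # Assumption: service accounts export with an empty email column,
        # since they have no email or MFA to report.
        is_human = bool(row["email"])
        if is_human and row["mfa"].strip().lower() != "yes":
            if row["role"] == "Sovereign":
                findings.append((row["name"], "sovereign-without-mfa"))
            else:
                findings.append((row["name"], "no-mfa"))
        if row["last_active"]:
            idle = (today - date.fromisoformat(row["last_active"])).days
            if idle > STALE_AFTER_DAYS:
                findings.append((row["name"], "stale"))
        if not is_human and row["scope"] == "Organization-wide":
            findings.append((row["name"], "unscoped-service-account"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_members(SAMPLE_CSV, date(2024, 6, 15)):
        print(f"{finding:24} {name}")
```
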
