Manage user access to Cloud environments

You can manage access to Magento Commerce Cloud projects by adding users and assigning roles. Assign project-level roles to provide access to the entire project, and environment-level roles to set permissions per available environment. You can only add users that have a registered Magento account.

Adding or updating a user for a Magento Commerce Cloud environment triggers a site deployment, which takes your site offline until deployment completes. For Production environments, we recommend completing user administrative tasks during off-peak hours to prevent service disruptions.

Account owner role

The License Owner is the only user with the Account Owner role. This user can perform any task in any project or environment, including deleting it. The account is associated with the email address, name, and information for the person who registered the Magento Commerce Cloud account through the account creation process.

The account has super user access and additional capabilities for managing all aspects of your project and environments.

You cannot modify settings for the Account Owner user. If you need to change the Account Owner, submit a Magento Support ticket.

Project-level roles

You can assign the following project-level roles to users:

  • The Super user role grants administrator access to all environments. Users with this role can change settings and execute actions on any environment, including creating and restoring snapshots.

  • The Project reader role grants view access to all environments in a project. Users with this role cannot execute actions on any environment. However, you can update the configuration on each environment to add environment-level permission for users with Project reader access.

Environment-level roles

You can configure environment-level permissions for users with Project reader access, or add users to each environment and assign any of the following roles:

  • The Admin role grants access to change settings and execute actions on an environment, including merging with the parent environment.

  • The Contributor role grants access to push code to an environment and branch the environment.

  • The Reader role, also referred to as the viewer role, grants view-only access to an environment.

Role management best practices

  • We recommend that you limit the project Super user role and environment Admin roles to as few users as possible.

  • When a development team works on a project, the team leader can be the project administrator who decides which roles to assign to team members. For example, the team lead might assign one team member as a Contributor to one environment, assign another as an Admin on a different environment, and assign the Reader role to the customer on the master environment.

  • Assign the Contributor role to users who require view access to an environment as well as the capability to commit code and branch the environment.

An environment contributor can push code to the environment, but that user role does not have SSH access to the environment. By default, only environment administrators have SSH access. You can change this behavior by updating the access configuration in the .magento.app.yaml file to include ssh: contributor.

Manage users with the CLI

You can use the Magento Commerce Cloud command line client to manage users and integrate this with any other automated system.

Available commands:

  • magento-cloud user:add – add a user to the project
  • magento-cloud user:delete – delete a user
  • magento-cloud user:list [users] – list project users
  • magento-cloud user:role – view or change the user role

The following examples show how to add a user and configure the project-level and environment-level roles, and how to modify project assignments and assigned user roles.

Add a user and assign roles:

  1. Add the user:

    magento-cloud user:add
    
  2. Follow the prompts to specify the user email address, set the project and environment roles, and add the user:

    Enter the user's email address: alice@example.com
    
    Email address: alice@example.com
    
    The user's project role can be 'viewer' ('v') or 'admin' ('a').
    Project role [V/a]: a
    The user's environment-level roles can be 'viewer', 'contributor', or 'admin'.
    development environment role [V/c/a]: c
    Summary:
      Email address: alice@example.com
      Project role: contributor
    Adding users can result in additional charges.
    Are you sure you want to add this user? [Y/n]
    Adding the user to the project
    

    This operation triggers the Cloud build and deploy process, which takes your site offline until deployment completes. For Production environments, we recommend completing this operation during off-peak hours to prevent service disruptions.

    After you add the user, Magento sends an email to the specified address with instructions for accessing the Magento Commerce Cloud project.

The following example changes the environment-level role that is assigned to a user:

magento-cloud user:role alice@example.com --level environment --environment development --role admin

To list the available magento-cloud CLI commands, use the magento-cloud list command.
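
The role management best practices above (few Super users and Admins, and awareness of who gains SSH access when the access configuration includes ssh: contributor) can be checked automatically. The following shell function is an added example, not part of the Magento documentation or CLI; the audit_roles and sample_roles names and the CSV layout email,level,environment,role are assumptions, not the output format of magento-cloud user:list.

```shell
#!/bin/sh
# Added example: audit role assignments against the least-privilege guidance.
# Input (stdin): constructed CSV "email,level,environment,role". This layout
# is an assumption, not the output format of magento-cloud user:list.

# audit_roles MAX_PRIVILEGED [SSH_LEVEL]
#   MAX_PRIVILEGED  highest acceptable number of distinct users holding the
#                   project admin (Super user) role or an environment Admin role
#   SSH_LEVEL       'admin' (default) or 'contributor', mirroring the access
#                   setting in .magento.app.yaml
# Prints one finding per line; returns 1 when the privileged count exceeds the limit.
audit_roles() {
    awk -F, -v max="$1" -v ssh="${2:-admin}" '
        NF != 4 { next }                      # skip blank or malformed rows
        $2 == "project" && $4 == "admin" {
            priv[$1] = 1
            print "SUPERUSER " $1 " (admin on every environment)"
        }
        $2 == "environment" && $4 == "admin" {
            priv[$1] = 1
            print "ENV-ADMIN " $1 " on " $3
        }
        # Contributors gain SSH only when the access setting is ssh: contributor.
        $2 == "environment" && $4 == "contributor" && ssh == "contributor" {
            print "SSH-CONTRIB " $1 " on " $3
        }
        END {
            n = 0
            for (u in priv) n++               # count distinct privileged users
            print "PRIVILEGED " n " limit " max
            exit (n > max ? 1 : 0)
        }'
}

# Constructed sample assignments (not real users).
sample_roles() {
    cat <<'EOF'
alice@example.com,project,-,admin
alice@example.com,environment,development,admin
bob@example.com,project,-,viewer
bob@example.com,environment,development,contributor
carol@example.com,environment,master,admin
dave@example.com,environment,master,viewer
EOF
}

sample_roles | audit_roles 2
```

The non-zero return status lets a scheduled job or pipeline step fail when the number of privileged users grows past the agreed limit.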

Manage users from the Project Web UI

You can add project-level and environment-level users from the Project Web UI, and use the Edit feature to modify permissions for an existing user. After you add a user, the user receives an email inviting them to join the Magento Commerce Cloud project with instructions for account registration and email verification.

Access the Project Web UI to add users:

  1. Log in to your Magento Commerce Cloud account.

  2. Click the Projects tab as the following figure shows.

    Click the projects tab to access your Cloud project

  3. Click the name of your project to open the Cloud project portal (Onboarding UI).

  4. Click Infrastructure access, and then click the Project Access (Web UI) link.

    Cloud project portal

  5. In the Project Web UI, add project-level users and environment-level users as needed.

Add a project-level user:

  1. In the Project Web UI, click the configure project gear icon next to the project name in the top navigation bar.

    Configure the project

  2. In the Users tab, click Add User.

    Start creating users

  3. Complete the Add User form:

    Add users

    • Enter the user e-mail address.

    • Select the access for the account:

      For a project administrator account, select the Super User checkbox. This provides Admin rights for all settings and environments. If not selected, the account has only view options for all project environments.

    • Select permissions per specific environment (or branch) in the Integration environment: No access, Admin (change settings, execute action, merge code), Contributor (push code), or Reader (view only). When you add active environments, you can modify permissions per user.

  4. Click Add User.

    After you add project-level users, you must redeploy all environments to apply the changes. Adding a project user does not trigger the redeploy automatically.

Add an environment-level user:

  1. In the Project Web UI, select the environment, and then click the configure environment settings icon next to the environment name.

    Configure the environment

  2. Click the Users tab, then click Add User.

  3. Complete the Add User form:

    Add the user

    • Enter the user email address.

    • Select the user role from the dropdown menu: Admin, Contributor, or Reader.

    • Click Add User.

This operation triggers the Cloud build and deploy process, which takes your site offline until deployment completes. For Production environments, we recommend completing this operation during off-peak hours to prevent service disruptions.