Organizations & Teams
Multi-tenancy, roles, RBAC, invitations, and API keys
Organizations are the top-level container in oCore. They provide multi-tenant isolation, role-based access control, and team collaboration features. Every resource in oCore -- servers, projects, instances, deployments -- belongs to exactly one organization.
Multi-tenancy model
oCore is designed for multi-tenant operation. Each organization is completely isolated from others:
- Data isolation -- All database queries are scoped to the current organization using Ent privacy rules. Users cannot access resources in organizations they don't belong to.
- Resource isolation -- Servers, projects, instances, and deployments belong to a single organization.
- User membership -- A user can belong to multiple organizations, each with a different role.
When a user selects an organization in the dashboard, all API requests are automatically scoped to that organization through the tenant middleware.
Organization structure
An organization contains:
| Resource | Description |
|---|---|
| Members | Users with assigned roles |
| Roles | Permission sets defining what members can do |
| Servers | Linux machines managed by oCore |
| Projects | Groupings of environments and instances |
| Settings | Organization-level configuration |
| API keys | Keys for programmatic API access |
Roles and permissions
oCore uses role-based access control (RBAC) to manage permissions within an organization. Each organization has four built-in system roles:
| Role | Description | Typical use |
|---|---|---|
| Owner | Full access to all resources and organization settings, including billing, member management, and destructive operations | Organization creator, primary administrator |
| Admin | Full access to resources (servers, projects, instances) and member management. Cannot delete the organization or transfer ownership. | IT administrators, team leads |
| Developer | Can manage projects, environments, instances, and deployments. Cannot manage servers or organization settings. | Developers, Odoo consultants |
| Viewer | Read-only access to all resources. Cannot create, modify, or delete anything. | Stakeholders, clients, auditors |
Permission matrix
| Action | Owner | Admin | Developer | Viewer |
|---|---|---|---|---|
| View all resources | Yes | Yes | Yes | Yes |
| Manage servers | Yes | Yes | No | No |
| Manage projects | Yes | Yes | Yes | No |
| Deploy instances | Yes | Yes | Yes | No |
| Manage members | Yes | Yes | No | No |
| Manage roles | Yes | Yes | No | No |
| Organization settings | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
System roles are cloned into each organization during creation, so each organization holds its own independent copy of the role definitions. A future customization of one organization's roles therefore cannot affect any other organization.
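The tenant scoping described under Multi-tenancy model and the permission matrix above are two halves of one authorization decision: first resolve the caller's membership in the selected organization, then check the role's grant for the action, and fail closed whenever either step has nothing to say. The Go program below is an added illustration written for this page, not oCore's code (oCore enforces the data-layer scoping with Ent privacy rules, which are not reproduced here). The organization and user IDs, the server table, and the `Scope`, `Authorize` and `DeleteServer` names are all constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

type Role string
type Action string

const Owner, Admin, Developer, Viewer Role = "owner", "admin", "developer", "viewer"

const ViewResources, ManageServers, ManageProjects Action = "view_resources", "manage_servers", "manage_projects"
const DeployInstances, ManageMembers, ManageRoles Action = "deploy_instances", "manage_members", "manage_roles"
const OrgSettings, DeleteOrg, TransferOwner Action = "org_settings", "delete_org", "transfer_ownership"

// systemRoles encodes the permission matrix above; anything not listed is denied.
var systemRoles = map[Role][]Action{
	Owner:     {ViewResources, ManageServers, ManageProjects, DeployInstances, ManageMembers, ManageRoles, OrgSettings, DeleteOrg, TransferOwner},
	Admin:     {ViewResources, ManageServers, ManageProjects, DeployInstances, ManageMembers, ManageRoles},
	Developer: {ViewResources, ManageProjects, DeployInstances},
	Viewer:    {ViewResources},
}

// Org owns a private copy of the role definitions plus its membership list.
type Org struct {
	ID      string
	Roles   map[Role]map[Action]bool
	Members map[string]Role // user ID -> role in this organization
}

// NewOrg builds fresh permission maps per organization (the cloning described above), so customizing one organization's roles can never change another's.
func NewOrg(id string) *Org {
	o := &Org{ID: id, Roles: map[Role]map[Action]bool{}, Members: map[string]Role{}}
	for r, actions := range systemRoles {
		o.Roles[r] = map[Action]bool{}
		for _, a := range actions {
			o.Roles[r][a] = true
		}
	}
	return o
}

// Can is false for unknown roles and unknown actions (nil-map lookups), so it fails closed.
func (o *Org) Can(r Role, a Action) bool { return o.Roles[r][a] }

type viewer struct{ UserID string; Org *Org; Role Role } // tenant context attached to a scoped request
type viewerKey struct{}

var ErrNotFound = errors.New("not found")       // unknown org, non-member, or resource outside the viewer's org
var ErrDenied = errors.New("permission denied") // the role does not grant the action

// Scope is the tenant-middleware step: resolve the caller's membership in the selected organization and attach the viewer.
func Scope(ctx context.Context, orgs map[string]*Org, userID, orgID string) (context.Context, error) {
	org := orgs[orgID]
	if org == nil || org.Members[userID] == "" {
		return ctx, ErrNotFound // same answer for "no such org" and "not a member", so org IDs cannot be enumerated
	}
	v := &viewer{UserID: userID, Org: org, Role: org.Members[userID]}
	return context.WithValue(ctx, viewerKey{}, v), nil
}

// Authorize fails closed: no viewer, a resource owned by another organization, or a missing grant.
func Authorize(ctx context.Context, resourceOrgID string, a Action) error {
	v, ok := ctx.Value(viewerKey{}).(*viewer)
	if !ok || v.Org.ID != resourceOrgID {
		return ErrNotFound // cross-tenant access looks identical to "does not exist"
	}
	if !v.Org.Can(v.Role, a) {
		return ErrDenied
	}
	return nil
}

var servers = map[string]string{"srv-1": "org-acme", "srv-2": "org-globex"} // server ID -> owning org (constructed)

// DeleteServer stands in for a server-management endpoint: scope the request, then authorize.
func DeleteServer(orgs map[string]*Org, userID, orgID, serverID string) error {
	ctx, err := Scope(context.Background(), orgs, userID, orgID)
	if err != nil {
		return err
	}
	return Authorize(ctx, servers[serverID], ManageServers)
}

// SampleOrgs: alice is Owner of acme and Viewer of globex; bob is a Developer at acme.
func SampleOrgs() map[string]*Org {
	acme, globex := NewOrg("org-acme"), NewOrg("org-globex")
	acme.Members["alice"], acme.Members["bob"] = Owner, Developer
	globex.Members["alice"] = Viewer
	return map[string]*Org{acme.ID: acme, globex.ID: globex}
}

func main() {
	fmt.Println(DeleteServer(SampleOrgs(), "bob", "org-acme", "srv-2")) // not found: srv-2 belongs to another tenant
}
```

Two details are deliberate. A resource in another organization produces the same not-found answer as a nonexistent one, which is what a query scoped to the current organization naturally returns; a separate forbidden answer is reserved for callers who are in the right organization but lack the grant. And the per-organization permission maps are built fresh in `NewOrg` rather than copied by reference, because a shallow copy of a map of maps would let one organization's customization silently rewrite every other organization's roles.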
Team management
Inviting members
Organization Owners and Admins can invite new members:
- Navigate to Organization Settings > Members
- Click Invite Member
- Enter the email address and select a role
- The user receives an invitation email with a link to join
If the invited user does not have an oCore account, they will be prompted to create one before accepting the invitation.
Managing members
Owners and Admins can:
- Change roles -- Reassign a member's role (e.g., promote Developer to Admin)
- Remove members -- Remove a member from the organization (this does not delete their user account)
- View activity -- See a member's recent actions within the organization
Ownership transfer
Only the Owner can transfer ownership, and only to an existing member of the organization. The previous Owner is demoted to Admin as part of the transfer, so the operation cannot be reversed by the person who performed it; only the new Owner can transfer ownership back.
API keys
Organizations can create API keys for programmatic access to the oCore API. API keys are useful for:
- CI/CD integration -- Trigger deployments from CI pipelines
- Automation scripts -- Manage servers and instances programmatically
- Third-party integrations -- Connect external monitoring or management tools
Each API key:
- Belongs to a specific organization
- Has a name and optional description
- Has an expiration date (or no expiration)
- Can be revoked at any time
- Is shown once at creation -- store it securely
API keys have the same permissions as the user who created them: a key created by an Owner can perform every action in the matrix above, including deleting the organization. Create automation keys from the least-privileged account that can do the job (for a deployment pipeline, a Developer account) and give them an expiration date. Treat them like passwords -- do not commit them to Git or share them in insecure channels.
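The list above implies a particular server-side shape: the secret is generated once, only a hash of it is stored (which is why it can only be shown at creation), and every use is checked against the owning organization, the revocation flag and the expiration date. The Go program below is an added example written for this page, not oCore's implementation. The `ocore_` prefix, the key format (key ID, a dot, then the base64url secret), the `KeyStore` type and its method names, and the sample organization and user IDs are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// APIKey is the server-side record. Only a SHA-256 hash of the random secret is kept,
// which is what makes "shown once at creation" possible: the server cannot re-display it.
type APIKey struct {
	ID, OrgID, CreatedBy, Name string // permissions are inherited from CreatedBy at request time
	SecretHash                 [32]byte
	ExpiresAt, RevokedAt       time.Time // zero value: never expires / not revoked
}

type KeyStore struct{ keys map[string]*APIKey }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*APIKey{}} }

var (
	ErrInvalidKey = errors.New("invalid api key")
	ErrExpired    = errors.New("api key expired")
	ErrRevoked    = errors.New("api key revoked")
)

const keyPrefix = "ocore_" // hypothetical prefix so secret scanners can recognize the format

// Create mints a key of the form prefix + key ID + "." + base64url(32 random bytes). The ID
// lets Verify find the record directly; only the part after the dot is secret.
func (s *KeyStore) Create(orgID, createdBy, name string, ttl time.Duration, now time.Time) (string, *APIKey, error) {
	raw := make([]byte, 8+32)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	id, secret := hex.EncodeToString(raw[:8]), raw[8:]
	rec := &APIKey{ID: id, OrgID: orgID, CreatedBy: createdBy, Name: name, SecretHash: sha256.Sum256(secret)}
	if ttl > 0 {
		rec.ExpiresAt = now.Add(ttl)
	}
	s.keys[id] = rec
	return keyPrefix + id + "." + base64.RawURLEncoding.EncodeToString(secret), rec, nil
}

// Revoke takes effect immediately; the record stays so audit logs can still resolve the key ID.
func (s *KeyStore) Revoke(id string, now time.Time) {
	if rec := s.keys[id]; rec != nil {
		rec.RevokedAt = now
	}
}

// Verify resolves a presented key for a request scoped to orgID. Every lookup failure returns
// the same ErrInvalidKey and the secret comparison is constant-time. Revocation and expiry are
// reported only after the secret matches, so an attacker cannot probe key state without the secret.
func (s *KeyStore) Verify(presented, orgID string, now time.Time) (*APIKey, error) {
	if !strings.HasPrefix(presented, keyPrefix) {
		return nil, ErrInvalidKey
	}
	parts := strings.SplitN(strings.TrimPrefix(presented, keyPrefix), ".", 2)
	if len(parts) != 2 {
		return nil, ErrInvalidKey
	}
	secret, err := base64.RawURLEncoding.DecodeString(parts[1])
	rec := s.keys[parts[0]]
	if err != nil || rec == nil || rec.OrgID != orgID {
		return nil, ErrInvalidKey // a key belongs to exactly one organization
	}
	sum := sha256.Sum256(secret)
	if subtle.ConstantTimeCompare(sum[:], rec.SecretHash[:]) != 1 {
		return nil, ErrInvalidKey
	}
	if !rec.RevokedAt.IsZero() {
		return nil, ErrRevoked
	}
	if !rec.ExpiresAt.IsZero() && !now.Before(rec.ExpiresAt) {
		return nil, ErrExpired
	}
	return rec, nil
}

func main() {
	store, now := NewKeyStore(), time.Now()
	key, rec, err := store.Create("org-acme", "alice", "ci-deploy", 24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("show once, then store only the hash:", key)
	store.Revoke(rec.ID, now)
	_, err = store.Verify(key, "org-acme", now)
	fmt.Println("after revocation:", err) // api key revoked
}
```

After `Verify` succeeds, the request should be scoped exactly as an interactive session for `rec.CreatedBy` would be, looking up that user's current role in `rec.OrgID`; that is how "same permissions as the user who created them" stays true when the creator is later demoted or removed, since the key carries no permissions of its own.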
Authentication
oCore supports multiple authentication methods:
| Method | Description |
|---|---|
| Email + Password | Standard registration with Argon2id password hashing |
| TOTP | Time-based one-time password for two-factor authentication |
| Recovery codes | 8 single-use backup codes for 2FA recovery |
| GitHub OAuth | Sign in with GitHub account |
| Google OAuth | Sign in with Google account |
| WebAuthn | Hardware security key authentication (passkeys) |
Two-factor authentication
oCore supports TOTP-based two-factor authentication. When enabled:
- The user scans a QR code with their authenticator app
- Eight recovery codes are generated (store these securely)
- Every login requires both password and TOTP code
- Recovery codes are single-use -- each code is consumed after validation
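The enrollment and login steps above can be implemented with nothing beyond the Go standard library. The program below is an added example written for this page, not oCore's code: RFC 6238 TOTP over HMAC-SHA1 with six digits and a 30-second step, verification that tolerates one step of clock drift but refuses to accept a code twice, and eight single-use recovery codes of which only hashes are stored. The `otpauth://` URI is the standard format authenticator apps read from the QR code; the `Enrollment` type and its method names are invented for the example, and the recovery codes are hashed with plain SHA-256 here rather than the Argon2id the page names for passwords.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// hotp is RFC 4226 HOTP-SHA1 truncated to six digits for one counter value.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	binary.Write(mac, binary.BigEndian, counter) // 8-byte big-endian counter
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is RFC 6238 over hotp with the standard 30-second step (counter = unix time / 30).
func TOTP(secret []byte, t time.Time) string { return hotp(secret, uint64(t.Unix())/30) }

// Enrollment is what the server stores for a user with 2FA enabled; the secret must be kept (encrypted at rest) because codes are recomputed from it.
type Enrollment struct {
	Secret       []byte
	LastCounter  uint64            // highest counter accepted so far; blocks replay of a used code
	RecoveryHash map[[32]byte]bool // hashes of the recovery codes not yet consumed
}

var ErrBadCode = errors.New("invalid code")

// Enroll creates a fresh secret and the otpauth URI that the QR code encodes.
func Enroll(issuer, account string) (*Enrollment, string, error) {
	secret := make([]byte, 20) // 160-bit secret, the HMAC-SHA1 recommendation
	if _, err := rand.Read(secret); err != nil {
		return nil, "", err
	}
	uri := fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30",
		url.PathEscape(issuer), url.PathEscape(account), b32.EncodeToString(secret), url.QueryEscape(issuer))
	return &Enrollment{Secret: secret, RecoveryHash: map[[32]byte]bool{}}, uri, nil
}

// VerifyTOTP accepts the current step and one step either side for clock drift, but never
// a counter at or below the last accepted one, so a captured code cannot be replayed.
func (e *Enrollment) VerifyTOTP(code string, now time.Time) error {
	counter := now.Unix() / 30
	for _, c := range []int64{counter - 1, counter, counter + 1} {
		if c < 0 || uint64(c) <= e.LastCounter {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(e.Secret, uint64(c))), []byte(code)) == 1 {
			e.LastCounter = uint64(c)
			return nil
		}
	}
	return ErrBadCode
}

// GenerateRecoveryCodes mints the eight single-use codes and keeps only their SHA-256
// hashes. Plain SHA-256 of a 40-bit code is brute-forceable offline if the table leaks;
// production code should use a slow hash such as the Argon2id used for passwords.
func (e *Enrollment) GenerateRecoveryCodes() ([]string, error) {
	e.RecoveryHash = map[[32]byte]bool{} // regenerating invalidates any earlier set
	codes := make([]string, 8)
	for i := range codes {
		raw := make([]byte, 5) // 40 bits = 8 base32 characters
		if _, err := rand.Read(raw); err != nil {
			return nil, err
		}
		codes[i] = strings.ToLower(b32.EncodeToString(raw))
		e.RecoveryHash[sha256.Sum256([]byte(codes[i]))] = true
	}
	return codes, nil
}

// UseRecoveryCode consumes a code; presenting the same code a second time fails.
func (e *Enrollment) UseRecoveryCode(code string) error {
	h := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(code))))
	if !e.RecoveryHash[h] {
		return ErrBadCode
	}
	delete(e.RecoveryHash, h)
	return nil
}

func main() {
	fmt.Println(TOTP([]byte("12345678901234567890"), time.Unix(59, 0))) // 287082, the RFC 6238 test vector
}
```

The `LastCounter` check is the part most often left out: without it, a code phished or shoulder-surfed during its 30-second window (up to 90 seconds with the drift window) can be submitted a second time by the attacker. The recovery codes get the same single-use treatment by deleting the hash on first use.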
Further reading
- Quick Start: Create an organization -- Set up your first organization and invite members
- Servers -- Server management within an organization
- Projects & Environments -- Organizing work with projects