Organizations & Roles
Catalyst Networks is multi-tenant: an organization is the container for a network, its certificate authority, its nodes, and its members. Every user can belong to multiple organizations, and access within each is governed by role-based access control (RBAC).
Creating an Organization
Creating an organization is a single form (Organizations → Create) that also bootstraps the network in one step. When you submit it, the app:
- Creates the organization and makes you its owner.
- Creates a network range from the CIDR you provide (private ranges and CGNAT `100.64.0.0/10` are allowed).
- Creates a Certificate Authority for the org by running `nebula-cert` (valid for one year) using the CA name you supply.
- Optionally creates a lighthouse node if you tick “create lighthouse” and give it a name — it is assigned the `.1` address in your network range and issued a certificate.
| Field | Purpose |
|---|---|
| Name | Organization name (also becomes the URL slug) |
| Description | Optional free-text description |
| Network CIDR | The overlay network range (e.g. 192.168.100.0/24) |
| CA name | Name for the organization’s Certificate Authority |
| Create lighthouse / Lighthouse name | Optionally provision a lighthouse node at .1 |
Organization creation may be subject to a plan limit on how many organizations your account can own.
Roles
Membership is tracked per user, per organization, with exactly three roles. There is no read-only “viewer” role.
| Role | Capabilities |
|---|---|
| Owner | Everything an admin can do, plus deleting the organization. The creator of an org is its owner. |
| Admin | Manage members and invitations (add, invite, change roles, remove), manage network ranges, configure SSO, and manage the network’s resources (nodes, certificates, security groups, webhooks). Cannot delete the organization. |
| Member | Access the organization and its resources, but cannot manage members, network ranges, or SSO. |
A few rules the app enforces regardless of role:
- You cannot change your own role.
- You cannot remove yourself from an organization.
- Only an owner can delete an organization.
Owners and admins share most administrative permissions; the practical difference is that org deletion is reserved for owners. When changing a member’s role, owners and admins may set any of the three roles (including promoting someone to owner).
Inviting and Managing Members
Member management lives under Members (`/organizations/<slug>/members/`) and is restricted to owners and admins. You have two ways to add someone:
- Invite by email — creates a pending invitation and sends an email with an accept link.
- Add member — if an account with that email already exists, they are added to the organization immediately; if not, it falls back to sending an invitation.
Both flows let you choose the role the person will receive.
The invitation lifecycle
- Create — An owner/admin invites an email address and picks a role. The invitation is locked to that exact email address and expires after 7 days.
- Deliver — An email is sent. If delivery fails, the invitation is still created and you are warned to reach the person another way. You can resend a pending invitation.
- Accept — The recipient opens the invite link:
  - If they are not signed in and already have an account, they are sent to log in and returned to the accept page.
  - If they have no account yet, they are sent to register (with the invitation token attached).
  - The invitation only accepts if the signed-in user’s email matches the invited email (case-insensitive). On acceptance, a membership is created with the invited role.
- Revoke — An owner/admin can revoke any still-pending invitation.
Invitations move through the states pending → accepted / revoked / expired. Pending invitations that pass their expiry are marked expired.
Changing roles and removing members
From the Members page, owners and admins can change a member’s role or remove a member (subject to the “not yourself” rules above). These actions update the membership immediately.
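The invitation lifecycle above and the role-change rules can be modelled as a small state machine. The following is an added illustration written for this page, not Catalyst Networks' own code: the 7-day expiry, the case-insensitive email lock, the pending → accepted / revoked / expired transitions, the owner/admin-only management check and the “cannot change your own role” rule. The in-memory `members` dict, the `Invitation` dataclass and the reference time `T0` are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROLES = ("owner", "admin", "member")
INVITE_TTL = timedelta(days=7)                   # invitations expire after 7 days
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time for the demo

@dataclass
class Invitation:
    email: str
    role: str
    created_at: datetime
    status: str = "pending"                      # pending -> accepted / revoked / expired

def can_manage(members, actor):
    # members maps email -> role; only owners and admins manage membership
    return members.get(actor) in ("owner", "admin")

def invite(members, actor, email, role, now):
    if not can_manage(members, actor):
        raise PermissionError("only owners and admins can invite")
    if role not in ROLES:
        raise ValueError("unknown role")
    return Invitation(email=email, role=role, created_at=now)

def accept(members, inv, signed_in_email, now):
    # a pending invitation that has passed its expiry is marked expired first
    if inv.status == "pending" and now >= inv.created_at + INVITE_TTL:
        inv.status = "expired"
    if inv.status != "pending":
        raise ValueError(f"invitation is {inv.status}")
    # the invite is locked to one address; compare case-insensitively
    if signed_in_email.casefold() != inv.email.casefold():
        raise PermissionError("invitation is locked to a different email")
    inv.status = "accepted"
    members[signed_in_email.casefold()] = inv.role  # membership gets the invited role
    return inv.role

def revoke(members, actor, inv):
    if not can_manage(members, actor) or inv.status != "pending":
        raise PermissionError("only owners/admins can revoke, and only pending invites")
    inv.status = "revoked"

def change_role(members, actor, target, new_role):
    if not can_manage(members, actor) or new_role not in ROLES:
        raise PermissionError("not allowed")
    if actor == target:
        raise PermissionError("you cannot change your own role")
    members[target] = new_role
```

Note that an expired invitation is only marked as such when someone tries to use it; a real deployment would also sweep pending invitations past their expiry on a schedule.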
Next Steps
- Web Dashboard Overview — the full map of the dashboard
- Single Sign-On (SSO) — let members log in through your identity provider, with automatic provisioning into a default role