Organizations & Roles

Catalyst Networks is multi-tenant: an organization is the container for a network, its certificate authority, its nodes, and its members. Every user can belong to multiple organizations, and access within each is governed by role-based access control (RBAC).

Creating an Organization

Creating an organization is a single form (Organizations → Create) that also bootstraps the network in one step. When you submit it, the app:

  1. Creates the organization and makes you its owner.
  2. Creates a network range from the CIDR you provide (private ranges and CGNAT 100.64.0.0/10 are allowed).
  3. Creates a Certificate Authority for the org by running nebula-cert (valid for one year) using the CA name you supply.
  4. Optionally creates a lighthouse node if you tick “create lighthouse” and give it a name — it is assigned the .1 address in your network range and issued a certificate.

The form fields and their purpose:

  • Name: Organization name (also becomes the URL slug)
  • Description: Optional free-text description
  • Network CIDR: The overlay network range (e.g. 192.168.100.0/24)
  • CA name: Name for the organization’s Certificate Authority
  • Create lighthouse / Lighthouse name: Optionally provision a lighthouse node at .1

Organization creation may be subject to a plan limit on how many organizations your account can own.

Roles

Membership is tracked per user, per organization, with exactly three roles. There is no read-only “viewer” role.

Roles and their capabilities:

  • Owner: Everything an admin can do, plus deleting the organization. The creator of an org is its owner.
  • Admin: Manage members and invitations (add, invite, change roles, remove), manage network ranges, configure SSO, and manage the network’s resources (nodes, certificates, security groups, webhooks). Cannot delete the organization.
  • Member: Access the organization and its resources, but cannot manage members, network ranges, or SSO.

A few rules the app enforces regardless of role:

  • You cannot change your own role.
  • You cannot remove yourself from an organization.
  • Only an owner can delete an organization.

Owners and admins share most administrative permissions; the practical difference is that org deletion is reserved for owners. When changing a member’s role, owners and admins may set any of the three roles (including promoting someone to owner).

Inviting and Managing Members

Member management lives under Members (/organizations/<slug>/members/) and is restricted to owners and admins. You have two ways to add someone:

  • Invite by email — creates a pending invitation and sends an email with an accept link.
  • Add member — if an account with that email already exists, they are added to the organization immediately; if not, it falls back to sending an invitation.

Both flows let you choose the role the person will receive.

The invitation lifecycle

  1. Create — An owner/admin invites an email address and picks a role. The invitation is locked to that exact email address and expires after 7 days.
  2. Deliver — An email is sent. If delivery fails, the invitation is still created and you are warned to reach the person another way. You can resend a pending invitation.
  3. Accept — The recipient opens the invite link:
    • If they are not signed in and already have an account, they are sent to log in and returned to the accept page.
    • If they have no account yet, they are sent to register (with the invitation token attached).
    • The invitation only accepts if the signed-in user’s email matches the invited email (case-insensitive). On acceptance, a membership is created with the invited role.
  4. Revoke — An owner/admin can revoke any still-pending invitation.

Invitations move through the states pending → accepted / revoked / expired. Pending invitations that pass their expiry are marked expired.

Changing roles and removing members

From the Members page, owners and admins can change a member’s role or remove a member (subject to the “not yourself” rules above). These actions update the membership immediately.
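The role rules and the invitation acceptance checks described above, written out as a small reference model. This is an added illustration, not Catalyst Networks’ own code; the function and field names are assumed, and the scenario data is constructed.

```python
# Added reference model of the page's RBAC and invitation rules (not the app's code).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ROLES = ("owner", "admin", "member")      # exactly three roles, no read-only viewer
MANAGERS = ("owner", "admin")             # roles that may manage members and invitations
INVITE_TTL = timedelta(days=7)            # invitations expire after 7 days

@dataclass
class Invitation:
    email: str                            # invitation is locked to this exact address
    role: str                             # role granted on acceptance
    created_at: datetime
    state: str = "pending"                # pending -> accepted / revoked / expired

def can_delete_org(actor_role: str) -> bool:
    """Deleting the organization is reserved for owners."""
    return actor_role == "owner"

def can_change_role(actor: str, actor_role: str, target: str, new_role: str) -> bool:
    """Owners and admins may set any of the three roles, but never their own."""
    return actor_role in MANAGERS and actor != target and new_role in ROLES

def can_remove_member(actor: str, actor_role: str, target: str) -> bool:
    """Owners and admins may remove others; nobody may remove themselves."""
    return actor_role in MANAGERS and actor != target

def accept_invitation(inv: Invitation, signed_in_email: str, now: datetime) -> Optional[str]:
    """Return the role granted on acceptance, or None if the invite cannot be accepted."""
    if inv.state == "pending" and now - inv.created_at > INVITE_TTL:
        inv.state = "expired"             # pending invites past expiry are marked expired
    if inv.state != "pending":
        return None                       # accepted, revoked or expired invites are dead
    if signed_in_email.casefold() != inv.email.casefold():
        return None                       # signed-in email must match, case-insensitively
    inv.state = "accepted"
    return inv.role

def run_scenario() -> dict:
    """Constructed walk-through: wrong account, right account, then a stale invite."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    inv = Invitation("Bob@Example.com", "admin", t0)
    wrong = accept_invitation(inv, "alice@example.com", t0)
    right = accept_invitation(inv, "bob@example.com", t0 + timedelta(days=1))
    stale = Invitation("carol@example.com", "member", t0)
    late = accept_invitation(stale, "carol@example.com", t0 + timedelta(days=8))
    return {"wrong": wrong, "right": right, "right_state": inv.state,
            "late": late, "late_state": stale.state}
```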

Next Steps