User Management

Control who can access your organization and what they're allowed to do

How access control works

deco CMS helps you manage who can do what in your organization. Think of it like managing access to a shared Google Drive or Slack organization—you decide who’s on your team and what they can do.

There are two main ways to control access:

  • Team member roles — What people in your organization can do (view, edit, manage settings, etc.)
  • API key permissions — What automated systems or external tools can do when they connect to your organization

Team roles

When you create an organization, you automatically get three roles to assign to team members:

  • Owner: Full control over everything, including deleting the organization or removing team members
  • Admin: Can manage day-to-day operations like adding connections, creating agents, and inviting users
  • User: Basic access to view and use existing connections (great for team members who just need to work with what’s already set up)

Creating custom roles

Need something more specific? You can create custom roles tailored to your team’s needs.

Example: Create a “Developer” role that can manage connections and agents but can’t delete anything, or a “Viewer” role that can only see what’s configured without making changes.

To create a custom role:

  1. Go to Members in your organization
  2. Click Manage Roles
  3. Click Create Role
  4. Give it a name (like “Developer” or “Support Team”)
  5. Select which actions this role should be allowed to perform

Tip: Start with the least access a role needs and grant more permissions only when they are required. It’s easier to grant more access later than to deal with accidental changes or deletions.

API key permissions

API keys let external tools or automated systems access your organization without requiring someone to log in. When you create an API key, you choose exactly what it’s allowed to do.

Example use cases:

  • A monitoring system that only needs to read connection status
  • A deployment script that needs to create new connections
  • A third-party integration that should only access specific agents

Best practice: Give each API key only the permissions it actually needs. If a script only reads data, don’t give it permission to delete things.

Where to manage access

You’ll work with these settings in a few different places:

  • Members page: Invite teammates, assign roles, and create custom roles
  • API Keys page: Create keys for automated tools and set their permissions
  • Agents page: Control which tools and connections each agent can access (useful for limiting what AI assistants or automation can do)

Practical examples

Give a team member admin access

When: You want someone to help manage connections and invite new team members

  1. Go to Members
  2. Find the person’s name
  3. Click their current role (probably “User”)
  4. Select Admin

Create an API key for a monitoring tool

When: You have a system that needs to check if your connections are working

  1. Go to API Keys
  2. Click Create API Key
  3. Give it a name like “Status Monitor”
  4. Select only “View Connections” permission
  5. Copy the key and use it in your monitoring tool

Set up a “Read-Only Analyst” role

When: You have team members who need to see configurations but shouldn’t change anything

  1. Go to Members, then click Manage Roles
  2. Click Create Role
  3. Name it “Read-Only Analyst”
  4. Select only viewing permissions (no create, update, or delete)
  5. Assign this role to the appropriate team members
