Members
A user is a global identity in LakeSail (one email, one set of credentials). A member is the org-scoped link between that user and your organization. Everything you do in LakeSail — ownership, audit trails, role assignments — is tracked against the member, not the user, so the same person can belong to multiple organizations cleanly.
This page covers the member lifecycle and the account-type distinction that determines who controls a member's profile.
How someone becomes a member
Two paths:
- Invitation. An admin sends an invite from Settings → Members. The invitee follows a signup flow (create account, verify email, optional 2FA) and lands as a member. See Invite teammates for the recipe.
- Self-signup with SSO. If your organization has an identity provider configured with auto-provisioning, a user who authenticates against it becomes a member automatically. See Single sign-on.
The member record is created on first signup or first SSO login, not when the invite is sent. An unaccepted invite is just a pending token; cancelling it doesn't affect anything.
Account types
Every member has an accountType, which determines who controls the user's profile.
| Type | Who controls the profile | Right for |
|---|---|---|
| managed (default) | The organization | Employees — admins can reset passwords, force MFA enrollment, deactivate the account |
| external | The user themselves | Consultants, contractors, partners — admins can grant access but can't change profile fields |
managed is the default for invited members. Pick external deliberately when the person isn't part of your org — it prevents accidental actions like resetting their password from the wrong direction.
What a member can do
A member's effective permissions come from three sources, layered:
- Organization roles assigned directly to the member (see Roles & permissions).
- Team roles for each team the member belongs to (additive across teams).
- Authorization policies that grant specific permissions on specific resources.
To answer "what can Alice do?", check all three. To grant Alice a new permission, add it at the layer that matches the scope — team-wide via a team role, single-resource via a policy.
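An added example (not LakeSail code or its API) that resolves the three layers for one member and records which grant confers each permission, so an overlap between layers is visible before you revoke anything. The role names, permission strings and the orgRoles, teamRoles and memberId fields are assumptions, isEnabled is the flag described under Manage members, and all data is constructed.

```python
from collections import defaultdict

# Hypothetical role catalogue (role name -> permissions); not LakeSail's real roles.
ROLE_PERMISSIONS = {
    "viewer": {"job.read"},
    "editor": {"job.read", "job.write"},
    "runner": {"query.run"},
}

def effective_permissions(member, policies):
    """Map each permission to every grant that confers it, across all three layers."""
    if not member["isEnabled"]:
        return {}  # a disabled member is blocked, whatever roles remain attached
    grants = defaultdict(list)
    # Layer 1: organization roles assigned directly to the member.
    for role in member["orgRoles"]:
        for perm in ROLE_PERMISSIONS[role]:
            grants[perm].append(f"org-role:{role}")
    # Layer 2: team roles, additive across every team the member belongs to.
    for team, role in member["teamRoles"].items():
        for perm in ROLE_PERMISSIONS[role]:
            grants[perm].append(f"team-role:{team}/{role}")
    # Layer 3: policies granting specific permissions on specific resources.
    for pol in policies:
        if pol["memberId"] == member["id"]:
            for perm in pol["permissions"]:
                grants[perm].append(f"policy:{pol['id']}@{pol['resource']}")
    return {perm: sorted(srcs) for perm, srcs in grants.items()}

def grants_to_revoke(member, policies, permission):
    """Every grant that must go before the member actually loses `permission`."""
    return effective_permissions(member, policies).get(permission, [])

# Constructed sample data.
ALICE = {"id": "m-alice", "isEnabled": True, "orgRoles": ["viewer"],
         "teamRoles": {"data-eng": "editor", "analytics": "runner"}}
POLICIES = [
    {"id": "pol-1", "memberId": "m-alice", "resource": "session-42",
     "permissions": ["session.terminate"]},
    {"id": "pol-2", "memberId": "m-bob", "resource": "job-7",
     "permissions": ["job.delete"]},
]

if __name__ == "__main__":
    for perm, sources in sorted(effective_permissions(ALICE, POLICIES).items()):
        print(f"{perm:18} <- {', '.join(sources)}")
```

In the sample, job.read is conferred by both an organization role and a team role, so removing only the team role leaves it in place.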
Manage members
From Settings → Members:
- Search and filter — find members by name, email, status, or role.
- Edit — update profile fields (managed only), change account type, toggle enabled.
- Reset MFA — if a member loses their 2FA device, an admin can reset it (managed only). The member re-enrolls on next login.
- Reset password — admins can issue a password reset email (managed only).
- Disable / re-enable — turning isEnabled off blocks access without deleting the record. Past activity stays attached.
- Remove — deletes the member from the organization. Past activity stays attached for audit; the underlying user (if external) keeps their account.
Leaving an organization
A member can be removed by an admin or, in some configurations, can leave on their own. Either way:
- The member loses access immediately.
- The user record stays — they keep their LakeSail login and any membership in other orgs.
- Resources the member created (jobs, queries, sessions) stay attached to the member ID for audit, but new activity from them stops.
If the member owned resources without a team assignment, transfer ownership before removing them. Otherwise the resources become unowned and only org admins can edit them.
Self-service
Members manage their own profile via Account settings:
- Update name and avatar.
- Manage email addresses (add, set primary, remove).
- Configure or reset their own MFA.
- Change password.
For managed accounts, profile fields like name and email may be controlled by the org — the self-service form shows what's editable.
API reference
- Members — list, describe, update, remove.
- Users — global user account management and self-service profile.
- Invitations — invite flow.
- MFA — admin reset and self-service MFA.