Members
A user is a global identity in LakeSail (one email, one set of credentials). A member is the org-scoped link between that user and your organization. Ownership, audit trails, and role assignments are all tracked against the member rather than the user, so the same person can belong to multiple organizations without conflicts.
This page covers the member lifecycle and the account-type distinction that determines who controls a member's profile.
How someone becomes a member
Two paths:
- Invitation. An admin sends an invite from Settings → Members. The invitee follows a signup flow (create account, verify email, optional 2FA) and lands as a member. See Invite teammates for the recipe.
- Self-signup with SSO. If your organization has an identity provider configured with auto-provisioning, a user who authenticates against it becomes a member automatically. See Single sign-on.
The member record is created on first signup or first SSO login, not when the invite is sent. An unaccepted invite is just a pending token; cancelling it doesn't affect anything.
Account types
Every member has an accountType, which determines who controls the user's profile.
| Type | Who controls the profile | Right for |
|---|---|---|
| managed (default) | The organization | Employees — admins can reset passwords, force MFA enrollment, deactivate the account |
| external | The user themselves | Consultants, contractors, partners — admins can grant access but can't change profile fields |
managed is the default for invited members. Pick external deliberately when the person isn't part of your org. This prevents accidental admin actions, such as resetting the password on an account that the person, not your organization, controls.
What a member can do
A member's effective permissions come from three sources, layered:
- Organization roles assigned directly to the member (see Roles & permissions).
- Team roles for each team the member belongs to (additive across teams).
- Authorization policies that grant specific permissions on specific resources.
To answer "what can Alice do?", check all three. To grant Alice a new permission, add it at the layer that matches the scope: team-wide via a team role, or single-resource via a policy.
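To make the "check all three" step concrete, the following added example (not LakeSail code or its API) resolves one permission on one resource and reports which layer granted it. The data model, role names and permission strings are constructed, and it assumes that every layer only grants, that org roles apply org-wide, and that a team role covers only resources assigned to that team.

```python
# Constructed sample data. Field names, role names and permission strings are
# hypothetical illustrations, not LakeSail's API schema.
ROLE_PERMISSIONS = {
    "org:viewer": {"job:read", "query:read"},
    "team:analyst": {"query:run"},
    "team:operator": {"job:run", "job:cancel"},
}

ALICE = {
    "isEnabled": True,
    "org_roles": ["org:viewer"],
    "team_roles": {"analytics": ["team:analyst"], "platform": ["team:operator"]},
    "policies": [{"permission": "job:delete", "resource": "job/nightly-etl"}],
}

NIGHTLY_ETL = {"id": "job/nightly-etl", "team": "platform"}
AD_HOC_JOB = {"id": "job/ad-hoc", "team": "platform"}


def explain(member, role_permissions, permission, resource):
    """Return every grant that lets `member` use `permission` on `resource`.

    An empty list means no layer grants it. Assumptions: all layers only
    grant, a team role covers only resources assigned to that team, and a
    disabled member has no access.
    """
    if not member["isEnabled"]:
        return []
    reasons = []
    # Layer 1: organization roles apply to every resource in the org.
    for role in member["org_roles"]:
        if permission in role_permissions.get(role, ()):
            reasons.append(f"org role {role}")
    # Layer 2: team roles are additive across teams, scoped to the team.
    for team, roles in member["team_roles"].items():
        if team != resource.get("team"):
            continue
        for role in roles:
            if permission in role_permissions.get(role, ()):
                reasons.append(f"team {team} role {role}")
    # Layer 3: policies grant one permission on one specific resource.
    for policy in member["policies"]:
        if (policy["permission"], policy["resource"]) == (permission, resource["id"]):
            reasons.append(f"policy on {resource['id']}")
    return reasons
```

Running the same check across every permission and resource before an access review shows which grants would remain if a single role or policy were revoked.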
Manage members
From Settings → Members:
- Search and filter — find members by name, email, status, or role.
- Edit — update profile fields (managed only), change account type, toggle enabled.
- Reset MFA — if a member loses their 2FA device, an admin can reset it (managed only). The member re-enrolls on next login. See MFA for the admin-reset flow and identity-verification caveats.
- Reset password — admins can issue a password reset email (managed only).
- Disable / re-enable — turning isEnabled off blocks access without deleting the record. Past activity stays attached.
- Remove — deletes the member from the organization. Past activity stays attached for audit; the underlying user (if external) keeps their account.
Leaving an organization
A member can be removed by an admin or, in some configurations, can leave on their own. Either way:
- The member loses access immediately.
- The user record stays — they keep their LakeSail login and any membership in other orgs.
- Resources the member created (jobs, queries, sessions) stay attached to the member ID for audit, but new activity from them stops.
If the member owned resources without a team assignment, transfer ownership before removing them. Otherwise the resources become unowned and only org admins can edit them.
Self-service
Members manage their own profile via Account settings:
- Update name and avatar.
- Manage email addresses (add, set primary, remove).
- Configure or reset their own MFA.
- Change password.
For managed accounts, profile fields like name and email may be controlled by the org. The self-service form shows what's editable.
API reference
- Members — list, describe, update, remove.
- Users — global user account management and self-service profile.
- Invitations — invite flow.
- MFA — admin reset and self-service MFA.