Skip to content

Organization & access control

Organization management lives in the admin console under Account: Organization (/admin/organization), Access Control (/admin/rbac), and Settings (/admin/settings).

The Organization page shows four KPIs at the top: Members, Pending invites, license Expires (or Perpetual license), and Seats remaining.

The members table lists each Member with their Role and Joined date. Use Remove member to remove someone from the organization.

  1. Open the Invite members sheet.
  2. Enter one or more email addresses. Emails that already belong to another organization are blocked.
  3. Choose the Default role applied to all invitees.
  4. Click Send invite.

Sent invitations appear in the Pending invites list until they are accepted. Each admin can create only one organization; the organization itself is set up during onboarding with a name and slug.

The license card shows the license Status (Active, Expired, or Inactive), the Expires date, and the number of Seats (or Unlimited).

When the license expires, admin screens are blocked until the license is renewed.

nara ships with two built-in roles:

RolePurpose
AdminFull access, including the admin console and access control
MemberDay-to-day use of chat, tickets, and assigned resources

Built-in roles cannot be deleted or renamed. You can create custom roles with a name, a description, and a specific permission set, and assign them alongside the built-in roles.

The Access Control page (/admin/rbac) governs who can use which resources. Its KPIs summarize Supporters, Active grants, Restricted resource families, and Ticket viewers.

Each resource family — Agents, Tools, Tickets, Memory, and Memory folders — has an access mode:

  • Open — everyone in the organization can use resources of this family.
  • Restricted — only people or agents with an explicit grant can use them.

Admins always retain access regardless of the mode.

Tickets use two dedicated roles:

Ticket roleCapabilities
SupporterView, update, assign, comment, delete closed tickets
ViewerRead-only access

Memory access is granted per data type, and grants can target both People and Agents — an agent only reads memory types it has been granted. Memory folder grants cascade: granting a folder also grants everything inside it.

Use the Access check (Explain) tool to verify a configuration: pick a User, a Resource kind, and a resource ID. The tool returns Allowed or Denied together with the reasons — which mode, role, or grant produced the decision.

The admin Settings page (/admin/settings) contains two organization-wide controls:

  • Automatic ticket assignment — an expert-router toggle that uses real user profiles to assign newly opened tickets to the best-matching person.
  • Server token — generate a server token for edge connections. Use Generate (or Regenerate) and copy the token; it is shown only once. See API authentication & tokens for details.