Organization & access control
Organization management lives in the admin console under Account: Organization (/admin/organization), Access Control (/admin/rbac), and Settings (/admin/settings).
Organization page
Section titled “Organization page”The Organization page shows four KPIs at the top: Members, Pending invites, license Expires (or Perpetual license), and Seats remaining.
Members
Section titled “Members”The members table lists each Member with their Role and Joined date. Use Remove member to remove someone from the organization.
Inviting members
Section titled “Inviting members”- Open the Invite members sheet.
- Enter one or more email addresses. Emails that already belong to another organization are blocked.
- Choose the Default role applied to all invitees.
- Click Send invite.
Sent invitations appear in the Pending invites list until they are accepted. Each admin can create only one organization; the organization itself is set up during onboarding with a name and slug.
License
Section titled “License”The license card shows the license Status (Active, Expired, or Inactive), the Expires date, and the number of Seats (or Unlimited).
When the license expires, admin screens are blocked until the license is renewed.
nara ships with two built-in roles:
| Role | Purpose |
|---|---|
| Admin | Full access, including the admin console and access control |
| Member | Day-to-day use of chat, tickets, and assigned resources |
Built-in roles cannot be deleted or renamed. You can create custom roles with a name, a description, and a specific permission set, and assign them alongside the built-in roles.
Access Control
Section titled “Access Control”The Access Control page (/admin/rbac) governs who can use which resources. Its KPIs summarize Supporters, Active grants, Restricted resource families, and Ticket viewers.
Access modes
Section titled “Access modes”Each resource family — Agents, Tools, Tickets, Memory, and Memory folders — has an access mode:
- Open — everyone in the organization can use resources of this family.
- Restricted — only people or agents with an explicit grant can use them.
Admins always retain access regardless of the mode.
Ticket roles
Section titled “Ticket roles”Tickets use two dedicated roles:
| Ticket role | Capabilities |
|---|---|
| Supporter | View, update, assign, comment, delete closed tickets |
| Viewer | Read-only access |
Memory grants
Section titled “Memory grants”Memory access is granted per data type, and grants can target both People and Agents — an agent only reads memory types it has been granted. Memory folder grants cascade: granting a folder also grants everything inside it.
Access check
Section titled “Access check”Use the Access check (Explain) tool to verify a configuration: pick a User, a Resource kind, and a resource ID. The tool returns Allowed or Denied together with the reasons — which mode, role, or grant produced the decision.
Settings
Section titled “Settings”The admin Settings page (/admin/settings) contains two organization-wide controls:
- Automatic ticket assignment — an expert-router toggle that uses real user profiles to assign newly opened tickets to the best-matching person.
- Server token — generate a server token for edge connections. Use Generate (or Regenerate) and copy the token; it is shown only once. See API authentication & tokens for details.