This tutorial assumes you have set TRACECAT__AUTH_TYPES=basic in your .env file. For production deployments, we highly recommend using SAML SSO or Google OAuth.
User Roles
Tracecat has a two-level permission system:
Organization Roles
| Role | Permissions | 
|---|---|
| Admin | Has access to all API endpoints and all workspaces, can administer organization-level (platform) settings and management APIs (/organization) | 
| Basic | Can only access workspaces they’ve been invited to and non-management APIs | 
Workspace Roles
| Role | Permissions | 
|---|---|
| Admin | Can manage workspace membership, create/update/delete secrets, and all other workspace functions | 
| Editor | Non-management workspace functions | 
Organization owner
The first user who logs into Tracecat is automatically assigned both the superadmin role and the organization admin role.
Important: Only the email address you specified during the initial setup (via env.sh) can become the first superadmin.
Currently, the superadmin role does not have any additional permissions beyond the organization admin role.
Security
Define the TRACECAT__AUTH_ALLOWED_DOMAINS environment variable to restrict the email domains that can log into Tracecat.
For example, to restrict access to email addresses from tracecat.com and example.com, set the following:
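As an added example (not from the Tracecat documentation), the script below audits a .env file for the two authentication settings this page names. It assumes both variables hold comma-separated lists, which the page does not show; the sample .env contents are constructed.

```shell
#!/bin/sh
# Added example, not Tracecat code. Assumption: both variables hold
# comma-separated lists; the page does not show the value format.

# Print the last KEY=value assignment in FILE, minus quotes and a trailing CR.
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r"'"'"
}

# Print one finding per line; return 0 if the file is clean, 1 otherwise.
audit_env() {
    findings=0
    types=$(env_value "$1" TRACECAT__AUTH_TYPES)
    domains=$(env_value "$1" TRACECAT__AUTH_ALLOWED_DOMAINS)

    case ",$types," in
        *,basic,*)
            echo "WARN: basic auth enabled (SAML SSO or Google OAuth recommended for production)"
            findings=$((findings + 1)) ;;
    esac

    if [ -z "$domains" ]; then
        echo "WARN: TRACECAT__AUTH_ALLOWED_DOMAINS not set, login is not limited by email domain"
        findings=$((findings + 1))
    fi

    set -f; old_ifs=$IFS; IFS=,      # split on commas, no glob expansion
    for d in $domains; do
        case $d in
            ''|*[!A-Za-z0-9.-]*|.*|*.|*..*)
                echo "WARN: '$d' is not a bare domain (stray space, '@', wildcard or empty entry)"
                findings=$((findings + 1)) ;;
            *.*) ;;                  # looks like a domain such as example.com
            *)
                echo "WARN: '$d' has no dot, probably a typo"
                findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs; set +f

    [ "$findings" -eq 0 ]
}

# Constructed sample .env: basic auth plus an allowlist with a stray space.
sample=$(mktemp)
printf '%s\n' 'TRACECAT__AUTH_TYPES=basic' \
    'TRACECAT__AUTH_ALLOWED_DOMAINS=tracecat.com, example.com' > "$sample"
audit_env "$sample" || true
rm -f "$sample"
```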
Login as admin
1. Access Tracecat
Go to the Tracecat UI at http://localhost and click the Sign up button.
2. Sign up
Enter the superadmin email address you configured during setup and a password (minimum 12 characters).

3. 🎉 Welcome
After signing up, you’ll be redirected to the default workspace as an organization admin.

Invite new users
To add a new user to Tracecat, the user must first sign up to Tracecat. They will be redirected to the following page:
1. Workspace members
Select the workspace you want to invite the user to, then under the settings menu, click Manage members.
2. Add workspace member
Click the Add member button, then enter the email address of the new user that signed up. You can assign them either the Workspace Admin or Editor role. The new user will show up as:
3. Login as new user
The new user can now log into Tracecat using the email address and password they used to sign up. They will be redirected to the workspace they were invited to.

Organization Admin Settings
Organization admins have the ability to:
 - View all users and sessions.
 - View all workspaces and settings.
 - Remove any non-admin user from any workspace.
 - Revoke active sessions for any user.
 - Manage organization-level settings.
 


Automatic workspace creation
By default, new users need to be invited to a workspace after registration. You can configure Tracecat to automatically create a workspace for new users when they sign up by enabling Create workspace on signup in the application settings.
