This tutorial assumes you have set TRACECAT__AUTH_TYPES=basic in your .env file. For production deployments, we highly recommend using SAML SSO or Google OAuth.

User Roles
Tracecat has a two-level permission system:

Organization Roles
| Role | Permissions |
|---|---|
| Admin | Has access to all API endpoints and all workspaces, can administer organization-level (platform) settings and management APIs (/organization) |
| Basic | Can only access workspaces they’ve been invited to and non-management APIs |
Workspace Roles
| Role | Permissions |
|---|---|
| Admin | Can manage workspace membership, create/update/delete secrets, and all other workspace functions |
| Editor | Non-management workspace functions |
Organization owner
The first user who logs into Tracecat is automatically assigned both superadmin and an organization admin role.
Important: Only the email address you specified during the initial setup (via env.sh) can become the first superadmin.
Currently, the superadmin role does not have any additional permissions beyond the organization admin role.
Security
Define the TRACECAT__AUTH_ALLOWED_DOMAINS environment variable to restrict the email domains that can log into Tracecat.
For example, to restrict access to email addresses from tracecat.com and example.com, set the following:
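As an added example (not Tracecat's own code), this is how an exact-match email-domain allowlist evaluates sign-up addresses, including lookalike and subdomain cases. It assumes the variable holds a comma-separated list and that an empty list restricts nothing; `parse_allowed_domains`, `is_email_allowed` and `audit` are hypothetical names.

```python
from __future__ import annotations

# Assumption: TRACECAT__AUTH_ALLOWED_DOMAINS is a comma-separated domain list.
SAMPLE_VALUE = "tracecat.com, Example.com"  # constructed sample value

# Constructed sample addresses (the .test TLD is reserved and never resolves).
SAMPLE_EMAILS = [
    "alice@tracecat.com",
    "bob@EXAMPLE.com",
    "eve@notexample.com",          # lookalike that merely ends in an allowed name
    "eve@example.com.other.test",  # allowed name used as a subdomain label
    "eve@mail.example.com",        # subdomain of an allowed domain
    "eve@example.com@other.test",  # more than one "@"
]


def parse_allowed_domains(raw: str | None) -> frozenset[str]:
    """Normalise the raw setting: trim, lowercase, drop empty entries."""
    if not raw:
        return frozenset()
    return frozenset(
        d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()
    )


def is_email_allowed(email: str, allowed: frozenset[str]) -> bool:
    """True only when the address's domain equals an allowed domain exactly."""
    if email.count("@") != 1:  # conservative: refuse ambiguous addresses
        return False
    local, domain = email.split("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain:
        return False
    if not allowed:  # assumption: an unset allowlist means no restriction
        return True
    # Set membership, never endswith(): suffix checks admit lookalike domains.
    return domain in allowed


def audit(emails: list[str], raw: str | None) -> dict[str, bool]:
    """Evaluate each address against the parsed allowlist."""
    allowed = parse_allowed_domains(raw)
    return {e: is_email_allowed(e, allowed) for e in emails}


if __name__ == "__main__":
    for address, ok in audit(SAMPLE_EMAILS, SAMPLE_VALUE).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {address}")
```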
Login as admin
1. Access Tracecat
Go to the Tracecat UI at http://localhost and click the Sign up button.

2. Sign up
Enter the superadmin email address you configured during setup and a password (minimum 12 characters).

3. 🎉 Welcome
After signing up, you’ll be redirected to the default workspace as an organization admin.

Invite new users
To add new users to Tracecat, the user must first sign up to Tracecat. They will be redirected to the following page:
1. Workspace members
Select the workspace you want to invite the user to, then under the settings menu, click Manage members.

2. Add workspace member
Click the Add member button, then enter the email address of the new user that signed up. You can assign them either Workspace Admin or Editor role. The new user will show up as:

3. Login as new user
The new user can now log into Tracecat using the email address and password they used to sign up. They will be redirected to the workspace they were invited to.

Organization Admin Settings
Organization admins have the ability to:
- View all users and sessions.
- View all workspaces and settings.
- Remove any non-admin user from any workspace.
- Revoke active sessions for any user.
- Manage organization-level settings.

Automatic workspace creation
By default, new users need to be invited to a workspace after registration. You can configure Tracecat to automatically create a workspace for new users when they sign up by enabling Create workspace on signup in the application settings.
