Concepts

Understanding how b'nerd Cloud organizes identity and resources will make everything else click into place.

Accounts

An account represents a person. It has a login (email address), a display name, and belongs to one or more organizations. You authenticate as an account — all API tokens and JWT sessions are tied to an account.

Organizations

An organization is the top-level billing and access boundary. Every resource on the platform belongs to an organization. When you sign up you create both an account and a first organization at the same time.

Key properties:

  • Has one or more members (accounts with a role and permissions)
  • Has at least one account with the Admin role at all times — the platform will refuse an action that would remove the last admin
  • Is the scope for static API tokens — a token is valid within the organization it was created for
  • Is the billing entity: invoices, subscriptions, and payment methods are per organization

Projects

A project groups resources within an organization. Projects are a lightweight namespace: DNS zones, Kubernetes clusters, compute resources, and object storage users are created inside a project.

Projects exist mainly to separate environments (e.g. production, staging) or workloads within a single organization. They do not create separate billing boundaries — all projects within an organization share its quota and billing.

Memberships

A membership links an account to an organization and carries that account's role and permissions within that organization.

  • Role — either Admin or Member. Admins bypass all per-category permission checks. Members are restricted to the permissions explicitly listed on their membership.
  • Permissions — a set of allowed actions (read, create, update, delete) across eight resource categories: projects, openstack, garden, rgw, apps, billing, members, settings.

See Roles & RBAC for the full permission model and built-in presets.
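To make the membership rules concrete, here is a small Python model of the role and permission check described above, together with the last-Admin guard from the Organizations section. It is an added illustration, not b'nerd Cloud's own code; the class and function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the page's membership rules; not b'nerd Cloud's own code.
CATEGORIES = {"projects", "openstack", "garden", "rgw", "apps", "billing", "members", "settings"}
ACTIONS = {"read", "create", "update", "delete"}

@dataclass
class Membership:
    account: str                                    # login email of the account
    role: str                                       # "Admin" or "Member"
    permissions: set = field(default_factory=set)   # {(category, action), ...}

@dataclass
class Organization:
    name: str
    members: dict = field(default_factory=dict)     # account -> Membership

class LastAdminError(Exception):
    """Raised when an action would leave the organization without an Admin."""

def is_allowed(m: Membership, category: str, action: str) -> bool:
    """Admins bypass per-category checks; Members need the explicit (category, action) pair."""
    if category not in CATEGORIES or action not in ACTIONS:
        raise ValueError(f"unknown category/action: {category}/{action}")
    if m.role == "Admin":
        return True
    return (category, action) in m.permissions

def admin_count(org: Organization) -> int:
    return sum(1 for m in org.members.values() if m.role == "Admin")

def set_role(org: Organization, account: str, new_role: str) -> None:
    """Change a member's role, refusing to demote the last Admin."""
    m = org.members[account]
    if m.role == "Admin" and new_role != "Admin" and admin_count(org) == 1:
        raise LastAdminError(f"{account} is the last Admin of {org.name}")
    m.role = new_role

def remove_member(org: Organization, account: str) -> None:
    """Remove a membership, refusing to remove the last Admin."""
    m = org.members[account]
    if m.role == "Admin" and admin_count(org) == 1:
        raise LastAdminError(f"{account} is the last Admin of {org.name}")
    del org.members[account]
```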

Invitations

You add new members to an organization by sending an invitation to their email address. Invitations carry a role and permissions and expire if not accepted. Invitation lookup and accept/decline are the only unauthenticated API endpoints.

Summary

Account
  └── Membership ──► Organization
                          └── Project
                                └── Resources (servers, DNS zones, clusters, …)

One account can be a member of multiple organizations, each with different roles and permissions.