Organization member invitations are available on .
Membership contract
Membership gives a person access to an organization. It does not automatically grant access to every restricted server unless the person is an organization admin or the server has a default role.| Property | Contract |
|---|---|
| Organization boundary | A user must be a member of the organization to access its Horizon resources. |
| Organization role | Admin or Member defines the user’s organization-level baseline. |
| Server access | Non-admin members need explicit server grants or server default roles. |
| API keys | User-owned API keys use the user’s current access. Removing the user removes the useful scope of those keys. |
| Removal | Removing a member removes their membership and explicit access grants in that organization. |
Use service accounts for durable automation. User-owned
keys should stop being relied on when that user leaves the organization.
Member lifecycle
The invitation is accepted
The person joins the organization after accepting the invitation and
completing sign-in.
Review usage
Use users, sessions, and request logs to understand how the member’s clients
interact with deployed servers.
Invitation states
| State | Meaning |
|---|---|
| Pending | The invitation has been sent but not accepted. |
| Accepted | The invited person joined the organization. |
| Expired | The invitation can no longer be accepted. Send a new invitation if needed. |
| Revoked | An admin canceled the invitation before it was accepted. |
Roles
| Role | Contract |
|---|---|
| Admin | Can manage organization settings and has full server access. |
| Member | Can access servers through explicit grants or server default roles. |
admin, editor, or viewer access to a
specific server. See Authorization for the full
resolution model.
Access changes
| Change | Effect |
|---|---|
| Promote member to admin | The user gains organization management access and full server access. |
| Demote admin to member | The user loses admin bypass and must rely on explicit server grants or defaults. |
| Remove explicit server grant | The user may still retain access through a server default role or organization admin role. |
| Remove member from organization | The user can no longer access organization resources. |
| Reinvite removed user | New membership does not automatically recreate all prior explicit server grants. |
Reviewing members
Review membership from two directions:- Organization view: who can sign in, who is admin, and who counts toward seats.
- Server view: who can access a specific server and with what role.
Operational guidance
- Give admin access only to people who should manage billing, organization settings, integrations, and access.
- Use explicit server grants for people who need access to restricted servers.
- Remove members promptly when they leave the organization.
- Use service accounts for automation instead of adding shared human accounts.
Related docs
Roles
Review the role model used by Horizon.
Authorization
See the full access resolution model for users and servers.