Skip to content
Docs/Teams & Seats

Teams, Roles, and Seat Enforcement

Use organizations to collaborate safely. Seats gate write access across projects, API keys, and snapshots.

Where to manage

Team access Seat assignments API keys

At a glance

  • Org members need seats to write.
  • Admins manage invites, roles, and seats.
  • API keys are user-scoped for enforcement.

Organizations

Organizations let multiple users collaborate in a shared workspace. Team capabilities are enabled per workspace during the MVP period.

Device Management

vem tracks the devices (laptops, servers) connected to your account. Each device is identified by a unique ID and name to enforce workspace limits and provide better audit trails.

If you reach your device limit, you can disconnect old devices in your Profile settings or contact support for access changes.

Roles and permissions

Vem uses both organization-level and project-level roles to provide granular access control.

Organization Roles

Owner

Full control over workspace access, roles, seats, and project settings.

Admin

Manage invites, roles, and seat assignments.

Member

Read projects and write when a seat is assigned.

Read-only

View-only access. Cannot write even if seats are available.

Project Roles

You can further refine access on a per-project basis using the Permission Matrix on the Team page.

Owner

Full control over the project, including settings and deletion.

Admin

Can manage tasks, snapshots, and project-level team members.

Editor

Can create and edit tasks and push snapshots.

Viewer

Read-only access to project data.

Seat enforcement

Seats are assigned in Team. Write operations require a seat in the current org.

Seats apply to project creation, API key creation, and snapshot pushes. If you are an admin and seats are available, the system will auto-assign a seat the first time you perform a write.

Seat enforcement happens on the server. If no seat is assigned, the request is rejected with a clear error message.

Multi-Factor Authentication (MFA)

Protect your account and organization with Multi-Factor Authentication (TOTP). We strongly recommend all users enable MFA in their profile settings.

TOTP Support

Use apps like Google Authenticator or 1Password to secure your sign-in.

Recovery Codes

Generate and store recovery codes to maintain access if you lose your device.

Organization Enforcement

Admins can enforce MFA across the entire organization from the Settings page.

When MFA enforcement is enabled, members who have not enrolled in MFA will be restricted to read-only access until they set up their second factor.

Invites and onboarding

Admins can invite teammates by email from the Team page. A user must accept the invite before a seat can be assigned.

Invite flow

Send an invite with a role. Pending invites can be revoked by admins.

Role management

Admins can update roles for members (owner role excluded).

API keys and CLI access

API keys are user-scoped so we can enforce seat access. Reissue keys after enabling teams if you generated them before this feature.

If a key is missing user identity, snapshot pushes are rejected. If a user is not seated, they will receive a seat-required error.

Use the API Keys page to rotate keys, then run vem login <key> on the CLI.

Troubleshooting

  • No seat assigned: Ask an admin to assign a seat in Team.
  • Invite disabled: Workspace access is not enabled yet.
  • API key rejected: Reissue keys so they include your user identity.
  • Read-only role: Change role to Member or Admin to enable writes.