Overview
Etlworks supports multi-user and multi-tenant environments.
You can:
- Create and manage users
- Assign roles and control access
- Organize work using tenants (isolated environments)
- Manage API users and API keys
Access
Users & Tenants: Top-right menu → PLATFORM → Users or Tenants
Switch tenant: Top-right menu → ACCOUNT → Select Tenant
Users
Create a user
- Open Users
- Click +
- Enter required fields
- Click Save
An invitation email is sent to the user with a link to complete setup.
Manage users
From the Users screen you can:
- Edit user details
- Deactivate users
- Resend invitation
Override Security Settings for User
Admins can override some of the global and/or account level security policies:
- Allow API key authentication. The API key can be used to authenticate the user when making a call to the user-defined and built-in API. The API key can be generated and assigned to the user with any role, including Admin. Account administrator can disable API keys for roles other than API user.
Admins and users can generate API keys if it is allowed.
Notes
- A valid email address is required
- Deactivated users cannot log in
Roles and permissions
Each user is assigned a role that defines their access.
| Role | Description | Scope |
| Super Admin | Full system access | All tenants |
| Administrator | Full control, including users and resources | Single tenant |
| Editor | Same as Administrator, except user management and global stats | Single tenant |
| Operator | Can run Flows and view data and statistics | Single tenant |
| Viewer | Read-only access | Single tenant |
| API User | Access only to API endpoints and own messages | Single tenant |
Important
- Only Super Admin has access to all tenants
- All other roles are limited to a single tenant
API users and API keys
API User role
Use this role for integrations that call user-defined APIs.
Characteristics:
- Limited access to UI: can only see own API messages
- Can only interact with API endpoints: users with API role cannot execute built-in APIs
Users with Administrator, Editor, and Operator roles can also call user-defined APIs, but API User is the most restricted and secure option.
API key
An API key is a long-lived authentication key that can be used instead of a JWT token when calling Etlworks APIs. API keys are opaque system-generated credentials. They can be non-expiring or issued with an expiration date, depending on system configuration.
Typical use cases:
- Calling Etlworks APIs
- Calling user-defined endpoints (listeners)
- SSO environments with password rotation
Any User can have API Key
- The API key can be generated and assigned to the user with any role, including Super Admin.
- The system administrator can can control API key authentication at multiple levels:
The system administrator can also disable API key authentication for roles other than API User.
Manage API key
API keys are managed from:
- user profile and
- user editor Security section
Create API key
To generate or regenerate an API key, click the generate API key button.
When enabled by configuration, the API key can be issued with an expiration period in days.
If a global or tenant Max API key TTL (days) safeguard is configured, the expiration becomes required and cannot exceed that limit.
Revoke API key
To revoke the API key, click the revoke API key button.
Copy API key to the system clipboard
To copy the API key to the system clipboard, click the copy API key to the clipboard button.
Show/Hide API key
To toggle between show/hide API, key click the show/hide API key button.
API Key Notes
- API keys can be non-expiring or time-bound
- Non-expiring API keys remain valid until revoked
- Expired API keys can no longer be used for authentication
- API keys can be used with any role, subject to system policy
- Admins can control API key authentication globally, per tenant, and per user
- Tenant settings can override global settings
- User-level API key authentication can override both tenant and global settings
Tenants
Important
- Tenants are available only on dedicated instances
- Tenants share the same infrastructure
Tenants Overview
Tenants are isolated workspaces within a single Etlworks instance.
Each tenant has its own:
- Users
- Flows
- Connections
- Formats
- Listeners
- Schedules
- Webhooks
Tenants are fully isolated from each other.
When to use tenants
Use tenants to:
- Separate environments (Development, Staging, Production)
- Isolate teams or customers
- Apply different access rules
- Delegate administration
Manage tenants
To manage tenants:
- Open Tenants
- Click + to create a tenant
You can:
- Create tenants
- Edit tenant settings (name, color theme)
- Deactivate tenants
Assign users to tenants
- Each user belongs to a tenant
- Tenant determines accessible resources
Change tenant for a user
- Log in as Super Admin
- Open Users
- Select a user Update the Tenant field
Switch tenants (Super Admin)
Super Admin users can switch tenants without logging out.
Switch tenant
- Open top-right menu
- Click Select Tenant
- Choose tenant
- Click Switch
After switching:
- You operate within that tenant
- Permissions behave as tenant Administrator
Set default tenant
You can set a default tenant for login.
Use this when:
- You work primarily in one tenant
- You want to avoid switching every time
Return to main account
To return to global context:
- Open Select Tenant
- Clear selection
- Click Switch
SSO user management
Available on dedicated instances.
When SSO is enabled:
- Users are matched by email
- Existing users are logged in
- New users are created automatically
New users are:
- Assigned to SSO Landing tenant
- Given Viewer role
Super Admin can:
- Move users to another tenant
- Assign appropriate roles
Summary
- Users define access
- Roles define permissions
- Tenants define isolation
- API users and keys enable secure integrations