
Account access

Access to Temporal Cloud is governed by role-based access control (RBAC). Within an account, each access principal, such as a user, user group, or service account, is assigned one or more account-level roles, and each role has a set of permissions. A principal can only perform an action if it holds a role that grants the necessary permissions.

Within a Namespace, each principal is assigned one or more Namespace-level permissions, and each permission permits a set of actions. A principal can only perform an action within the Namespace if it holds a permission that grants that action.
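The two-level check described above, written out as an added example (not Temporal Cloud's code): account-level roles map to permissions, Namespace-level permissions map to actions, a user inherits what its groups hold, and everything is denied by default. The role and permission names other than Account Owner are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy tables: only "Account Owner" is a real Temporal Cloud role
# name; the rest are illustrative.
ACCOUNT_ROLES = {                       # account-level role -> permissions
    "Account Owner": {"manage_users", "manage_billing", "view_usage"},
    "Developer": {"view_usage"},
}
NAMESPACE_PERMISSIONS = {               # Namespace-level permission -> actions
    "Admin": {"read", "write", "configure"},
    "Write": {"read", "write"},
    "Read": {"read"},
}


@dataclass
class Principal:
    """A user, user group, or service account; users may belong to groups."""
    name: str
    account_roles: set = field(default_factory=set)
    namespace_permissions: dict = field(default_factory=dict)  # namespace -> perms
    member_of: set = field(default_factory=set)                # group names


def _in_scope(p, directory):
    """The principal itself plus each group it belongs to (unknown groups ignored)."""
    return [p] + [directory[g] for g in p.member_of if g in directory]


def can_do_account_action(p, permission, directory=None):
    """True only if a role held directly or via a group grants the permission."""
    for q in _in_scope(p, directory or {}):
        for role in q.account_roles:
            # An unknown or misspelled role grants nothing: deny by default.
            if permission in ACCOUNT_ROLES.get(role, set()):
                return True
    return False


def can_do_namespace_action(p, namespace, action, directory=None):
    """True only if a permission held in *that* Namespace allows the action."""
    for q in _in_scope(p, directory or {}):
        for perm in q.namespace_permissions.get(namespace, set()):
            if action in NAMESPACE_PERMISSIONS.get(perm, set()):
                return True
    return False
```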

Temporal Cloud supports Security Assertion Markup Language (SAML) and System for Cross-domain Identity Management (SCIM) for integration with your organization's identity provider (IdP). SAML enables single sign-on (SSO) by allowing your identity provider to authenticate users into Temporal Cloud. SCIM automatically creates, updates, and removes users and groups in Temporal Cloud based on changes in your identity provider.

Temporal Cloud accounts

Accounts are the top-level container for access control. Each account has at least one user assigned the Account Owner role, which has full administrative permissions across the account, including users, billing, and usage. An account is not an access principal itself.

When you sign up for Temporal Cloud without joining an existing account, you are automatically assigned the Account Owner role for a new account. You can then invite other users to join the account and assign them roles.

Info: Multiple accounts can coexist on the same email domain. Each account can have its own independent SAML configuration, tied to its unique Account ID.

However, each email address can only be associated with a single Temporal Cloud account. If you need access to multiple accounts, you’ll need a separate invite for each one using a different email address.

Access principals

Temporal Cloud offers the following principals for access control:

  • Users - Manage individual user accounts and permissions
  • User Groups - Organize users into groups for simplified access management
  • Service Accounts - Configure service accounts for automated access

Integration with identity providers

Temporal Cloud supports SAML and SCIM for integration with your organization's identity provider (IdP).

  • SAML - Configure SAML-based SSO integration
  • SCIM - Use your IdP to manage Temporal Cloud users and access via SCIM integration

Frequently Asked Questions

Can multiple Temporal Cloud accounts share the same email domain?

Yes. Multiple Temporal Cloud accounts can coexist with users from the same email domain. Each account has its own independent SAML configuration, tied to its unique Account ID. We recommend configuring SAML for each account independently.

For a smoother login experience, you can configure SAML for each account separately and use IdP-initiated login: you click the relevant app tile in your identity provider's portal to access the Temporal Cloud account associated with your email address directly.

Can the same email be used across different Temporal Cloud accounts?

No — each email address can only be associated with a single Temporal Cloud account. If you need access to multiple accounts, you’ll need a separate invite for each one using a different email address.

Can I use Google or Microsoft SSO after signing up with email and password?

If you originally signed up for Temporal Cloud using an email and password, you won’t be able to log in using Google or Microsoft single sign-on.

If you prefer SSO, ask your Account Owner to delete your current user and send you a new invitation. During re-invitation, be sure to sign up using your preferred authentication method.

How do I complete the Secure Your Account step?

If you signed up for Temporal Cloud using an email and password, you're required to set up multi-factor authentication (MFA) for added security. Currently, only authenticator apps (such as Google Authenticator, Microsoft Authenticator, and Authy) are supported as an additional factor.

To proceed:

  1. Download a supported authenticator app on your mobile device.
  2. Scan the QR code shown on the Secure Your Account screen.
  3. Enter the verification code from your app to complete MFA setup.
  4. Securely store your recovery code. This code allows you to access your account if you lose access to your authenticator app.

Once MFA is configured, you’ll be able to continue using Temporal Cloud.

What if I lose access to my authenticator app?

If you lose access to your authenticator app, you can still log in by clicking Try another method on the MFA screen. From there, you can either:

  • Enter your recovery code (provided when you first set up MFA)
  • Receive a verification code through email

Once you're logged in, you can reset your authenticator app by navigating to My Profile > Password and Authentication and then clicking Authenticator App > Remove method.

How do I reset my password?

If you're currently logged in and would like to change your password, click your profile icon at the top right of the Temporal Cloud UI, navigate to My Profile > Password and Authentication, and then click Reset Password.

If you're not currently logged in, navigate to the login page of the Temporal Cloud UI, enter your email address, click Continue, and then select Forgot password. In both cases, you will receive an email with instructions on how to reset your password.