Access Control & SSO

Role-based permissions, team management, SSO, and API tokens.

Teams & Organizations

Create Organization

rf orgs create my-company

Invite Members

rf teams invite [email protected] --role admin
rf teams invite [email protected] --role developer
rf teams invite [email protected] --role viewer

Roles

Role | Deploy | Env Vars | Databases | Logs | Billing | Team Mgmt
Owner
Admin
Developer
Deployer Read Read
Viewer

Custom Roles

rf roles create qa-engineer \
  --allow deploy:staging \
  --allow logs:read \
  --allow env:read \
  --allow db:connect:staging \
  --deny deploy:production \
  --deny env:write:production

Project-Level Permissions

Restrict members to specific projects:

rf teams member [email protected] --projects my-saas,internal-tools --role developer

SSO (Single Sign-On)

SAML

rf sso configure saml \
  --entity-id https://myidp.com/entity \
  --sso-url https://myidp.com/sso \
  --certificate ./idp-cert.pem

OIDC (OpenID Connect)

rf sso configure oidc \
  --issuer https://accounts.google.com \
  --client-id xxx \
  --client-secret xxx

Supported identity providers: Okta, Azure AD, Google Workspace, OneLogin, Auth0, JumpCloud, and any SAML 2.0 / OIDC provider.

Enforce SSO

rf sso enforce --allow-cli-tokens

All web logins must go through SSO. CLI tokens and API keys remain valid for CI/CD pipelines.

API Tokens

Create scoped tokens for CI/CD, scripts, and integrations:

# Full access token
rf auth token create --name "CI Pipeline" --scope full

# Scoped token
rf auth token create --name "Deploy Bot" --scope deploy:production --expires 90d

# Project-scoped token
rf auth token create --name "Monitoring" --scope logs:read,metrics:read --project my-saas

✓ Token created: rf_tok_a8f3b2c1d4e5...
  Name: CI Pipeline
  Scope: full
  Expires: never

  ⚠ This token will only be shown once. Store it securely.

Token Management

# List tokens
rf auth token list

# Revoke a token
rf auth token revoke rf_tok_a8f3b2c1

# Rotate a token (create new, revoke old)
rf auth token rotate "CI Pipeline"

Use in CI/CD

# Set as environment variable
export RAIDFRAME_TOKEN=rf_tok_a8f3b2c1d4e5

# Use in GitHub Actions
rf deploy --token "$RAIDFRAME_TOKEN"

Activity Feed

See who did what across your organization:

rf activity --last 24h
TIME         ACTOR              ACTION                PROJECT
14:23        [email protected]  Deployed v43          my-saas
14:10        [email protected]    Set STRIPE_KEY        my-saas (production)
13:45        CI Pipeline        Deployed v12          internal-tools
12:00        system             Auto-scaled api 2→4   my-saas
11:30        [email protected]  Viewed logs           my-saas
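
One way to triage this feed for review, as an added example that is not part of the rf CLI or the original page: it flags environment-variable changes on production and deploys made by an API token. It assumes the column layout shown above (fields separated by two or more spaces) and that human actors appear as e-mail addresses; review_activity and sample_feed are hypothetical names, and the sample is constructed with placeholder addresses.

```shell
#!/bin/sh
# Added example: triage `rf activity` output for events worth a second look.
# Assumes the column layout of the sample on this page (fields separated by
# two or more spaces); the classification rules are illustrative assumptions.

# review_activity: reads the feed on stdin and prints one line per flagged
# event in the form REASON|TIME|ACTOR|ACTION|PROJECT.
review_activity() {
  awk -F'  +' '
    NR == 1 && $1 == "TIME" { next }   # skip the header row
    NF < 4 { next }                    # ignore blank or malformed lines
    {
      time = $1; actor = $2; action = $3; project = $4
      # Actor type: e-mail => human, "system" => platform; anything else
      # is treated as an API token name (assumption).
      if (actor ~ /@/)            kind = "user"
      else if (actor == "system") kind = "system"
      else                        kind = "token"

      reason = ""
      if (action ~ /^Set / && project ~ /\(production\)$/)
        reason = "prod-env-change"     # env var written on production
      else if (kind == "token" && action ~ /^Deployed /)
        reason = "token-deploy"        # deploy performed with a token
      if (reason != "")
        printf "%s|%s|%s|%s|%s\n", reason, time, actor, action, project
    }'
}

# Constructed sample in the page's format (addresses are placeholders).
sample_feed() {
  cat <<'EOF'
TIME         ACTOR              ACTION                PROJECT
14:23        alice@example.com  Deployed v43          my-saas
14:10        bob@example.com    Set STRIPE_KEY        my-saas (production)
13:45        CI Pipeline        Deployed v12          internal-tools
12:00        system             Auto-scaled api 2→4   my-saas
11:30        carol@example.com  Viewed logs           my-saas
EOF
}

sample_feed | review_activity
```

In practice the input would come from `rf activity --last 24h | review_activity`, with each flagged token deploy checked against the tokens and scopes you expect to be in use.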

Session Management

# View active sessions
rf auth sessions

# Revoke all sessions except current
rf auth sessions revoke --all-except-current

# Revoke specific session
rf auth sessions revoke sess_abc123