Accounts & Organizations
Every user in NetDefense has a personal account (email + password) that is separate from organization membership. A single account can belong to multiple organizations, each with a different role. An organization is the top-level container in NetDefense — all devices, policies, accounts, and configurations live inside an organization.
Authentication & Identity
Your account holds your personal identity (email, name, status). Use the auth me command to see your identity and which organizations you belong to.
ndcli auth meEmail: alice@netdefense.ioName: Alice UserStatus: ● ENABLEDCreated: 2026-02-20 17:42:17Updated: 2026-02-20 18:43:11
Organizations:╭─────────────┬───────────┬───────────┬─────────────────────╮│ Name │ Role │ Status │ Joined │├─────────────┼───────────┼───────────┼─────────────────────┤│ example-org │ superuser │ ● ENABLED │ 2026-02-20 17:51:12 │╰─────────────┴───────────┴───────────┴─────────────────────╯Organization Management
An organization groups everything together — think of it as a tenant or workspace. Each organization has a Registration Token, a shared secret used by devices running NDAgent to register themselves with the organization for the first time.
ndcli org describe example-orgName: example-orgStatus: ENABLEDDefault OU: productionCreated: 2026-02-20 17:51:12Updated: 2026-02-20 19:16:56
Statistics: Devices: 8 Members: 3 By Role: SU=1, RW=1, RO=1
Owners: • alice@netdefense.io
Registration Token: 9fc86b59-a821-465a-bb29-6ffd7f3a9165Organization Roles
Each account member is assigned one role that controls what they can do inside the organization:
| Role | Short | Permissions |
|---|---|---|
| Superuser | SU | Full control: manage members (invite, remove, change roles), manage all resources (devices, templates, snippets, VPNs, backups), approve devices, trigger syncs. Can do everything RW can do plus user management. |
| Read-Write | RW | Can view and modify resources: create/edit snippets, templates, OUs, VPN networks, trigger syncs, manage backups. Cannot manage other users’ roles or invitations. |
| Read-Only | RO | Can only view and list resources. Cannot create, modify, or delete anything. Useful for auditors or monitoring dashboards. |
Accounts
Organization accounts show all members and their current status. Invited members who have not yet accepted will show - for their name.
ndcli org account list╭─────────────────────┬────────────┬───────────┬───────────┬──────────────────╮│ Email │ Name │ Role │ Status │ Created │├─────────────────────┼────────────┼───────────┼───────────┼──────────────────┤│ alice@netdefense.io │ Alice User │ superuser │ ● ENABLED │ 2026-02-20 17:51 ││ bob@netdefense.io │ Bob User │ readwrite │ ● ENABLED │ 2026-02-20 17:53 ││ carol@example.com │ - │ readonly │ ◐ INVITED │ 2026-02-20 19:21 │╰─────────────────────┴────────────┴───────────┴───────────┴──────────────────╯Invitations
To add someone to your organization, you send them an invitation specifying their role. The invitee receives a notification and can accept or decline. Once accepted, they appear as a regular account member with the assigned role.
An invitation goes through these states:
| State | Meaning |
|---|---|
| INVITED | Waiting for the recipient to respond. |
| ENABLED | Accepted and active. |
| DECLINED | The recipient declined the invitation. |
Invitations are sent via ndcli org invite send <email> --role <SU|RW|RO>.
ndcli org invite listSent Invitations:╭───────────────────┬──────────────┬──────────┬───────────┬─────────────────────╮│ Email │ Organization │ Role │ Status │ Created │├───────────────────┼──────────────┼──────────┼───────────┼─────────────────────┤│ carol@example.com │ example-org │ readonly │ ◐ INVITED │ 2026-02-20 19:21:07 │╰───────────────────┴──────────────┴──────────┴───────────┴─────────────────────╯