Before you start
Lamba separates Team Member console access from Project Member runtime access. A person may hold both memberships, but neither implies the other.
What you build
Use the member lifecycle model to decide how people enter your product:
| Flow | Membership affected | Default role behavior |
|---|---|---|
| Team invite | Team Member | Workspace role and optional Project console role |
| Project member invite | Project Member | Chosen Project role or built-in viewer |
| Public join | Project Member | Built-in viewer unless configured otherwise |
| Register | Project Member | Built-in viewer unless the flow chooses another Project role |
| Promote to Team Member | Team Member only | Does not assign Project roles |
Implementation steps
1) Identify the surface
Console access is for workspace operators. Runtime access is for the product's own users. Keep these decisions separate in product UI and docs.
2) Choose the correct role catalog
Use Workspace roles for workspace-wide console access, Project console roles for console access in a selected Project, and Project roles for runtime product access.
3) Preserve the starter role catalog
Project roles must always expose starter built-ins, including viewer, so a valid Project never has an empty role catalog.
4) Handle invite and join completion
After invite accept, public join, or register, read the resulting Project membership before showing runtime actions.
Security and operational notes
- Promotion changes console access only.
- Runtime users should not be stranded without a remaining sign-in path.
- Auth method changes must evaluate active runtime Project Members, not Team Members.
- Environment-specific auth settings should evaluate the selected environment's effective config.
Troubleshooting
If a user can enter the console but cannot use the runtime product, check Project Member access. If a runtime user can use the product but cannot enter the console, check Team Member access.
Related docs
- Roles and Permissions:
/docs/concepts/roles-permissions - Identity Model:
/docs/concepts/identity-model - Permissions Catalog:
/docs/reference/permissions-catalog