Users and project access
Nona includes user management and per-project access controls.
The repo also shows support for:
- invitations
- Google SSO
- Microsoft SSO
This gives teams a cleaner collaboration model than sharing one admin credential across every environment.
Why this matters
Section titled “Why this matters”Configuration systems become risky quickly when every operator shares one broad admin account.
Per-user access and project-level permissions help teams:
- reduce accidental edits
- keep ownership clear
- onboard collaborators more safely
- separate access between apps or teams
Invitations
Section titled “Invitations”The repo shows invitation-based onboarding support.
That matters because it gives teams a cleaner way to add people than manually handing around one credential.
A new user can be invited into the system and then granted access based on the projects they actually need.
In the current repo, an invitation can be completed through:
- password setup
- Google SSO
- Microsoft SSO
That is useful when you want onboarding to match the identity system your team already uses.
How to invite a user
Section titled “How to invite a user”In admin:
- sign in
- open
Users - click the invite action
- enter the user’s name and email
- choose the appropriate access or role
- send or copy the invitation link
With the CLI:
nona users create \ --name "Jane Doe" \ --user-email jane@example.com \ --role editorThe CLI returns the invitation result so you can deliver the invite to the teammate.
Project access
Section titled “Project access”Project access is important because Nona is designed around project boundaries.
That means access can follow the same boundary:
- one team can work on one project
- another team can work on a different project
- operators do not need access to everything by default
This is especially useful once one Nona instance serves multiple apps or services.
How to think about access
Section titled “How to think about access”A practical model is:
- one project per app or service boundary
- give each operator access only to the projects they actually work on
- use invitations instead of shared credentials
That keeps one Nona instance usable across multiple teams without turning it into a shared-admin free-for-all.
SSO support
Section titled “SSO support”The current repo shows support for:
- Google SSO
- Microsoft SSO
That helps teams fit Nona into existing identity workflows instead of forcing password-only administration for every user.
SSO does not bypass access control. It only changes how a user authenticates.
After sign-in, project access still determines what that user can see and edit.
How SSO and invitations work together
Section titled “How SSO and invitations work together”The repo’s SSO flow is stricter than “any valid Google or Microsoft account can log in.”
The system matches the SSO identity to a Nona user account by email. During invitation completion, the SSO email must match the invited email. On the first successful SSO login, Nona links that provider identity to the user for future sign-ins.
That gives you a safer model than open self-registration with external identity alone.
Good operating pattern
Section titled “Good operating pattern”For a real team setup:
- create the project structure first
- invite users individually
- grant access by project boundary
- review Audit logs after sensitive permission changes if needed
Does SSO bypass project access control?
Section titled “Does SSO bypass project access control?”No.
SSO only changes how a user authenticates. Project access still determines what the user can see and edit afterward.
Should I invite users instead of sharing one admin account?
Section titled “Should I invite users instead of sharing one admin account?”Yes.
Invitation-based onboarding and per-user access are much safer than sharing one broad admin credential.
Can access be limited by project?
Section titled “Can access be limited by project?”Yes.
Project boundaries are part of the intended access-control model, especially when one Nona instance serves multiple apps or teams.
What is the safest first collaboration model?
Section titled “What is the safest first collaboration model?”Create the project structure first, invite users individually, then grant each person only the project access they actually need.