Skip to main content
Users in Zygo represent individual people in your organization. A single user account can belong to multiple tenants with different roles in each, giving you flexible access control across teams, departments, or clients.

Inviting Users

There are two ways to bring users into Zygo, depending on your access level.

Tenant Invitation

The most common way to add users. Tenant admins invite people by email — if the person already has a Zygo account, they’re added to the tenant immediately. If they don’t, an account is created for them and they receive an email with instructions to get started. When inviting a user, you assign their initial roles in the tenant. These can be changed at any time.

Platform-Level Creation

Superadmins can create user accounts directly from the platform user management page. This is useful for pre-provisioning accounts before assigning them to tenants, or for creating other superadmin accounts.

User Profiles

Every user has a profile that includes:
  • Email address — used for login and notifications
  • Display name — shown in the UI and on tickets, comments, and activity logs
  • License type — controls the user’s plan tier
  • Trial period — number of trial days remaining, if applicable
Users can update their own profile at any time. Superadmins can update any user’s profile.

Email Confirmation

New users must confirm their email address before accessing most features. This ensures that every account is tied to a real, verified inbox.
1

User receives a confirmation email

When an account is created, Zygo sends a confirmation email with a verification code.
2

User enters the code

The user enters the code in Zygo to verify their email address.
3

Access is granted

Once confirmed, the user can access all features available to their role.
A confirmation email can be re-sent by the user themselves, a superadmin, or an admin in a shared tenant. However, only the user themselves can enter the verification code — admins cannot confirm on someone else’s behalf.
Until their email is confirmed, users can only access the confirmation flow and a limited set of account setup endpoints. They cannot view tenant resources.

Passwords

Changing Passwords

Users can change their own password at any time from their account settings. The new password must be entered twice for confirmation.

Required Password Changes

Superadmins can flag a user’s account to require a password change on next login. When this is set, the user is redirected to the password change screen and cannot access any other page until they set a new password. This is useful for:
  • Initial account setup after an admin creates the account
  • Security incidents where passwords need to be rotated
  • Compliance policies that require periodic password changes

Account Status

User accounts can be in one of two states:
StatusBehavior
ActiveThe user can log in and access resources normally
DeactivatedThe user cannot log in. All sessions are effectively invalidated.
Deactivation is a soft delete — the account and all its data are preserved, but the user loses access. This is useful when someone leaves the organization or their access needs to be temporarily suspended. A superadmin can reactivate a deactivated account at any time, restoring full access.
Deactivating a user does not remove them from their tenants. If reactivated, they regain access to every tenant they were previously a member of, with the same roles.

Superadmin Capabilities

Superadmins have elevated controls over user accounts that regular users and tenant admins cannot access:
CapabilityDescription
Activate / deactivate accountsEnable or disable any user’s login access
Grant superadmin statusPromote a user to superadmin or revoke it
Tenant creation permissionsAllow or disallow a user from creating new tenants
Tenant limitSet the maximum number of tenants a user can own
View all usersBrowse and search across every user account in the platform
Create accounts directlyProvision new accounts without going through a tenant invitation
Superadmin is a platform-level privilege, not a tenant role. A superadmin automatically has full access to every tenant without needing to be added as a member.

Multi-Tenant Membership

A single user can belong to any number of tenants. Each membership is independent:
  • Different roles per tenant — a user might be an Admin in their own company’s tenant and a Viewer in a client’s tenant
  • Switching tenants — in the browser UI, users switch between tenants from the tenant selector. The active tenant determines which resources are visible.
  • API access — when using the API, the tenant is determined by the URL, so users can access any of their tenants without switching

Welcome Experience

New users see a welcome message on their first login that introduces the platform. This message can be dismissed and won’t appear again. This is handled per-user, so each person gets the onboarding experience once regardless of how many tenants they join.