Appearance
Organizations
Organizations group your projects and control who has access to them. Every project belongs to an organization. Use organizations to separate clients, teams, or departments.
Team Access
Invite members and assign roles
Project Isolation
Each org has separate projects, servers, and environments
Role-Based Permissions
Owner, Developer, Support, Manager
Security
OAuth2, SSH certificates, webhook validation
Roles
Every organization has an Owner (the person who created it) and can have members with one of three roles:
| Role | Description |
|---|---|
| Owner | Full access to everything. Can invite members, manage all projects, environments, and servers. |
| Developer | Can view and update projects, manage environments (create, deploy, update variables), and view servers. |
| Support | Can view projects and servers, update files and variables, create and view environments. |
| Manager | Can view projects, environments, and servers. Read-only access. |
Permission Details
| Permission | Developer | Support | Manager |
|---|---|---|---|
| View projects | Yes | Yes | Yes |
| Update project files | Yes | Yes | - |
| Update project variables | Yes | Yes | - |
| View environments | Yes | Yes | Yes |
| Create environments | Yes | Yes | - |
| Update environments | Yes | - | - |
| Deploy environments | Yes | - | - |
| Update environment variables | Yes | - | - |
| View servers | Yes | Yes | Yes |
| Update server files | Yes | - | - |
Switching Organizations
You can be a member of multiple organizations. Only one is active at a time - all commands and views are scoped to it.
In the web interface: Click the organization name in the top navigation bar and select a different organization from the dropdown.
Using the CLI:
bash
# List your organizations
nebioncli org list
# See current organization
nebioncli org current
# Switch to a different organization
nebioncli org switchManaging Members
Only organization owners can invite or remove members.
- Go to the Organizations page
- Click Manage on your organization
- Click Invite Member
- Enter the member's email address and select a role
- Click Invite
INFO
The invited user must already have a Nebion account. The email address must match their registered account.
Best Practices
- Use separate organizations for different clients or teams
- Assign the Developer role to team members who need deployment access
- Use Support for team members who only need to update files and variables
- Use Manager for stakeholders who only need read access
- Regularly review organization membership
Security & Credentials
Security
Authentication
Nebion supports secure authentication methods:
- Web login - Username and password
- CLI login - OAuth2 with PKCE for secure command-line access
- SSH certificates - Short-lived certificates for container access
SSH Certificate Authentication
When connecting to containers via the CLI, Nebion uses SSH certificate authentication:
- Your CLI generates an Ed25519 keypair (stored in
~/.config/nebioncli/) - When connecting, the CLI requests a short-lived certificate from Nebion
- The certificate is valid for a limited time and specific to the requested server
- Your private key never leaves your machine
This is more secure than static SSH keys because certificates automatically expire and access can be revoked server-side.
Webhook Security
Webhooks between your Git provider and Nebion are secured using:
- Secret tokens - Each webhook has a unique secret for HMAC signature validation
- HTTPS - All webhook traffic is encrypted
- Signature verification - Nebion verifies every incoming webhook request
Environment Protection
Each environment is isolated:
- Unique domain - Each PR gets its own subdomain (e.g.,
pr-42.example.com) - Separate containers - Each environment runs in isolated Docker containers
- HTTP Basic Auth - Optionally protect environments with username/password
Credentials
What Nebion Stores
| Credential | Purpose | Storage |
|---|---|---|
| Deploy keys | Clone your repository | Encrypted in database |
| Server SSH keys | Connect to deployment servers | Encrypted file storage |
| Webhook secrets | Validate incoming webhooks | Encrypted in database |
What You Should Protect
Never commit to version control:
.envfiles with production secrets- Database credentials
- API keys or tokens
- SSH private keys
Use Nebion's environment variables to securely pass secrets to your deployments. See Variables for managing custom variables and credential best practices.
Recommendations
For organizations:
- Separate environments - Use different organizations for different clients
- Regular access reviews - Remove members who no longer need access
For projects:
- Enable HTTP Basic Auth - Protect PR environments from public access
- Use environment variables - Don't hardcode secrets in configuration
- Review webhook logs - Monitor for unexpected deployment triggers
For the CLI:
- Keep CLI updated - Run
nebioncli updateregularly - Logout on shared machines - Use
nebioncli logoutwhen done - Protect config directory - Ensure
~/.config/nebioncli/has proper permissions