diff --git a/macros/iam/login-member.mdx b/macros/iam/login-member.mdx
new file mode 100644
index 0000000000..1acfc83a5f
--- /dev/null
+++ b/macros/iam/login-member.mdx
@@ -0,0 +1,37 @@
+---
+macro: login-member
+---
+
+If you were added to a Scaleway Organization as an [IAM member](/iam/concepts#members), the login process is different.
+
+
+ Login via [Single Sign-On (SSO)](/account/concepts/#single-sign-on-sso) is currently not available for members.
+
+
+1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
+2. Click the **Log in as an IAM Member**.
+3. Enter the Organization ID and click **Continue**.
+
+ When you are added to an Organization as a member, a Scaleway account is automatically created for you. An Organization administrator must provide a username, email and Organization ID for you to log in.
+
+4. Enter the username given to you by your Organization's Owner or administrator.
+5. Select an authentication method between **Send code** and **Enter password**.
+
+
+ 1. Click **Send code** to receive a login code in your email.
+ 2. Enter the code you received in your email.
+
+ If you did not receive the email you can follow these steps, in order:
+ - Make sure you check your spam folder
+ - Click **Resend email**
+ - Contact an Organization administrator to make sure your information was correctly registered
+ - If none of the actions above work, ask an administrator to [contact the support](/account/how-to/open-a-support-ticket/#writing-an-effective-subject-and-description)
+
+ 3. Click **Continue**.
+
+
+ 1. Click **Enter password**.
+ 2. Type your password in the box.
+ 3. Click **Continue**.
+
+
\ No newline at end of file
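Review bot: The link target `/iam/concepts#members` in the first paragraph does not match the heading this patch adds to pages/iam/concepts.mdx, which is `## Member`; other files in the patch link to `/iam/concepts/#member`, so use that form here. In step 2, "Click the **Log in as an IAM Member**." is missing its noun ("button") or should drop "the". The body also switches between "IAM member", "members" and "Member"; pick the capitalised form used in the concept entry. The file ends without a trailing newline.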
diff --git a/menu/navigation.json b/menu/navigation.json
index a107c97853..0839e80bda 100644
--- a/menu/navigation.json
+++ b/menu/navigation.json
@@ -52,10 +52,6 @@
"label": "Configure support plans",
"slug": "configure-support-plans"
},
- {
- "label": "Enforce multifactor authentication",
- "slug": "enforce-mfa"
- },
{
"label": "Use multifactor authentication",
"slug": "use-2fa"
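Review bot: Removing the `enforce-mfa` entry from this section changes the URL section the page is served under, and the part of the patch shown here does not include the page file being moved or a redirect being added. Links elsewhere in the patch already point to `/organizations-and-projects/how-to/enforce-mfa/`, so confirm that the old `/account/how-to/enforce-mfa/` path redirects and that no remaining page links to it.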
@@ -279,6 +275,10 @@
"label": "Generate an SSH key",
"slug": "create-ssh-key"
},
+ {
+ "label": "Enforce multifactor authentication",
+ "slug": "enforce-mfa"
+ },
{
"label": "Add resources to a Project",
"slug": "add-resources-project"
@@ -336,7 +336,7 @@
{
"items": [
{
- "label": "Invite a user to an Organization",
+ "label": "Invite a Guest to an Organization",
"slug": "invite-user-to-orga"
},
{
@@ -344,16 +344,12 @@
"slug": "accept-invitation-to-orga"
},
{
- "label": "Manage users",
- "slug": "manage-users"
- },
- {
- "label": "Create an application",
- "slug": "create-application"
+ "label": "Log in as a Member",
+ "slug": "log-in-as-a-member"
},
{
- "label": "Manage applications",
- "slug": "manage-applications"
+ "label": "Comply with security requirements as a Member",
+ "slug": "comply-with-sec-requirements-member"
},
{
"label": "Create API keys",
@@ -363,6 +359,26 @@
"label": "Manage API keys",
"slug": "manage-api-keys"
},
+ {
+ "label": "Manage users",
+ "slug": "manage-users"
+ },
+ {
+ "label": "Manage Members",
+ "slug": "manage-members"
+ },
+ {
+ "label": "Enforce security requirements for Members",
+ "slug": "enforce-security-requirements-members"
+ },
+ {
+ "label": "Create an application",
+ "slug": "create-application"
+ },
+ {
+ "label": "Manage applications",
+ "slug": "manage-applications"
+ },
{
"label": "Create a group",
"slug": "create-group"
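Review bot: The new slug `enforce-security-requirements-members` does not follow the same pattern as `comply-with-sec-requirements-member` added in the previous hunk ("security" against "sec", plural against singular). Align the two before the URLs are published, since renaming a slug later means adding redirects. The labels "Manage users" and "Manage Members" also sit side by side with different capitalisation; if the capital is meant to mark the defined Member type, that is fine, but it is worth stating the convention.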
diff --git a/pages/account/concepts.mdx b/pages/account/concepts.mdx
index 0e09d38b33..f45731445d 100644
--- a/pages/account/concepts.mdx
+++ b/pages/account/concepts.mdx
@@ -50,6 +50,10 @@ Multifactor authentication (MFA) is any form of verification that requires two f
A password is a string of characters associated to your account's email address that allows you to access the [Scaleway console](https://console.scaleway.com/). It is personal and must not be shared with anyone. Alternatively, you can use a [magic link](#magic-link) to authenticate yourself.
+## Single Sign-on (SSO)
+
+Single Sign-On (SSO) allows you to use your Google or Microsoft account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Microsoft account.
+
## Support plan
Scaleway provides four different types of [support plans](https://console.scaleway.com/support/plans): Basic, Silver, Gold and Platinum. Your support plan determines the level of service and dedicated assistance you have access to, and the guaranteed response time of your support requests. You can [configure your support plan in the console](/account/how-to/configure-support-plans/).
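Review bot: The heading reads "Single Sign-on (SSO)" while the sentence below it writes "Single Sign-On (SSO)"; use one casing. The definition names only Google and Microsoft accounts, whereas step 2 of the SSO procedure in pages/account/how-to/log-in-to-the-console.mdx also lists a **Log in with GitHub** button, so either add GitHub here or correct the how-to.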
diff --git a/pages/account/how-to/log-in-to-the-console.mdx b/pages/account/how-to/log-in-to-the-console.mdx
index 9c1b15e373..6933a95a4e 100644
--- a/pages/account/how-to/log-in-to-the-console.mdx
+++ b/pages/account/how-to/log-in-to-the-console.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Steps to log in to the Scaleway console.
tags: account login password access magic-link magic link SSO
dates:
- validation: 2024-12-05
+ validation: 2024-12-05
posted: 2024-06-11
categories:
- console
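Review bot: The `validation` line is removed and re-added with the same value, which looks like a whitespace-only change. This patch adds two sections to the page, so if the page was re-validated, the date should be updated rather than left at 2024-12-05; otherwise drop the whitespace change from the diff.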
@@ -17,7 +17,7 @@ categories:
- A [Scaleway](https://www.scaleway.com/en/) account
-## Log in to the console with a Magic Link
+## How to log in with a Magic Link
Instead of using your password, you can use a **Magic Link** to authenticate yourself when you log into the Scaleway console. This provides quick and secure access to your account without the hassle of remembering your password. When you choose to sign in with Magic Link, you receive a unique link sent directly to your email inbox which you can use one time only to authenticate your login. Afterward, it automatically becomes invalid.
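Review bot: Renaming this heading (and the SSO heading in the next hunk) changes the anchors generated from them. Check for inbound links to the old `#log-in-to-the-console-with-a-magic-link` and `#log-in-to-the-console-with-sso` anchors and update them in the same patch.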
@@ -36,11 +36,29 @@ A confirmation email is sent to your inbox, confirming that you have authenticat
The Magic Link becomes invalid as soon as you have used it. If you log out from the console and want to log in again without your password, you will need to request a new magic link by repeating the steps above.
-## Log in to the console with SSO
+## How to log in with SSO
Scaleway provides Single Sign-On (SSO) options for a seamless login experience. You can use your Google or Microsoft account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Microsoft account.
1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
-2. Click the **Log in with Google** , **Log in with Microsoft**, or **Log in with GitHub** button, depending on the account you want to use.
+2. Click the **Log in with Google**, **Log in with Microsoft**, or **Log in with GitHub** button, depending on the account you want to use.
3. You will be redirected to the respective login page of Google, Microsoft or GitHub.
-4. If multifactor authentication (MFA) is activated, enter the authentication code.
+4. If multifactor authentication (MFA) is activated, enter the authentication code.
+
+## Log in as an IAM member
+
+
+
+## How to log in using MFA
+
+If [Multifactor Authentication (MFA)](/account/how-to/use-2fa) is enabled on your account, MFA authentication will be an additional step for all methods of log in described on this page.
+
+If the login information provided in any of the previous methods is valid, you will be redirected the Multifactor Authentication screen.
+
+1. Enter a valid two-factor token or backup key.
+
+ This is the the token provided in your MFA app.
+
+2. Click **Log in**.
+
+If the code is correct, you are redirected to the Organization dashboard.
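Review bot: Two typos in the added MFA section: "you will be redirected the Multifactor Authentication screen" is missing "to", and "This is the the token provided in your MFA app." repeats "the". Step 1 accepts "a valid two-factor token or backup key", but the note under it only explains the token; add a sentence on where the backup key comes from or link to the section of the MFA page that covers it. The heading "Log in as an IAM member" should follow the "How to log in ..." pattern the other headings were just renamed to, with "Member" capitalised as elsewhere in the patch.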
diff --git a/pages/account/how-to/use-2fa.mdx b/pages/account/how-to/use-2fa.mdx
index 8e1e55c081..eee70d196d 100644
--- a/pages/account/how-to/use-2fa.mdx
+++ b/pages/account/how-to/use-2fa.mdx
@@ -32,8 +32,10 @@ Download the app of your choice and install it onto your smartphone.
## How to enable MFA
-1. Access the [Security](https://console.scaleway.com/account/security) tab of your **User Account** page.
- Alternatively, click your Organization name on the top-right corner of the console navigation menu, click **Profile**, then **Security**.
+1. Click your Organization name on the top-right corner of the console navigation menu, click **Profile**, then **Security**.
+
+ If you are logged in as an [IAM Member](/iam/concepts/#member), Click **Profile**, then **Credentials** and scroll down to the **Multifactor authentication** section.
+
2. Click **Enable MFA**, in the **Multifactor authentication** section. A pop-up displays.
3. Enter the code shown on the pop-up into your MFA app, or scan the QR code into your app.
Your app sets up MFA for your Scaleway account and displays a 6-digit code.
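Review bot: In the added note, "Click **Profile**" is capitalised mid-sentence after the comma. The note also does not say where an IAM Member finds **Profile**, while the main step spells out the path through the Organization name menu; give the Member path the same level of detail. The direct link to the Security tab was removed from step 1 but is still used in step 1 of "How to disable MFA" further down the page, so the two procedures now start differently.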
@@ -69,7 +71,7 @@ If you no longer have access to the device in which you set up your MFA, you can
## How to disable MFA
- You cannot disable MFA if you are a member of one or more Organizations where MFA is enforced. If you wish to disable MFA, you must first leave these Organizations. If you do not know which of your Organizations enforce MFA, follow the procedure below until step 2. The Organizations will be listed in the **Disable MFA** pop-up.
+ You cannot disable MFA if you are a Member of one or more Organizations where MFA is enforced. If you wish to disable MFA, you must first leave these Organizations. If you do not know which of your Organizations enforce MFA, follow the procedure below until step 2. The Organizations will be listed in the **Disable MFA** pop-up.
1. Access the [Security](https://console.scaleway.com/account/security) tab of your **User Account** page.
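Review bot: Capitalising "Member" here turns a generic word into the IAM user type this patch defines, and that changes the meaning of the note. The new concept entry says Members exist only within the Organizations in which they are created, so "a Member of one or more Organizations" who "must first leave these Organizations" no longer clearly describes Guests, who are the users that belong to several Organizations. Keep the lowercase "member", or name the user types the restriction applies to.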
diff --git a/pages/iam/concepts.mdx b/pages/iam/concepts.mdx
index 9d20fc51cb..0400f283f4 100644
--- a/pages/iam/concepts.mdx
+++ b/pages/iam/concepts.mdx
@@ -40,6 +40,10 @@ The Common Expression Language (CEL) is used to define expressions in [condition
A condition is an additional layer of restrictions for your rule. You can allow access to specific user agents or IP addresses, and allow actions to be performed only at certain dates and times. Conditions are defined through [CEL](#common-expression-language-cel) expressions, and can be set up and configured in the Scaleway console. Refer to the [Understanding policy conditions](/iam/reference-content/understanding-policy-conditions) documentation page to learn how they are set up and how you can define them.
+## Grace period
+
+The grace period is the time an [IAM Member](#members) has to comply with the security requirements that are enforced in your Organization before their account is automatically locked. The accounts can be manually unlocked by an Owner or IAM Manager. Upon regaining access, the grace period resets, giving IAM Members another chance to meet security requirements.
+
## Group
A group (also known as an IAM group) is a grouping of [users](#user) and/or [applications](#application). Creating groups allows you to attach [policies](#policy) to multiple users and/or applications at the same time.
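Review bot: The link `[IAM Member](#members)` points to an anchor that does not exist on this page; the entry added later in this same file is `## Member`, so the target should be `#member`. The entry also says "Owner or IAM Manager" where the Member entry says "Owner or user with IAM Manager permissions"; use one wording.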
@@ -62,6 +66,12 @@ Similarly, you may participate as a Guest in someone else's Organization, where
You can also create non-human users in your Organization, called [IAM applications](#application), in order to give applications programmatic access to your Scaleway resources.
+## Member
+
+You are a Member when you are added to an Organization by an Owner or user with IAM Manager permissions. Members exist only within the specific Organizations in which they are created. This is one of the methods employed at Scaleway to allow Organizations to have multi-users. Members fufill the same purpose as Guest, while ensuring the security of the Organization.
+
+As a Member you are subject to [complying with the security requirements](/iam/how-to/comply-with-sec-requirements-member) in effect in your Organization.
+
## Organization
An Organization is made of one or several [Projects](#project). When you create your Scaleway account, an Organization is automatically created, of which you are the Owner. When you create [IAM rules](#rule), you can set their scope at Organization level.
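Review bot: "fufill" is a typo for "fulfill", and "to have multi-users" should read "to have multiple users". The sentence "Members fufill the same purpose as Guest, while ensuring the security of the Organization" does not say what actually differs from a Guest and implies Guests are insecure; state the concrete difference instead, which the surrounding lines already give: the account exists only within the Organization and is subject to the enforced security requirements.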
@@ -79,8 +89,6 @@ The Organization ID identifies the [Organization](#organization) created with yo
You are the [Owner](#owner) of the Organization that is created with your Scaleway account. Owners have full rights and access to all resources and features in their Organization. See also [Guest](#guest).
-
-
## Permission
A permission is a granular right, which is checked to determine whether to give access to an API endpoint. Permissions are grouped into [permission sets](#permission-set) to facilitate access management within [policies](#policy).
@@ -158,7 +166,7 @@ Keep in mind that:
A user (also known as an IAM user) is a human user in an Organization. They can be of two types:
- **Owner**: You are the Owner of the [Organization](#organization) that was created with your account.
- **Guest**: You are a Guest when invited to another Organization of which you are not the Owner. Similarly, you can invite other users to be Guests in your Organization.
+- **Member**: You are a Member when you are added to an Organization by an Owner or user with IAM Manager permissions. Members exist only within the specific Organizations in which they are created.
Within each Organization, different IAM users can have different rights (defined through [policies](#policy)) to perform actions on resources.
-
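Review bot: The unchanged intro line still says "They can be of two types:" but the list now has three entries with the added **Member** bullet. Update the count, or drop the number so the sentence does not go stale again.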
diff --git a/pages/iam/how-to/accept-invitation-to-orga.mdx b/pages/iam/how-to/accept-invitation-to-orga.mdx
index 87005ce933..b4522d8768 100644
--- a/pages/iam/how-to/accept-invitation-to-orga.mdx
+++ b/pages/iam/how-to/accept-invitation-to-orga.mdx
@@ -10,7 +10,7 @@ dates:
posted: 2022-06-20
---
-When you [create a Scaleway account](/account/how-to/create-an-account/), an Organization is automatically created, of which you are the [Owner](/iam/concepts/#owner). If you are invited to someone else's Organization, you will simultaneously be the Owner of your own Organization and a guest in the other Organization, where you will have the rights and permissions granted to you via [policies](/iam/concepts/#policy).
+When you [create a Scaleway account](/account/how-to/create-an-account/), an Organization is automatically created, of which you are the [Owner](/iam/concepts/#owner). If you are invited to someone else's Organization, you will simultaneously be the Owner of your own Organization and a Guest in the other Organization, where you will have the rights and permissions granted to you via [policies](/iam/concepts/#policy).
@@ -22,7 +22,9 @@ When you [create a Scaleway account](/account/how-to/create-an-account/), an Org
When someone invites you to join their Organization, you receive an email to inform you.
- If the Organization you were invited to [enforces MFA](/account/how-to/enforce-mfa/), make sure you have [activated MFA](/account/how-to/use-2fa/) before accepting the invitation.
+ Keep in mind that:
+ - The procedure described on this page applies only to [IAM Guests](/iam/concepts/#guest)
+ - If the Organization you were invited to [enforces MFA](/organizations-and-projects/how-to/enforce-mfa/), make sure you have [activated MFA](/account/how-to/use-2fa/) before accepting the invitation.
## If you already have a Scaleway account
diff --git a/pages/iam/how-to/assets/scaleway-guest-or-member.webp b/pages/iam/how-to/assets/scaleway-guest-or-member.webp
new file mode 100644
index 0000000000..2674a0adc5
Binary files /dev/null and b/pages/iam/how-to/assets/scaleway-guest-or-member.webp differ
diff --git a/pages/iam/how-to/assets/scaleway-iam-member-sec-req.webp b/pages/iam/how-to/assets/scaleway-iam-member-sec-req.webp
new file mode 100644
index 0000000000..8d9f21db97
Binary files /dev/null and b/pages/iam/how-to/assets/scaleway-iam-member-sec-req.webp differ
diff --git a/pages/iam/how-to/comply-with-sec-requirements-member.mdx b/pages/iam/how-to/comply-with-sec-requirements-member.mdx
new file mode 100644
index 0000000000..b2845bfce6
--- /dev/null
+++ b/pages/iam/how-to/comply-with-sec-requirements-member.mdx
@@ -0,0 +1,65 @@
+---
+title: How to comply with security requirements as a Member
+description: Instructions for complying with security requirements as an IAM Member
+content:
+ h1: How to comply with security requirements as a Member
+ paragraph: Instructions for complying with security requirements as an IAM Member
+dates:
+ validation: 2025-03-24
+ posted: 2025-03-24
+---
+
+Upon your [first login as a Member](/iam/how-to/log-in-as-a-member), you must comply with your Organization's security requirements to ensure you can log in without issues in the future.
+
+
+
+- A Scaleway account and logged into the [console](https://console.scaleway.com) as an [IAM Member](/iam/concepts/#member)
+
+## How to check the security requirements
+
+Organization administrators may require you to perform two different security actions:
+
+- [Updating your password](#how-to-update-a-password)
+- [Setting up MFA](#how-to-set-up-mfa-as-a-member)
+
+If one of these requirements is enforced in your Organization, a security checklist will display in your Scaleway console when you log in for the first time,
+
+
+
+
+The security requirements checklist is only visible to new Members who have not complied with their Organization's security requirements.
+
+
+### Grace period
+
+New IAM Members have a [grace period](/iam/concepts/#grace-period) available to comply with security requirements. The grace period is defined by the Organization's administrator or is set to default (3 days).
+
+
+Once the grace period is over, your Member account is automatically locked. This means you will no longer be able to log into the console and access your resources. You must personally contact an Organization administrator to unlock you. When you regain access to the Organization, the grace period resets and you have the set amount of time to comply with the requirements again.
+
+
+For example, if your Organization's grace period is set to default, you have 3 days, starting from your first login, to renew your password or define a new one, and to set up MFA. If you logged in for the first time on Monday 3:22 p.m., you have until Thursday at 3:22 p.m. to comply with security requirements. If you fail to comply, you will get locked out of the Organization starting from Thursday at approximately 3:23p.m.
+
+## How to update a password
+
+Passwords are not required for a first Member login.
+
+However, if password renewal is enforced in your Organization, you must update your password after your first login.
+
+
+Your Organization's administrator may provide you with a password for your first login. If password renewal is enforced in your Organization, you still need to update your password.
+
+
+1. Click **Update password** in your security requirements **Checklist** in the Scaleway console. A pop-up appears.
+2. Define a new password in the box.
+3. (Optional) Check the box if you want to send the password to your email.
+
+ Make sure you copy and securely store the password, as it will only be shown once. If you lose access to your password, you must renew it again. Refer to the [How to manage members](/iam/how-to/manage-members#how-to-edit-a-members-information) documentation to learn how to renew your password after first renewal.
+
+
+If all security requirements are met, you will be redirected to the Organization dashboard. If not, follow the steps of the [next section](#how-to-set-up-mfa-as-a-member) to complete the checklist.
+
+## How to set up MFA as a Member
+
+1. Click **Enable MFA** in your security requirements **Checklist** in the Scaleway console. A pop-up appears.
+2. Follow the steps as indicated in the [How to use MFA](/account/how-to/use-2fa) documentation page.
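Review bot: The frontmatter puts `title` and `description` at the top level, while the other pages added in this patch nest them under `meta:`; use the same structure so the page metadata is picked up. In the body, the sentence ending "when you log in for the first time," stops on a comma, and "3:23p.m." is missing a space. The password note sends a Member to the "How to manage members" page to renew a password, but that page requires Owner status or IAM permissions, so say explicitly that an administrator has to do it. The prerequisite line "A Scaleway account and logged into the console" should read "A Scaleway account logged into the console", as on the other pages.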
diff --git a/pages/iam/how-to/create-api-keys.mdx b/pages/iam/how-to/create-api-keys.mdx
index 9ff4d8c9e0..8f3389b869 100644
--- a/pages/iam/how-to/create-api-keys.mdx
+++ b/pages/iam/how-to/create-api-keys.mdx
@@ -59,4 +59,3 @@ API keys always inherit the permissions of their bearer (the IAM user or IAM app
9. Ensure you have securely saved the secret key, then close the window. You are returned to the **API keys** tab, where your new API key now appears in the list.
-
diff --git a/pages/iam/how-to/enforce-security-requirements-members.mdx b/pages/iam/how-to/enforce-security-requirements-members.mdx
new file mode 100644
index 0000000000..6049f33bc7
--- /dev/null
+++ b/pages/iam/how-to/enforce-security-requirements-members.mdx
@@ -0,0 +1,81 @@
+---
+meta:
+ title: How to enforce security requirements for IAM members in your Organization
+ description: This page shows you how to edit the grace period IAM members have to comply with security requirements and enforce password renewal.
+content:
+ h1: How to enforce security requirements for IAM members
+ paragraph: This page shows you how to edit the grace period IAM members have to comply with security requirements and enforce password renewal.
+dates:
+ validation: 2025-02-11
+ posted: 2025-02-11
+categories:
+ - console
+---
+
+For the increased security of your Organization, you can enforce different security measures for your IAM members.
+
+
+ The security measures listed on this page, except enforcing MFA, apply only to [IAM members](/iam/concepts#members).
+
+
+
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+
+## How to disable a member's MFA
+
+If [Multifactor Authentication (MFA) is enabled](/account/how-to/use-2fa) for a member you can disable it anytime. Disabling MFA is useful if the member loses access to their authentication app and needs to reset MFA.
+
+1. Click **Identity and Access Management (IAM)** on the top-right corner of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
+2. Click the name of the member you want to delete. Alternatively, click next to the member, and select **Overview**. Either way, you are taken to the user's **Overview** tab.
+3. Click the **Credentials** tab.
+4. Scroll to the **Disable multifactor authentication** section.
+5. Click **Disable MFA**. A pop-up appears.
+
+ Keep in mind that disabling MFA means a member will no longer be required to sign in with MFA. If [MFA is enforced](/organizations-and-projects/how-to/enforce-mfa) at the Organization level, the member will have a grace period allowing them to enable it again.
+
+6. Type **DISABLE** in the box and click **Confirm**.
+
+## How to enforce MFA for a member
+
+You can enforce MFA for all users in your Organization, including members.
+
+
+ Refer to the [How to enforce MFA](/organizations-and-projects/how-to/enforce-mfa) documentation page for more information.
+
+
+
+## How to enforce password renewal
+
+1. Click the **Security** tab of the [Organization Dashboard](https://console.scaleway.com/organization).
+2. Scroll to the **Password renewal** section.
+3. Click **Enforce renewal**. A pop-up displays.
+
+ Enforcing password renewal means that all members with a password in the Organization will be requested to reset it upon their first login.
+
+4. Type **ENFORCE** in the box and click **Confirm**.
+
+## How to stop enforcing password renewal
+
+1. Click the **Security** tab of the [Organization Dashboard](https://console.scaleway.com/organization).
+2. Scroll to the **Password renewal** section.
+3. Click **Stop enforcing renewal**. A pop-up displays.
+4. Type **STOP** in the box and click **Confirm**.
+
+## How to edit the grace period of your Organization
+
+From their first login, Members have a default grace period of 3 days to comply with security requirements before their access to the Organization is automatically locked. You can extend or reduce the grace period in the console.
+
+
+ Locked Members cannot connect to the Organization until they are [manually unlocked](/iam/how-to/manage-members#how-to-unlock-a-member). Upon regaining access, the grace period resets, giving them another chance to meet security requirements.
+
+
+1. Click the **Security** tab of the [Organization Dashboard](https://console.scaleway.com/organization).
+2. Scroll to the **Grace period** section.
+3. Click **Define grace period**. A pop-up displays.
+4. Define the grace period in hours or days.
+5. Click **Define grace period** to confirm.
+
+
+
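Review bot: Step 2 of "How to disable a member's MFA" says "Click the name of the member you want to delete", which looks copied from a deletion procedure; it should refer to the member whose MFA is being disabled. The `description` and `paragraph` frontmatter mention only the grace period and password renewal, although the page also covers disabling and enforcing MFA. The link `/iam/concepts#members` should target `#member`, and the page mixes "members" with "Members" (grace period section); use the capitalised form throughout. The file also ends with several empty added lines that can be removed.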
diff --git a/pages/iam/how-to/invite-user-to-orga.mdx b/pages/iam/how-to/invite-user-to-orga.mdx
index f2dd2eab49..1cfd8c9dbf 100644
--- a/pages/iam/how-to/invite-user-to-orga.mdx
+++ b/pages/iam/how-to/invite-user-to-orga.mdx
@@ -1,22 +1,24 @@
---
meta:
- title: How to invite another user to an Organization
+ title: How to invite a Guest to an Organization
description: Learn how to invite users to your Scaleway Organization
content:
- h1: How to invite another user to an Organization
+ h1: How to invite a Guest to an Organization
paragraph: Learn how to invite users to your Scaleway Organization
dates:
validation: 2025-01-06
posted: 2022-06-20
---
-When you [create a Scaleway account](/account/how-to/create-an-account/), you are the [Owner](/iam/concepts/#owner) of your Organization. You can invite other people to join your Organization: they will create their own Scaleway account (if they do not already have one) and then become [IAM users](/iam/concepts/#user) of your Organization.
+When you [create a Scaleway account](/account/how-to/create-an-account/), you are the [Owner](/iam/concepts/#owner) of your Organization. Two types of users can be added to your Organizaton: [Members](/iam/concepts#members) and [Guests](/iam/concepts#guests).
-
+When you invite someone as a Guest they will create their own Scaleway account, if they do not already have one.
-You can define the rights and permissions you want guests to have in your Organization via [policies](/iam/concepts/#policy).
+You can define the rights and permissions you want Guests to have in your Organization via [policies](/iam/concepts/#policy).
-You can invite people to be IAM users of an Organization in which you are not the Owner, if you have sufficient permissions (via policies) to do so. See our documentation on [permission sets](/iam/reference-content/permission-sets/) for more information.
+
+
+In the next steps we show you how to invite a Guest.
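Review bot: "Organizaton" in the first paragraph is a typo, and the links `/iam/concepts#members` and `/iam/concepts#guests` do not match the singular anchors used elsewhere in this patch (`/iam/concepts/#member`, `/iam/concepts/#guest`). The removed sentence about inviting users to an Organization you do not own, with its link to permission sets, has no replacement in the visible lines; keep that information if it still applies to Guests. The `description` and `paragraph` frontmatter still say "invite users" while the title now says "Guest".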
@@ -25,10 +27,11 @@ You can invite people to be IAM users of an Organization in which you are not th
1. Click **Identity and Access Management (IAM)** from the top-right of your [**Organization Dashboard**](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
-2. Click **+ Add user**. The following screen displays:
-
-3. Enter the email address of the person you want to invite. If you want to invite more than one user, enter multiple email addresses separated by commas. Optionally, you can also select a [group](/iam/concepts/#group) to add the user to.
-4. Optionally, add one or more tags.
+2. Click **+ Add user**. A pop-up displays prompting you to choose between creating a **Member** or adding a **Guest**.
+
+3. Select **Guest** and click **Continue**.
+4. Enter the email address of the person you want to invite. If you want to invite more than one user, enter multiple email addresses separated by commas. Optionally, you can also select a [group](/iam/concepts/#group) to add the user to.
+5. Optionally, add one or more tags.
Tags are key/value pairs that help you organize your users. Keep in mind that:
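Review bot: Step 2 says **+ Add user** opens a pop-up offering **Member** or **Guest**, but step 2 of "How to create a Member" in pages/iam/how-to/manage-members.mdx tells the reader to click **+ Create Member**. Only one of these can match the console; check the button label and make both pages describe the same entry point.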
@@ -36,9 +39,9 @@ You can invite people to be IAM users of an Organization in which you are not th
- Tag values must be between 1 and 70 characters long, including `key` and `value`
- The same tag cannot be used twice
-5. Click **Invite** to send the invitation.
+6. Click **Invite** to send the invitation.
The user receives an email inviting them to accept your invitation. If they do not already have a Scaleway account, they will be prompted to [create one](/account/how-to/create-an-account/) first.
-6. The user will appear in the list of your Organization's users once they have accepted the invitation.
+7. The user will appear in the list of your Organization's users once they have accepted the invitation.
Invitations have a validity period of 7 days.
diff --git a/pages/iam/how-to/log-in-as-a-member.mdx b/pages/iam/how-to/log-in-as-a-member.mdx
new file mode 100644
index 0000000000..3a53aacda0
--- /dev/null
+++ b/pages/iam/how-to/log-in-as-a-member.mdx
@@ -0,0 +1,25 @@
+---
+meta:
+ title: How to log into the Scaleway console for the first time as an IAM Member
+ description: Instructions for logging into the Scaleway console for the first time as an IAM Member
+content:
+ h1: How to log into the Scaleway console for the first time as an IAM Member
+ paragraph: Instructions for logging into the Scaleway console for the first time as an IAM Member
+dates:
+ validation: 2025-06-02
+ posted: 2025-06-02
+---
+
+When you are added to a Scaleway Organization, you become a Member of said Organization. To access the Organization, you must perform a first login and comply with your Organization's security requirements.
+
+
+
+
+
+Once you have successfully logged in for the first time, you must then comply with your Organization's security requirements to ensure you can log in without issues in the future. Refer to the [How to comply with security requirements as a Member](/iam/how-to/comply-with-sec-requirements-member) documentation page to follow the procedure.
+
+
+
+
+
+
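Review bot: The intro and the closing paragraph both say that the Member must comply with the Organization's security requirements after the first login; keep the closing paragraph with its link and shorten the intro. The title says "for the first time" while the navigation label is "Log in as a Member", so say in the body whether later logins follow the same steps. The run of empty added lines at the end of the file can be trimmed.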
diff --git a/pages/iam/how-to/manage-members.mdx b/pages/iam/how-to/manage-members.mdx
new file mode 100644
index 0000000000..f8bcb0ee6a
--- /dev/null
+++ b/pages/iam/how-to/manage-members.mdx
@@ -0,0 +1,125 @@
+---
+meta:
+ title: How to manage IAM Members
+ description: Instructions for managing Members in Scaleway IAM.
+content:
+ h1: How to manage IAM Members
+ paragraph: Instructions for managing Members in Scaleway IAM.
+dates:
+ validation: 2025-06-02
+ posted: 2025-06-02
+---
+
+
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+
+## How to create a Member
+
+1. Click **Identity and Access Management (IAM)** from the top-right of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
+2. Click **+ Create Member**. A pop-up displays.
+3. Enter a username and the email address of the Member you want to add to your Organization.
+
+ When you create a Member, a Scaleway account is created for them. They exist only within your Organization. If you delete the Member, their account is also deleted.
+
+4. (Optional) Check the box if you want to send a welcome email to the Member.
+5. Add a password.
+
+ This step is optional. If you set a password, make sure you keep note of it to share it with the Member later. The password will only be shown once. If password renewal is enforced in the Organization, from their first login, the Member has up to 3 days to update their password and comply with this security requirement.
+
+6. (Optional) Check the box if you want to send the password to the Member via email.
+7. Click **Create Member**.
+
+If you did not send an welcome email to the Member, make sure you give them their login information.
+
+## How to lock a Member
+
+As an Owner or user with IAM Manager permissions, you can lock a Member anytime.
+
+
+ Locking is an action that only applies to IAM Members. Keep in mind that:
+ - Once a Member is locked, they cannot log into the Organization, but are not removed from it.
+ - Any API keys attached to a Member lose their permissions when the Member is locked.
+
+
+1. Click **Identity and Access Management (IAM)** on the top-right corner of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
+2. Click the name of the Member you want to lock. Alternatively, click next to the Member, and select **Overview**. Either way, you are taken to the user's **Overview** tab.
+3. Scroll to the **Lock Member** section.
+4. Click **Lock Member**. A pop-up appears.
+5. Type **LOCK** in the box and click **Confirm**.
+
+The Member is locked, their name is displayed in red, and their status is marked as `Locked` in the IAM users list.
+
+
+## How to unlock a Member
+
+If a Member is locked you can unlock them anytime as an Owner or user with IAM Manager permissions. Their name is displayed in red and their status is marked as `Locked` in the IAM users list.
+
+
+ If a Member fails to [comply with security requirements](/iam/how-to/log-in-as-a-member#how-to-comply-with-security-requirements) by the end of the [grace period](/iam/concepts#grace-period), they are automatically locked and are not able to connect to the Organization until they are manually unlocked.
+
+
+1. Click **Identity and Access Management (IAM)** on the top-right corner of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
+2. Click the name of the Member you want to unlock. Alternatively, click next to the Member, and select **Overview**. Either way, you are taken to the user's **Overview** tab.
+3. Scroll to the **Unlock Member** section.
+4. Click **Unlock Member**. A pop-up appears.
+
+ Be aware that the Member will regain access to the Organization.
+
+5. Type **UNLOCK** in the box and click **Confirm**.
+
+The Member is unlocked.
+
+## How to edit a Member's information
+
+You can edit a Member's username, email address, and password.
+
+
+ Follow the procedure below to edit your own Member information.
+
+
+1. Click **Identity and Access Management (IAM)** on the top-right corner of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
+2. Click the name of the Member you want to edit. Alternatively, click next to the Member, and select **Overview**. Either way, you are taken to the user's **Overview** tab.
+3. Click the **Credentials** tab.
+4. Click **Edit** next to the information you want to update in the **Sign in credentials** section. For each credential a different pop-up appears.
+5. Enter the new information in the box.
+
+ Passwords are optional. When you create or update a password for a Member, you can opt to send the password to the Member via email. Once a new password is created, it is not stored or shown in the Scaleway console. Copy and safely store them before leaving the **Edit password** pop-up.
+
+6. Click **Confirm**.
+
+The updated information appears in the credentials tab.
+
+## How to enforce security requirements for a Member
+
+For the increased security of your Organization, you can enforce different security measures for your IAM Members.
+
+Refer to the dedicated [How to enforce security for Members](/iam/how-to/enforce-security-requirements-members/) documentation page to find out:
+
+- [How to disable a Member's MFA](/iam/how-to/enforce-security-requirements-members/#how-to-disable-a-members-mfa)
+- [How to enforce password renewal](/iam/how-to/enforce-security-requirements-members/#how-to-enforce-password-renewal)
+- [How to stop enforcing password renewal](/iam/how-to/enforce-security-requirements-members/#how-to-stop-enforcing-password-renewal)
+- [How to edit the grace period of your Organization](/iam/how-to/enforce-security-requirements-members/#how-to-edit-the-grace-period-of-your-organization)
+
+
+## How to delete a Member
+
+
+ A Member can delete their own account. The procedure is the same as described below. When a Member deletes themselves, they are automatically disconnected from the Scaleway console.
+
+
+1. Click **Identity and Access Management (IAM)** on the top-right corner of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
+2. Click the name of the Member you want to delete. Alternatively, click next to the Member, and select **Overview**. Either way, you are taken to the user's **Overview** tab.
+3. Scroll to the **Delete Member** section.
+4. Click **Delete Member**. A pop-up appears.
+
+ Keep in mind that when you delete a Member:
+ - All of their API keys will be deleted
+ - Their username will become available for other Members to use
+ - All logs of their actions will be kept
+
+5. Type **DELETE** in the box and click **Confirm**.
+
+The Member is deleted. If you wish to check the Member's previous logs from this point on, keep in mind that they will appear as "Deleted user" in the IAM logs. The user ID remains visible.
+
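Review bot: The "How to unlock a Member" section does not say what happens to the Member's API keys. The lock section states that "Any API keys attached to a Member lose their permissions when the Member is locked", but the unlock warning only says the Member "will regain access to the Organization". Please state explicitly whether API key permissions are restored on unlock, since an administrator needs to know whether programmatic access comes back with console access. In the same section, the sentence "Their name is displayed in red and their status is marked as `Locked`" describes how to spot a locked Member and would read better before "you can unlock them". Under "How to enforce security requirements for a Member", the first linked item is "How to disable a Member's MFA", which is the opposite of enforcing, so consider reordering the list or widening the heading. Two wording fixes: "an welcome email" should be "a welcome email", and in the edit-password note "Copy and safely store them" should be "it".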
diff --git a/pages/iam/how-to/manage-users.mdx b/pages/iam/how-to/manage-users.mdx
index 871079d1dd..cff17b4415 100644
--- a/pages/iam/how-to/manage-users.mdx
+++ b/pages/iam/how-to/manage-users.mdx
@@ -17,6 +17,10 @@ You can manage IAM users of an Organization if you are the [Owner](/iam/concepts
- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+
+ The procedures described below, except [How to remove a user from the Organization](#how-to-remove-a-user-from-the-organization), apply to all types of IAM users: Owners, Guests and Members. [IAM Members](/iam/concepts#members), however, have extra features that apply only to them. Refer to the [How to manage members](/iam/how-to/manage-members) documentation page to find the procedures specific to members.
+
+
## How to access the user overview
1. Click **Identity and Access Management (IAM)** from the top-right of your [Organization Dashboard](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
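Review bot: The added note carves out "How to remove a user from the Organization" as not applying to all user types, but it does not say which type is excluded or what to do instead. manage-members.mdx in this patch adds a "How to delete a Member" section, so link to it directly here; otherwise an administrator offboarding a Member has no procedure to follow. Also, "members" is lowercase in "How to manage members" and "specific to members", while the same sentence and the new page use "Members".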
@@ -26,7 +30,7 @@ You can manage IAM users of an Organization if you are the [Owner](/iam/concepts
## How to view user information
-From the user's [Overview tab](#how-to-access-the-user-overview), you can view information including the user's **status**, **type** (Guest or Owner), **joined on** date and whether they have [MFA](/account/concepts/#multifactor-authentication-mfa) enabled in the **User Information** panel at the top of the page.
+From the user's [Overview tab](#how-to-access-the-user-overview), you can view information including the user's **status**, **type** (Owner, Guest or Member), **joined on** date and whether they have [MFA](/account/concepts/#multifactor-authentication-mfa) enabled in the **User Information** panel at the top of the page.
On this page you can also find an extensive list of the user's permission sets, the name of their associated policies and the scope they apply to.
@@ -111,4 +115,3 @@ A user may be attached to multiple policies.
3. Type **REMOVE** to confirm, and click **Remove user** to validate.
-
diff --git a/pages/iam/quickstart.mdx b/pages/iam/quickstart.mdx
index df9ef44387..ecb4074d21 100644
--- a/pages/iam/quickstart.mdx
+++ b/pages/iam/quickstart.mdx
@@ -26,13 +26,12 @@ Read our dedicated page for a [general overview of IAM](/iam/reference-content/o
Invite other users to be able to give them access to your Organization. You will be able to define the exact level of access to give by creating a [policy](#how-to-give-permissions-to-users-and-applications-via-policies) for them later.
1. Click **Identity and Access Management (IAM)** from the top-right of your [**Organization Dashboard**](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
-
-2. Click **+ Add user**. The following screen displays:
-
-3. Enter the email address of the person you want to invite. If you want to invite more than one user, enter multiple email addresses separated by commas. Optionally, you can also select a [group](/iam/concepts/#group) to add the user to.
-4. Click **Invite** to send the invitation.
+2. Click **+ Add user**. A pop-up displays prompting you to choose between creating a **Member** or adding a **Guest**.
+3. Select **Guest** and click **Continue**.
+4. Enter the email address of the person you want to invite. If you want to invite more than one user, enter multiple email addresses separated by commas. Optionally, you can also select a [group](/iam/concepts/#group) to add the user to and add one or more tags.
+5. Click **Invite** to send the invitation.
The user receives an email inviting them to accept your invitation. If they do not already have a Scaleway account, they will be prompted to [create one](/account/how-to/create-an-account/) first.
-5. The user will appear in the list of your Organization's users once they have accepted the invitation.
+6. The user will appear in the list of your Organization's users once they have accepted the invitation.
## How to create an application
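Review bot: Step 2 now presents a choice between **Member** and **Guest**, but the section only follows the Guest path and its intro still speaks of inviting users. Add a one-line pointer after step 3 to the "How to create a Member" procedure added in manage-members.mdx. The two paths differ in who controls the account: per the new page, a Member's account exists only within the Organization and is deleted with the Member, which is worth knowing before choosing.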
@@ -40,9 +39,7 @@ IAM applications are non-human users in an Organization, enabling you to give pr
1. Click **Identity and Access Management (IAM)** from the top-right of your [**Organization Dashboard**](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
2. Click the **Applications** tab. A list of the Organization's existing IAM applications displays.
-
3. Click **Create application**. The creation wizard displays:
-
4. Complete the steps of the creation wizard:
- Enter a name for the application, or use the auto-generated name suggested for you,
- Enter a description (optional),
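Review bot: Step 3 still ends with a colon ("The creation wizard displays:") although the line that followed it is removed here, so the colon now introduces nothing. The policies section later in this same file changes the equivalent sentences to end with a period; do the same here.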
@@ -54,12 +51,10 @@ IAM applications are non-human users in an Organization, enabling you to give pr
## How to give permissions to users and applications via policies
-Users you have invited to your Organization, and applications you have created, have no rights or permissions until you attach [policies](/iam/reference-content/policy/) to them, as described below.
+Users you have added to your Organization, and applications you have created, have no rights or permissions until you attach [policies](/iam/reference-content/policy/) to them, as described below.
1. Click **Identity and Access Management (IAM)** from the top-right of your [**Organization Dashboard**](https://console.scaleway.com/organization) in the Scaleway console. The **Users** tab of the [Identity and Access Management dashboard](https://console.scaleway.com/iam/users) displays.
-2. Click the **Policies** tab. A list of the Organization's existing policies displays:
-
-3. Click **Create policy**. The creation wizard displays:
-
+2. Click the **Policies** tab. A list of the Organization's existing policies displays.
+3. Click **Create policy**. The creation wizard displays.
4. Complete the steps on the first page of the creation wizard:
- Enter a **name** for the policy,
- Enter a **description** (optional),
@@ -68,7 +63,6 @@ Users you have invited to your Organization, and applications you have created,
You can choose to create a policy without a principal for now, and attach the principal later. Be aware that the policy will have no effect until a principal is attached. A policy can only be attached to one principal at a time.
5. Click **Add rules** to progress to the next part of the policy creation wizard.
-
Rules define the actions that the attached principal will be able to carry out within the Organization. When creating a rule, you first set the **scope** of the rule, and then select the **permission sets** to apply within the scope. See our dedicated documentation for more help with [policies, rules, scopes and permission sets](/iam/reference-content/policy/).
diff --git a/pages/iam/reference-content/overview.mdx b/pages/iam/reference-content/overview.mdx
index 21e484ff63..7530e6a4c4 100644
--- a/pages/iam/reference-content/overview.mdx
+++ b/pages/iam/reference-content/overview.mdx
@@ -36,7 +36,9 @@ Once you set up your account, you can start creating resources such as Instances
If you want to give someone else permission to view, edit, create or manage resources (or features such as billing or support tickets) in your Organization, IAM makes this possible:
1. [Invite the user](/iam/how-to/invite-user-to-orga/) to your Organization. They create their own Scaleway account, if they do not already have one, and can then accept your invitation. They will appear in your Organization as a Guest.
-
+
+ Alternatively, you can [create a new IAM member](/iam/how-to/manage-members/#how-to-create-a-member). You can provide them the credentials necessary to [log in as a member](/iam/how-to/log-in-as-a-member) in your Organization.
+
2. Give the user permissions via [policies](/iam/concepts/#policy). Create a policy to define what permissions and access rights you want the user to have in your Organization.
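Review bot: The added alternative does not say that a user created this way appears as a different type than the Guest described in step 1. State it explicitly, for example "They will appear in your Organization as a Member", so that step 2 clearly applies to both paths. Wording: "provide them the credentials" should be "provide them with the credentials", and "IAM member" / "log in as a member" are lowercase here while manage-members.mdx capitalises "Member".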
diff --git a/pages/iam/reference-content/users-groups-and-applications.mdx b/pages/iam/reference-content/users-groups-and-applications.mdx
index 3b4e40b8b5..15d625e7bc 100644
--- a/pages/iam/reference-content/users-groups-and-applications.mdx
+++ b/pages/iam/reference-content/users-groups-and-applications.mdx
@@ -21,8 +21,7 @@ They can be of two types:
- **Owner** - you are the Owner of the Organization that was created with your account.
- **Guest** - you are a Guest when invited to an Organization of which you are not the Owner. Similarly, you can invite other users to be Guests in your Organization.
-
-
+- **Member** - you are a member when you are added to an Organization by an Owner or user with IAM Manager permissions. Members exist only within the specific Organizations in which they are added. As a member you are subject to [complying with the security requirements](/iam/how-to/how-to-comply-with-sec-requirements-member) in effect in your Organization.
Within each Organization, different IAM users can have different rights (defined through policies) to perform actions on resources.
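Review bot: The sentence introducing this list, visible in the hunk header, still reads "They can be of two types:" while the list now has three entries; update it in the same change. The link target `/iam/how-to/how-to-comply-with-sec-requirements-member` differs from the one manage-members.mdx uses for the same topic (`/iam/how-to/log-in-as-a-member#how-to-comply-with-security-requirements`), so please verify that both resolve and pick one. "you are a member" and "As a member" should be capitalised to match the bolded term.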
diff --git a/pages/account/how-to/enforce-mfa.mdx b/pages/organizations-and-projects/how-to/enforce-mfa.mdx
similarity index 100%
rename from pages/account/how-to/enforce-mfa.mdx
rename to pages/organizations-and-projects/how-to/enforce-mfa.mdx
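Review bot: This rename moves the page from `pages/account/how-to/` to `pages/organizations-and-projects/how-to/` with no content change, so its published path changes as well. Check that links to the old path elsewhere in the documentation are updated or redirected in this patch, since a broken link to the MFA enforcement procedure is easy to miss.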
diff --git a/pages/organizations-and-projects/how-to/manage-quotas.mdx b/pages/organizations-and-projects/how-to/manage-quotas.mdx
index 9d87bb88e3..93fdedf67b 100644
--- a/pages/organizations-and-projects/how-to/manage-quotas.mdx
+++ b/pages/organizations-and-projects/how-to/manage-quotas.mdx
@@ -20,8 +20,8 @@ categories:
## How to view Organization quotas
-1. Click the **Quotas** tab from the [Organization Dashboard](https://console.scaleway.com/organization). A list of all quotas displays.
-2. Click the name of the resource you want to view the quotas for.
+1. Click the **Quotas** tab of the [Organization Dashboard](https://console.scaleway.com/organization). A list of all quotas displays.
+2. Click the name of the product you want to view the quotas for.
3. Click > **More info** next to the name of your resource of choice. A pop-up appears.
In the pop-up you can find more information about the quota, such as **Name**, **Technical name**, **Product**, **Max quota per Availability Zone**, **Current usage**, and **Description**.
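Review bot: Step 2 now says "product", but the unchanged step 3 still says "next to the name of your resource of choice", so the two steps use different terms for what the reader clicks. If step 2 selects a product and step 3 a resource within it, say so in step 3; otherwise align the wording.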