# Creating Your First User Management Setup

> Build a production-ready access model step-by-step

This tutorial helps you define a practical access model for a small team and then scale it with repeatable patterns.

## What You'll Build

* A baseline admin team with constrained manage scopes.
* Client users with project-level access.
* A recurring access review process.

```mermaid
flowchart TD
    A[Define Roles] --> B[Create Admin Accounts]
    B --> C[Invite Client Users]
    C --> D[Assign Project Scopes]
    D --> E[Validate Access Paths]
    E --> F[Schedule Access Review]
```

## Step 1: Define Access Personas

Start with three personas:

* **Platform Admin**: needs `user:manage`, `project:manage`, `cluster:view`.
* **Developer Admin**: needs `model:manage`, `project:manage`.
* **Client Operator**: needs project-level `view` or `manage` access as required.

## Step 2: Create Admin Accounts

1. Add platform admin users with minimal necessary manage scopes.
2. Keep only one or two `super_admin` users for break-glass operations.
3. Require documented business justification for broad scope grants.

## Step 3: Invite Client Users

1. Add client users for each team or department.
2. Tag users with clear naming and purpose for easier audit reviews.
3. Validate that each invite reaches the `active` state.

## Step 4: Assign Project Permissions

1. Share projects with collaborators at `view` first.
2. Upgrade to `manage` only where edit/deploy actions are required.
3. Verify inherited access by checking project resources.

## Step 5: Validate with Access Tests

Run a short checklist:

* Can admin users open expected modules?
* Are restricted modules hidden or blocked appropriately?
* Can client users access only assigned projects?
* Are unauthorized actions denied?

## Step 6: Operationalize Reviews

* Review all `manage` grants weekly for fast-moving teams.
* Review all user access monthly.
* Remove stale users and unused elevated permissions.

## Recommended Baseline Matrix

| Persona         | Global Scopes                                      | Project Scope                  |
| --------------- | -------------------------------------------------- | ------------------------------ |
| Platform Admin  | `user:manage`, `project:manage`, `cluster:view`    | Optional                       |
| Developer Admin | `model:manage`, `project:manage`, `benchmark:view` | Optional                       |
| Client Operator | None or minimal global scope                       | `view` or `manage` per project |
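The checks from Steps 2, 3 and 6 can be automated against this matrix. The script below is an added example, not part of the product or its API: it audits user records for scopes beyond the persona baseline, excess `super_admin` accounts and invites that never reached `active`, and lists project-level `manage` grants for the weekly review. The record fields (`name`, `persona`, `role`, `status`, `scopes`, `projects`, `justification`), the `admin`, `client` and `invited` values, and the sample users are assumptions constructed for illustration.

```python
# Added example. Record fields (name, persona, role, status, scopes, projects,
# justification) are assumptions, not the platform's export format.
BASELINE = {  # global scopes from the Recommended Baseline Matrix
    "platform_admin": {"user:manage", "project:manage", "cluster:view"},
    "developer_admin": {"model:manage", "project:manage", "benchmark:view"},
    "client_operator": set(),  # "None or minimal" is treated as none here
}
MAX_SUPER_ADMINS = 2  # Step 2: one or two break-glass accounts

def audit(users):
    """Return (user, finding) pairs for records that drift from the baseline."""
    findings = []
    supers = sorted(u["name"] for u in users if u.get("role") == "super_admin")
    if len(supers) > MAX_SUPER_ADMINS:
        findings.append((",".join(supers),
                         f"{len(supers)} super_admin accounts, limit {MAX_SUPER_ADMINS}"))
    for u in users:
        name = u["name"]
        if u.get("status") != "active":  # Step 3: every invite must reach active
            findings.append((name, f"status is {u.get('status')!r}, expected 'active'"))
        if u.get("role") == "super_admin":
            continue  # break-glass accounts are counted above, not scope-checked
        allowed = BASELINE.get(u.get("persona"))
        if allowed is None:
            findings.append((name, f"unknown persona {u.get('persona')!r}"))
            continue
        extra = sorted(set(u.get("scopes", [])) - allowed)
        if extra and not u.get("justification"):  # Step 2: documented reason
            findings.append((name, "unjustified scopes beyond baseline: " + ", ".join(extra)))
    return findings

def manage_grants(users):
    """List (user, project) pairs holding project-level manage (weekly review)."""
    return sorted((u["name"], project) for u in users
                  for project, level in u.get("projects", {}).items() if level == "manage")

USERS = [  # constructed sample records
    {"name": "alice", "persona": "platform_admin", "role": "admin", "status": "active",
     "scopes": ["user:manage", "project:manage", "cluster:view"]},
    {"name": "bob", "persona": "developer_admin", "role": "admin", "status": "active",
     "scopes": ["model:manage", "user:manage"]},
    {"name": "carol", "persona": "client_operator", "role": "client", "status": "invited",
     "scopes": [], "projects": {"proj-a": "manage", "proj-b": "view"}},
]

if __name__ == "__main__":
    for who, what in audit(USERS):
        print(f"{who}: {what}")
    print("manage grants to review:", manage_grants(USERS))
```

A scope beyond the baseline is accepted only when the record carries a non-empty `justification`, which mirrors the documented-justification requirement in Step 2.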

## Next Steps

* Configure your review workflow in [Guides](/user-management/guides/onboarding-and-offboarding).
* Use [Reference](/user-management/reference/permissions-reference) to standardize scope usage.
