Feature: better organization member management

Howdy.

Just passing by this Friday to share with you that we just deployed a small improvement on organization member management.

Built with :heart: on Elixir, we’ve added the option to promote/demote members between Admin and Member roles. Feel free to test it out and, as usual, we are open to feedback.

See you next time :wave:

Since you’ve asked… :slight_smile:
Having the buttons of the same size with centred text would be neat.
Anyway, that’s just my opinion.

Leave & Remove.
‘Demote to member’ and ‘Promote to admin’.

1 Like

Nice suggestion. Should be online now

Hey @lubien,

Just found that post while searching for what it means to be an Admin or Member. What can members actually do in an organisation? Can they just access all resources, like doing a fly ssh console?

Howdy!

Currently an organization admin is mostly for dashboard sake. They can change organization settings (like SSO) and manage members. Pretty much everything else is available to everyone.

To scope things down we suggest using tokens. Our dashboard and CLI can issue deploy tokens so folks can only deploy a single app.

I guess you mean organisation admin instead of member? Is there any documentation about it somewhere?

Can an org member access all apps of an organisation, i.e. with fly ssh console?

That’s true! Edited the original message.

That’s correct.

Can I ask about your use case so I can help you with more tips?

Sure.

I would like to give developers an easy way to see Fly dashboard and metrics but without the possibility to sign into machines via SSH or remove them or so.

My ideal would be something like:

  • Admin as you have it today :white_check_mark:
  • Readonly: can only see apps, activity, dashboard, metrics etc but cannot change anything
  • Not sure whether I need more in the Fly dashboard then as long as I can give granular access to my single applications via tokens.

Right now I have the challenge of giving DB access to devs when they need it (time-based privileged access management). So I was thinking of using Teleport, but it seems that’s not possible with Fly at the moment :cry:

2 Likes

This is very valuable feedback. We are not currently planning on doing changes to organization memberships, so unfortunately I don’t think I have a solution for all your use cases, but I have a couple of tips to help with some cases.

Org readonly token

$ fly tokens create readonly --help
Create an API token limited to reading a single org and its resources. Tokens are valid for 20 years by default. We
recommend using a shorter expiry if practical.

Usage:
  fly tokens create readonly [flags]

Flags:
  -x, --expiry duration   The duration that the token will be valid (default 175200h0m0s)
      --from-existing     Use an existing token as the basis for the read-only token
  -h, --help              help for readonly
  -j, --json              JSON output
  -n, --name string       Token name (default "Read-only org token")

Global Flags:
  -t, --access-token string   Fly API Access Token
      --debug                 Print additional logs and traces
      --verbose               Verbose output

You can generate readonly tokens for organizations and give one per employee so they can use it like this:

$ export FLY_API_TOKEN='token-for-me'
$ fly apps list

All readonly commands should work but commands such as fly ssh console shouldn’t.

Granular DB access

Assuming your database is not exposed to the outside world: you can create a Flycast IP to enable other orgs to access your DB, and they can use WireGuard on their machines to access your-db-app.flycast, and you can provide credentials per person, maybe even readonly.

Another approach that doesn’t require Flycast and exposing your DB to all orgs is using something like Tailscale (we use it here for our infra at fly.io): Connecting your Fly Apps to your Tailscale tailnet, then it’s all about setting credentials.

1 Like
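The readonly-token tip above, turned into an added example script (not from the post or from Fly.io): it issues one named read-only org token per person with a short expiry instead of the 20-year default, then checks that the token can list apps but is refused for fly ssh console. It assumes the -j JSON output carries a "token" field (the post does not show the JSON shape) and that FLY can be pointed at a stub binary for testing.

```shell
#!/usr/bin/env sh
# Added example, not Fly.io's own code. FLY lets the fly binary be replaced
# by a stub when testing offline.
FLY="${FLY:-fly}"

# issue_readonly_token NAME EXPIRY -> prints the new token on stdout.
# Only hour-based durations (e.g. 72h) are accepted so nobody falls back to
# the 175200h (20 year) default by mistake.
# Assumption: the JSON from `fly tokens create readonly -j` has a "token" key.
issue_readonly_token() {
  name="$1"; expiry="$2"
  case "$expiry" in
    *h) ;;
    *) echo "expiry must be an hour-based duration such as 72h" >&2; return 1 ;;
  esac
  "$FLY" tokens create readonly -n "$name" -x "$expiry" -j \
    | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_token_scope TOKEN APP -> 0 when the token can read (fly apps list)
# but cannot open an SSH console on APP; 1 otherwise.
check_token_scope() {
  token="$1"; app="$2"
  FLY_API_TOKEN="$token" "$FLY" apps list >/dev/null 2>&1 \
    || { echo "read check failed: token cannot list apps" >&2; return 1; }
  # -C runs a harmless no-op instead of an interactive shell.
  if FLY_API_TOKEN="$token" "$FLY" ssh console -a "$app" -C true >/dev/null 2>&1; then
    echo "token is NOT read-only: ssh console succeeded" >&2; return 1
  fi
  return 0
}

# Typical use: one token per person, valid for three days, verified at issue.
if [ "${1:-}" = "issue" ]; then
  tok=$(issue_readonly_token "readonly-$2" "${3:-72h}") || exit 1
  check_token_scope "$tok" "$4" || exit 1
  echo "$tok"
fi
```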