This is very valuable feedback. We are not currently planning on doing changes to organizations memberships so unfortunately I don’t think I have solution for all your use cases but I have a couple tips to help with some cases.
Org readonly token
$ fly tokens create readonly --help
Create an API token limited to reading a single org and its resources. Tokens are valid for 20 years by default. We
recommend using a shorter expiry if practical.
Usage:
fly tokens create readonly [flags]
Flags:
-x, --expiry duration The duration that the token will be valid (default 175200h0m0s)
--from-existing Use an existing token as the basis for the read-only token
-h, --help help for readonly
-j, --json JSON output
-n, --name string Token name (default "Read-only org token")
Global Flags:
-t, --access-token string Fly API Access Token
--debug Print additional logs and traces
--verbose Verbose output
You can generate readonly tokens for organizations and give one per employee so they can use like this:
$ export FLY_API_TOKEN='token-for-me'
$ fly apps list
All readonly commands should work but commands such as fly ssh console shouldn’t.
Granular DB access
Assuming your database is not exposed to the outside world: you can create a Flycast IP to enable other orgs to access your DB and they can use wireguard on their machines to access your-db-app.flycast and you can provide credentials per-person maybe even readonly.
Another approach that doesn’t require flycast and exposing your DB to all orgs is using something like Tailscale (we use it here for our infra at fly.io): Connecting your Fly Apps to your Tailscale tailnet then its all about setting credentials