doc/user/content/security/cloud/users-service-accounts/_index.md
As an administrator of a Materialize organization, you can manage the users and apps (via service accounts) that can access your Materialize organization and resources.
During creation of a user/service account in Materialize, the account is assigned an organization role:
{{% include-headless "/headless/rbac-cloud/organization-roles" %}}
As an Organization admin, you can invite new users via the Materialize Console. When you invite a new user, Materialize will email the user with an invitation link.
{{% include-headless "/headless/rbac-cloud/invite-user-note" %}}
For instructions on inviting users to your Materialize organization, see Invite users.
{{< tip >}}
As a best practice, we recommend you use service accounts to connect external applications and services to Materialize.
{{</ tip >}}
As an Organization admin, you can create a new service account via the Materialize Console or via Terraform.
{{< note >}}
The new account creation is not finished until the first time you connect with the account.
{{% include-headless "/headless/rbac-cloud/service-account-creation" %}}
{{</ note >}}
For instructions on creating a new service account in your Materialize organization, see Create service accounts.
As an Organization admin, you can configure single sign-on (SSO) as an additional layer of account security using your existing SAML- or OpenID Connect-based identity provider. This ensures that all users can securely log in to the Materialize Console using the same authentication scheme and credentials across all systems in your organization.
To configure SSO for your Materialize organization, follow this step-by-step guide.