User management with Tyk Dashboard

Last updated: 4 minutes read.

When you start the Tyk Dashboard the first time, the bootstrap process creates an initial “user” for you with admin permissions, which allows them access to control and configure everything in the Dashboard (via the UI or Tyk Dashboard API).

You can create additional “users” for your colleagues who need to access Dashboard features. These additional users can be assigned granular permissions so that they only have access to the Dashboard pages (and corresponding Dashboard API endpoints) that they require. For each permission (or “role”) you can “deny access”, make it “read only”, or allow “write access”.

For example you might have a colleague who only needs to be able to access the Analytics, or another who only needs to be able to view API configurations, but not to modify them.


The availability of some features described in this section depends on your licence.
For further information, please check our price comparison or consult our sales and expert engineers: Contact us

Managing Tyk Dashboard users

If you are working on a small project or only have a few people who access your Tyk Dashboard it is straightforward to manage these users individually. This functionality is available with all Tyk licences.

Managing groups of Tyk Dashboard users

If, however, you have multiple users who require the same set of permissions and you have the appropriate option in your Tyk licence, you can create a user group to apply and manage user permissions for multiple users from the same place. If you update the permissions of the user group, all the users assigned to it will automatically get those updated permissions. Additionally, if you deactivate the user group, all users in it will be disabled as well. This functionality requires a specific Tyk licence.

Multi-team setup using API Ownership

If you have multiple teams, where each team maintains its own APIs and you want to limit access of the dashboard to the team level, you should use our API ownership feature. For each API, you can assign owners, where an owner can be either an individual user or user group. Only owners have access to these APIs, and objects created based on them like policies or analytics. This functionality requires a specific Tyk licence.

Managing Tyk Dashboard users in multi-org deployments

If you have deployed multiple Tyk Organisations, you may have users that need access to more than one Organisation (known as a “multi-org user”). This functionality requires a specific Tyk licence.

To support multi-org users, you must first enable the feature in your Dashboard configuration by setting either of the following to true:

  • "enable_multi_org_users" in tyk_analytics.conf
  • TYK_DB_ENABLEMULTIORGUSERS environment variable

You then must create users in both Organisations with identical credentials.

During the login flow the user will see an additional page asking them to pick which available Organisation they wish to log into. Once logged in, the user will have an additional drop-down in the top right navigation menu allowing them to switch between Organisations quickly.


A user that does not belong to an Organisation is sometimes referred to as an unbounded user. These users have visibility across all Organisations, but should be granted read-only access.

Single Sign-On integration

You can integrate your existing identity management server with the Tyk Dashboard, as explained in our detailed Single Sign-On (SSO) guide. This functionality is available with all Tyk licences except Tyk Classic Cloud.

By default all users who login via SSO are granted admin permissions. You can change this behaviour by setting either default permissions for users or by creating a default user group to which all new users are assigned. With some IDPs you can automatically assign different SSO users to different user groups by dynamically mapping the IDP’s user groups, for example with Azure AD.

If you want to maintain an individual set of permissions for your SSO users, you must first enable SSO user lookup in your Dashboard configuration by setting either of the following to true:

  • "sso_enable_user_lookup" in tyk_analytics.conf
  • TYK_DB_SSOENABLEUSERLOOKUP environment variable

You must then create a user in the Dashboard with the required permissions and matching email address. During the SSO login flow, if a user with the same email address is found in the existing organisation, their permissions are applied.