Teams
How team seats, shared accounts, and access controls work.
Team plans
On Team and Enterprise plans, every team member shares the same connected cloud accounts and the same library of past Canvases. You don't have to reconnect AWS for every engineer who joins.
| Capability | Details |
|---|---|
| Shared cloud connections | One person connects, the whole team uses |
| Shared Canvas library | Every team member sees Canvases generated by anyone |
| Per-user identity | Sign in with your own email — Escher tracks who asked what |
| Role-based access | Admin, Member, Read-only |
| Audit log | Every Canvas, every action, attributable to a user |
Roles
| Role | Can do |
|---|---|
| Admin | Connect/disconnect cloud accounts, manage members, manage integrations, approve actions |
| Member | Ask questions, generate Canvases, approve actions on resources they own |
| Read-only | Browse Canvases generated by others, ask questions, but cannot approve actions |
How adding a teammate works
- As an admin, go to Settings → Team → Invite Member
- Enter their email and pick a role
- They receive an invite email
- They install Escher and sign in with the invited email
- They immediately see all the team's connected accounts and past Canvases
TIP
Use the read-only role for execs and auditors. They can browse evidence and pull reports without being able to modify cloud resources.
SSO
SAML SSO is on the roadmap for enterprise plans. The list of supported IdPs and the timeline are decided per agreement — confirm with your Tessell contact.