Organizations, Teams & Projects#
Lens Agents uses a multi-tenant hierarchy to organize users, agents, and access: organizations contain teams, teams are granted access to projects.
Hierarchy#
Organization
├── Team A
│ ├── Users (members)
│ ├── Agents (managed + external)
│ ├── Policies
│ └── Project access grants
│ ├── Project Alpha (admin)
│ └── Project Beta (member)
├── Team B
│ ├── Users
│ ├── Agents
│ ├── Policies
│ └── Project access grants
│ └── Project Beta (admin)
└── Projects
├── Project Alpha (K8s cluster, AWS account)
└── Project Beta (GitHub connection)
Organizations#
An organization is the top-level tenant. All data — users, teams, agents, policies, audit trail — is scoped to an organization. There is no cross-organization data access.
- One Slack workspace connection per organization
- SSO (OIDC) configured at the org level
- Spending limits can be set at the org level
Teams#
Teams group users and agents with shared access and policies.
- Users are members of teams
- Agents (managed and external) belong to teams
- Policies are configured per team — all agents in a team share the same policy
- Project access is granted to teams, not individual users or agents
- Spending limits can be set at the team level
Roles#
Teams are granted access to projects with a role:
| Role | Permissions |
|---|---|
| Admin | Full access to the project's connections and resources |
| Member | Scoped access to the project's connections and resources |
Projects#
Projects represent a set of infrastructure connections — Kubernetes clusters, AWS accounts, GitHub connections. Teams are granted access to projects.
Example: A "Production" project might contain: - Production Kubernetes cluster - Production AWS account - Main GitHub repository connection
The "SRE" team gets admin access to the Production project. The "Support" team gets member access. Agents in each team inherit the access.
How It Comes Together#
- Organization admin creates the organization, configures SSO, sets org-level spending limits
- Organization admin creates projects and connects infrastructure (K8s clusters, AWS accounts, GitHub)
- Organization admin creates teams and grants project access to each team
- Team members join teams (via invitation)
- Agents are created within teams — they inherit the team's policies and project access
- Audit trail records everything — scoped to the org, filterable by team, project, and agent
What administrators configure#
- Organization settings — SSO (OIDC), deployment-level options.
- Teams — create teams, manage membership, assign project access.
- Projects — create projects, connect infrastructure (Kubernetes clusters, AWS accounts, GitHub organizations).
- Users — invite users, manage roles.
- Spending limits — configurable at organization and team level.
Data portability#
| Data type | Portable? | How |
|---|---|---|
| Audit trail | Yes | Queryable and exportable via the REST API. Filter by time range, agent, action type. |
| Workspace files | Yes | Editable Markdown files. Copy from the workspace editor or via API. |
| Policies | Yes | Domain rules, credential bindings, and integration controls are configurable and can be recreated. |
| Agent memory | Contact support | Memory database entries can be exported via the API. Contact your account team for bulk export. |
| Conversation history | Contact support | Conversation threads are stored at the platform level. Contact your account team for export. |
| Desktop tool connections | Yes (MCP) | MCP is an open protocol. Desktop tools can connect to any MCP-compatible platform. |
| External agent connections | Yes (MCP) | External agents use standard MCP + Bearer token auth. Reconnect to any platform. |
Related#
- SSO — OIDC configuration
- Agent tokens — external agent authentication
- Policies — access control per team
- Audit trail — what happened, who did it