Roles
Users in an Org are associated with at least one role. The platform provides several roles that can be used to control what users can do in the platform.
Types of Roles¶
| Role | Role Binding | Description |
|---|---|---|
| Organization Admin | ClusterRoleBinding | A privileged, super user type role with access to everything in the Org. This user can view, manage all workload and infrastructure resources across all projects. Specifically, they have Read + Write access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons, and blueprints |
| Org Admin Read Only | ClusterRoleBinding | A privileged role has only Read access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons, and blueprints |
| Project Admin | ClusterRoleBinding | A privileged role allowed to manage all workload resources in a Project. Specifically, they have Read + Write access to workloads, certificates, registries, secret stores, and aggregation endpoints |
| Project Read Only | ClusterRoleBinding | A Read Only version of the Project Admin role |
| Cluster Admin | ClusterRoleBinding | A privileged role allowed to build clusters in a Project. Specifically, Cluster Admins has read only infrastructure access + Cluster CRUD (Create, Read, Update, and Delete) operations |
| Cluster Template User | ClusterRoleBinding | A privileged role allowed to provision, view and manage cluster resources only using the template(s) |
| Workspace Admin | RoleBinding | A role allowed to manage all workload resources in a Project. Specifically, they have Read + Write access to workloads, certificates, registries, secret stores, and aggregation endpoints |
| Namespace Admin | RoleBinding | A role allowed to view only the user specified namespaces, and policy violations, but not allowed to create a new namespace. Allowed to perform end-to-end (create, publish/unpublish, edit, delete) actions on workloads with the user selected namespace(s). Specifically, they can view only the Resources that are associated with the selected namespace(s) |
| Namespace Read Only | RoleBinding | A Read Only version of the Namespace Admin role |
| Infrastructure Admin | ClusterRoleBinding | An infrastructure focused role who has Read and Write access to Clusters, Namespaces, Blueprints, Add-ons, and Cloud Credentials |
| Infrastructure Read Only | ClusterRoleBinding | A Read Only version of the Infrastructure Admin role |
Important
We strongly recommend that customers have at least two active Organization Admins per Org
The image below shows the hierarchy of roles in a typical Org.
Multiple Roles¶
Users can be associated with multiple roles at the same time. In such scenarios, the union of the permissions associated with both roles is applied.
Determine Role as End User¶
Authorized users in an Org can quickly determine their exact role and profile in the Web Console.
- Login into the Web Console
- Click on your name/email address on the top right
- Select Profile from the drop-down
The below example is for a user having an "Org Admin" role for "ALL PROJECTS".
The below example is for a user having an "Infra Admin" role for the "Production Project"
Determine User's Role as Org Admin¶
An Org Admin can quickly determine a user's role assignments.
- Navigate to System -> Users
- Search for the specific user
- View current role assignments
An illustrative example is shown below for a user. In this case, this user has an "Org Admin" role and has access to all projects in the Org.
Manage Roles¶
Org Administrators are responsible for assigning and managing roles for users in the Organizations. All changes and activities with user role assignments are audited and can be viewed in the Audit section. Users can be assigned roles in one of two ways providing flexibility in how organizations would like to manage access.
- By Group (Associate role to a specific group. Add/remove users to the group)
- Per User (Associate role to a specific user)
Manage Role By Group¶
Group based role assignments are well suited for handling a large number of users that need similar roles. For example, it is much easier to create a group called "developers", configure this group with the required role and manage users.
For example, when a new developer joins the organization, instead of taking on the burden of managing users one by one, the admin has to add this new developer to the "developer" group.
Review detailed documentation on Groups for information on managing roles by the group.
Manage Role Per User¶
In some cases, it may be required to manage roles with a "per user" granularity. Perform the below steps.
- Login into the Web Console as an Org Admin
- Select System -> Users
- Search and select the desired user
- If required, make any changes in the profile page and click Save
- Select the Projects tab
- Click Assign User To Project
- Select the project from the drop down
- Assign Role(s) and click SAVE & EXIT
- Click DISCARD CHANGES & EXIT to abort the process