
Roles

Users in an Org are associated with at least one role. The platform provides a number of roles that can be used to control what users can do in the platform.


Types of Roles

| Role | Description |
|---|---|
| Organization Admin | A privileged, superuser-type role that has access to everything in the Org. This user can view and manage all workload and infrastructure resources across all projects. Specifically, they have Read + Write access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons and blueprints. |
| Project Admin | A privileged role that is allowed to manage all workload resources in a Project. Specifically, they have Read + Write access to workloads, certificates, registries, secret stores and aggregation endpoints. |
| Project Read Only | A Read Only version of the Project Admin role. |
| Namespace Admin | A role that is allowed to access only specified namespaces. |
| Namespace Read Only | A Read Only version of the Namespace Admin role. |
| Infrastructure Admin | An infrastructure-focused role that has Read and Write access to Clusters, Namespaces, Blueprints, Add-ons and Cloud Credentials. |
| Infrastructure Read Only | A Read Only version of the Infrastructure Admin role. |

Important

We strongly recommend that customers have at least two active Organization Admins per Org.

The image below shows the hierarchy of roles in a typical Org.

Hierarchy of Roles


Multiple Roles

It is possible for users to be associated with multiple roles at the same time. In cases like this, the union of permissions associated with both roles is applied.
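The following is an added example, not code from the platform or its documentation, showing what the union rule means in an access review: a Read Only role does not restrict a user who also holds the matching Admin role in the same project. The tuple format, the sample users, and the treatment of a project-scoped role as granting nothing in other projects are assumptions made for the illustration.

```python
# Added example. Role names and resource lists follow the table on this page;
# the (user, role, project) tuples are constructed sample data, not a platform
# export format.
WORKLOAD = {"workloads", "certificates", "registries", "secret stores",
            "aggregation endpoints"}
INFRA = {"clusters", "namespaces", "blueprints", "add-ons", "cloud credentials"}
ORG = WORKLOAD | {"namespaces", "clusters", "add-ons", "blueprints"}

# role -> (resources, access levels)
ROLES = {
    "Organization Admin": (ORG, {"read", "write"}),
    "Project Admin": (WORKLOAD, {"read", "write"}),
    "Project Read Only": (WORKLOAD, {"read"}),
    "Infrastructure Admin": (INFRA, {"read", "write"}),
    "Infrastructure Read Only": (INFRA, {"read"}),
}

def effective_permissions(assignments, user, project):
    """Union of (resource, access) pairs over every role `user` holds that
    applies to `project`. Organization Admin applies to all projects."""
    perms = set()
    for who, role, scope in assignments:
        if who != user:
            continue
        # Assumption: a project-scoped role grants nothing in other projects.
        if role != "Organization Admin" and scope != project:
            continue
        resources, levels = ROLES[role]
        perms |= {(res, lvl) for res in resources for lvl in levels}
    return perms

def org_admins(assignments):
    """Users holding Organization Admin, for the two-admin recommendation."""
    return {who for who, role, _ in assignments if role == "Organization Admin"}

# Constructed sample assignments: (user, role, project)
SAMPLE = [
    ("alice@example.com", "Organization Admin", None),
    ("bob@example.com", "Project Read Only", "production"),
    ("bob@example.com", "Infrastructure Admin", "production"),
    ("bob@example.com", "Project Admin", "staging"),
    ("carol@example.com", "Project Read Only", "production"),
    ("carol@example.com", "Project Admin", "production"),  # write wins in union
]

if __name__ == "__main__":
    print(sorted(effective_permissions(SAMPLE, "bob@example.com", "production")))
    if len(org_admins(SAMPLE)) < 2:
        print("Fewer than two Organization Admins:", sorted(org_admins(SAMPLE)))
```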


Determine Role as End User

Authorized users in an Org can quickly determine their exact role and profile in the Web Console.

  • Log in to the Web Console
  • Click on your name/email address on the top right
  • Select Profile from the drop-down

The example below is for a user called "mohan@openc2.io" who has an "Org Admin" role.

User with Organization Admin Role

The example below is for a user called "jriley@openc2.co" who has an "Infra Admin" role for the "Production Project".

Infra Admin


Determine User's Role as Org Admin

An Org Admin can quickly determine a user's role assignments.

  • Navigate to System -> Users
  • Search for the specific user
  • View current role assignments

An illustrative example is shown below for a user. In this case, this user has an "Org Admin" role and has access to all projects in the Org.

Add User with Organization Admin Role


Manage Roles

Org Administrators are responsible for assigning and managing roles for users in the Organization. All changes and activity with user role assignments are audited and can be viewed in the Audit section. Users can be assigned roles in one of two ways, providing flexibility in how organizations manage access.

  • By Group (Associate role to specific group. Add/remove users to the group)
  • Per User (Associate role to a specific user)

Manage Role By Group

Group-based role assignments are well suited for handling a large number of users that need similar roles. For example, it is a lot easier to create a group called "developers", configure this group with the required role and manage users in the group.

For example, when a new developer joins the organization, instead of taking on the burden of managing users one by one, the admin just has to add this new developer to the "developers" group.

Review detailed documentation on Groups for information on how to manage roles by group.


Manage Role Per User

In some cases, it may be required to manage roles with a "per user" granularity. Follow the steps described below.

  • Log in to the Web Console as an Org Admin
  • Select System -> Users
  • Search for the user and click on the user

  • Select the Projects tab

Role assignments are performed at a Project level.

Select Projects Tab

  • Select the project from the drop-down

Projects Dropdown

  • Assign Role(s)

Assign Role