
Custom Roles

Custom roles allow Org Admins to overlay a specific set of ZTKA or ABAC policies on a base role (RBAC role).

Important

Limited Access: the ABAC (Attribute-based access) capability is enabled selectively for Orgs and is not available to all Prod Orgs.


Create New Role

Perform the steps below to create a new custom role:

  • Log in to the console and navigate to System → Custom Roles. The Custom Roles page appears
  • Click New Custom Role

New Custom Role

  • Provide a Name

  • Click Add Policy to select the required ABAC/ZTKA policies and their versions. Multiple policies can be selected

  • Select the Base Role

Important

For ABAC (Attribute-based access), only the Namespace Admin and Namespace Read Only base roles are supported.

  • Click Save Changes

Custom Role

Once the details are saved, the policies are applied to the selected base role and the custom role is listed as shown below. You can edit the details or delete the custom role if required using the respective icons.

Listing

Once the custom role has been created, admins can assign it to the required users or groups.


Custom Role behaviour in Shared projects

Role combination describes how multiple roles assigned to a user or entity across different projects interact. This interaction determines how their permissions and access rights are combined, prioritized, and enforced within a cluster.

Below is an example illustrating how different roles are applied when executing kubectl commands on clusters within various projects:

Consider Project P1 and Project P2:

  • Cluster C1 exists in Project P1 and is shared with Project P2
  • User U1 has base role B1 and custom role CR1 attached to Project P1
  • User U1 has base role B2 attached to Project P2
  • When executing kubectl commands on Cluster C1:
    • Permissions defined by Custom Role CR1 and Base Role B2 are applied, while B1 is ignored

Important

  • If a user has both custom role and base role permissions within a project, the custom role takes precedence and the base role is disregarded.
  • For clusters shared between two projects, roles from both projects are combined.
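As an added illustration of the two rules above, the following Python model resolves a user's effective roles for a cluster; it is not the console's own code, and the Role/Assignment structures and the effective_roles function are constructed for this example. It is useful when auditing what a user can actually do on a shared cluster before granting access.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """A role assignment; custom roles overlay ABAC/ZTKA policies on a base role."""
    name: str
    is_custom: bool = False


@dataclass
class Assignment:
    """Roles a user holds in one project (constructed model, not the console's schema)."""
    project: str
    roles: list[Role] = field(default_factory=list)


def effective_roles(assignments: list[Assignment], cluster_projects: set[str]) -> set[str]:
    """Resolve which roles apply when a user runs kubectl against a cluster.

    Rule 1: within a project, if any custom role is assigned, the custom roles
            take precedence and that project's base roles are disregarded.
    Rule 2: for a cluster shared across projects, the surviving roles from
            every project the cluster belongs to are combined.
    """
    applied: set[str] = set()
    for a in assignments:
        if a.project not in cluster_projects:
            continue  # this project does not see the cluster at all
        custom = {r.name for r in a.roles if r.is_custom}
        if custom:
            applied |= custom  # Rule 1: custom overrides base within the project
        else:
            applied |= {r.name for r in a.roles}  # no custom role: base roles apply
    return applied  # Rule 2: union across the cluster's projects


# Constructed scenario from the docs: C1 lives in P1 and is shared with P2.
U1 = [
    Assignment("P1", [Role("B1"), Role("CR1", is_custom=True)]),
    Assignment("P2", [Role("B2")]),
]
C1_PROJECTS = {"P1", "P2"}

if __name__ == "__main__":
    print(sorted(effective_roles(U1, C1_PROJECTS)))  # ['B2', 'CR1']
```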