Roles

Users in an Org are associated with at least one role. The platform provides several roles that can be used to control what users can do in the platform.


Types of Roles

| Role | Description |
|------|-------------|
| Organization Admin | A privileged, super-user role with access to everything in the Org. This user can view and manage all workload and infrastructure resources across all projects. Specifically, they have Read + Write access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons, and blueprints. |
| Org Admin Read Only | A privileged role with only Read access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons, and blueprints. |
| Project Admin | A privileged role allowed to manage all workload resources in a Project. Specifically, they have Read + Write access to workloads, certificates, registries, secret stores, and aggregation endpoints. |
| Project Read Only | A Read Only version of the Project Admin role. |
| Cluster Admin | A privileged role allowed to build clusters in a Project. Specifically, Cluster Admins have read-only infrastructure access plus Cluster CRUD (Create, Read, Update, and Delete) operations. |
| Namespace Admin | A role allowed to access only specified namespaces. |
| Namespace Read Only | A Read Only version of the Namespace Admin role. |
| Infrastructure Admin | An infrastructure-focused role with Read and Write access to Clusters, Namespaces, Blueprints, Add-ons, and Cloud Credentials. |
| Infrastructure Read Only | A Read Only version of the Infrastructure Admin role. |

Important

We strongly recommend that customers have at least two active Organization Admins per Org.

The image below shows the hierarchy of roles in a typical Org.

Hierarchy of Roles


Multiple Roles

Users can be associated with multiple roles at the same time. In such scenarios, the union of the permissions associated with all of the user's roles is applied.
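The union rule above, together with the two-Organization-Admin recommendation, as an added example that is not the platform's own code or API. The resource lists are transcribed from the role table on this page for the roles that list resources explicitly; the data structures, function names, the `*` scope marker and the sample assignments are constructed for illustration, and "active" status is not modelled.

```python
# Illustrative model only: not the platform's API or data format.
# Resource lists are transcribed from the "Types of Roles" table on this page.
WORKLOAD = {"workloads", "certificates", "registries", "secret stores",
            "aggregation endpoints"}
ORG_WIDE = WORKLOAD | {"namespaces", "clusters", "add-ons", "blueprints"}
INFRA = {"clusters", "namespaces", "blueprints", "add-ons", "cloud credentials"}

# role name -> (resources covered, access levels granted on them)
ROLES = {
    "Organization Admin": (ORG_WIDE, {"read", "write"}),
    "Org Admin Read Only": (ORG_WIDE, {"read"}),
    "Project Admin": (WORKLOAD, {"read", "write"}),
    "Project Read Only": (WORKLOAD, {"read"}),
    "Infrastructure Admin": (INFRA, {"read", "write"}),
    "Infrastructure Read Only": (INFRA, {"read"}),
}

ALL_PROJECTS = "*"  # hypothetical marker for an Org-wide assignment

# Constructed sample assignments: (user, role, project scope)
SAMPLE = [
    ("alice@example.com", "Organization Admin", ALL_PROJECTS),
    ("bob@example.com", "Project Read Only", "production"),
    ("bob@example.com", "Infrastructure Admin", "production"),
    ("bob@example.com", "Project Admin", "staging"),
]


def effective_permissions(assignments, user, project):
    """Union of the permissions of every role the user holds in `project`."""
    perms = {}
    for who, role, scope in assignments:
        if who != user or scope not in (project, ALL_PROJECTS):
            continue
        resources, access = ROLES[role]
        for resource in resources:
            perms.setdefault(resource, set()).update(access)
    return perms


def org_admin_shortfall(assignments, minimum=2):
    """How many Organization Admins are missing to reach `minimum` (0 if met)."""
    admins = {who for who, role, _ in assignments if role == "Organization Admin"}
    return max(0, minimum - len(admins))


if __name__ == "__main__":
    for res, access in sorted(effective_permissions(SAMPLE, "bob@example.com", "production").items()):
        print(f"{res}: {', '.join(sorted(access))}")
    print("Organization Admins missing:", org_admin_shortfall(SAMPLE))
```

Because the rule is a union, a Read Only role never narrows what another role grants, so an access review has to look at every role a user holds in a project rather than any single assignment.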


Determine Role as End User

Authorized users in an Org can quickly determine their exact role and profile in the Web Console.

  • Log in to the Web Console
  • Click on your name/email address on the top right
  • Select Profile from the drop-down

The example below is for a user having an "Org Admin" role for "ALL PROJECTS".

User with Organization Admin Role

The example below is for a user having an "Infra Admin" role for the "Production Project".

Infra Admin


Determine User's Role as Org Admin

An Org Admin can quickly determine a user's role assignments.

  • Navigate to System -> Users
  • Search for the specific user
  • View current role assignments

An illustrative example is shown below for a user. In this case, this user has an "Org Admin" role and has access to all projects in the Org.

Add User with Organization Admin Role


Manage Roles

Org Administrators are responsible for assigning and managing roles for users in the Organization. All changes and activities with user role assignments are audited and can be viewed in the Audit section. Users can be assigned roles in one of two ways, providing flexibility in how organizations would like to manage access.

  • By Group (Associate role to a specific group. Add/remove users to the group)
  • Per User (Associate role to a specific user)

Manage Role By Group

Group-based role assignments are well suited for handling a large number of users that need similar roles. For example, it is much easier to create a group called "developers", configure this group with the required role, and manage users through the group.

When a new developer joins the organization, instead of taking on the burden of managing users one by one, the admin only has to add this new developer to the "developers" group.

Review the detailed documentation on Groups for information on managing roles by group.


Manage Role Per User

In some cases, it may be required to manage roles with a "per user" granularity. Perform the steps below.

  • Log in to the Web Console as an Org Admin
  • Select System -> Users
  • Search and select the desired user
  • If required, make any changes in the profile page and click Save

Select Projects Tab

  • Select the Projects tab
  • Click Assign User To Project

Projects Dropdown

  • Select the project from the drop down
  • Assign Role(s) and click SAVE & EXIT

Assign Role

  • Click DISCARD CHANGES & EXIT to abort the process