Users in a Rafay Org are associated with at least one role. The Rafay platform provides a number of roles that can be used to control what users can do in the platform.
Types of Roles

| Role | Description |
|---|---|
| Organization Admin | A privileged, superuser-type role that has access to everything in the Org. This user can view and manage all workload and infrastructure resources across all projects. Specifically, they have Read + Write access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons and blueprints. |
| Project Admin | A privileged role that is allowed to manage all workload resources in a Project. Specifically, they have Read + Write access to workloads, certificates, registries, secret stores and aggregation endpoints. |
| Project Read Only | A Read Only version of the Project Admin role |
| Namespace Admin | A role that is allowed to access only specified namespaces |
| Namespace Read Only | A Read Only version of the Namespace Admin role |
| Infrastructure Admin | An infrastructure-focused role that has Read and Write access to Clusters, Namespaces, Blueprints, Add-ons and Cloud Credentials |
| Infrastructure Read Only | A Read Only version of the Infrastructure Admin role |
Rafay strongly recommends that customers have at least two active Organization Admins per Org.
The image below shows the hierarchy of roles in a typical Org in Rafay.
A user can be associated with multiple roles at the same time. In that case, the user receives the union of the permissions of all assigned roles.
Determine Role as End User
Authorized users in an Org can quickly determine their exact role and profile in the Rafay Console.
- Log in to the Rafay Console
- Click on your name/email address on the top right
- Select Profile from the drop-down
The example below is for a user called "email@example.com" who has an "Org Admin" role.
The example below is for a user called "firstname.lastname@example.org" who has an "Infra Admin" role for the "Production Project".
Determine User's Role as Org Admin
An Org Admin can quickly determine a user's role assignments.
- Navigate to System -> Users
- Search for the specific user
- View current role assignments
An illustrative example is shown below for a user called "email@example.com". In this case, this user has an "Org Admin" role and has access to all projects in the Org.
Org Administrators are responsible for assigning and managing roles for users in the Organization. All changes and activity involving user role assignments are audited and can be viewed in the Audit section. Users can be assigned roles in one of two ways, which gives organizations flexibility in how they manage access.
- By Group (Associate role to specific group. Add/remove users to the group)
- Per User (Associate role to a specific user)
Manage Role By Group
Group-based role assignments are well suited for handling a large number of users that need similar roles. For example, it is a lot easier to create a group called "developers", configure this group with the required role, and manage users in the group.
When a new developer joins the organization, instead of taking on the burden of managing users one by one, the admin just has to add this new developer to the "developers" group.
Review detailed documentation on Groups for information on how to manage roles by group.
Manage Role Per User
In some cases, it may be required to manage roles with a "per user" granularity. Follow the steps described below.
- Log in to the Rafay Console as an Org Admin
- Select System -> Users
- Search for the user and click on the user
- Select the Projects tab
  Role assignments are performed at a Project level.
- Select the project from the drop-down
- Assign Role(s)
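
The Python below is an added example for access reviews, not Rafay code and not a Rafay export format. It models the roles table from this page, resolves a user's effective permissions in a project as the union of per-user and group assignments, and flags an Org with fewer than two active Organization Admins. The user names, group names and assignment layout are constructed, and the Namespace roles are omitted.

```python
# Added illustration. Role names and resource lists come from the roles table on this
# page; the data layout, user names and group names are constructed assumptions.
WORKLOAD = {"workloads", "certificates", "registries", "secret stores", "aggregation endpoints"}
INFRA = {"clusters", "namespaces", "blueprints", "add-ons", "cloud credentials"}

def grants(resources, write):
    """Expand a set of resources into (resource, action) pairs."""
    actions = ("read", "write") if write else ("read",)
    return {(r, a) for r in resources for a in actions}

# Namespace roles are left out: they also need a list of permitted namespaces.
# Organization Admin is modelled as every resource ("access to everything in the Org").
ROLE_PERMS = {
    "Organization Admin": grants(WORKLOAD | INFRA, True),
    "Project Admin": grants(WORKLOAD, True),
    "Project Read Only": grants(WORKLOAD, False),
    "Infrastructure Admin": grants(INFRA, True),
    "Infrastructure Read Only": grants(INFRA, False),
}

GROUPS = {"developers": {"dana", "eli"}}  # constructed group membership
ASSIGNMENTS = [  # constructed: (principal, role, project); "*" means every project
    ("user:alice", "Organization Admin", "*"),
    ("group:developers", "Project Read Only", "production"),
    ("user:dana", "Infrastructure Admin", "production"),
    ("user:eli", "Project Admin", "staging"),
]
ACTIVE_USERS = {"alice", "dana", "eli"}

def effective_permissions(user, project):
    """Union of every role the user holds in the project, directly or via a group."""
    principals = {f"user:{user}"} | {f"group:{g}" for g, m in GROUPS.items() if user in m}
    perms = set()
    for principal, role, scope in ASSIGNMENTS:
        if principal in principals and scope in ("*", project):
            perms |= ROLE_PERMS[role]
    return perms

def active_org_admins():
    """Active users holding Organization Admin, directly or via a group."""
    admins = set()
    for principal, role, _ in ASSIGNMENTS:
        if role == "Organization Admin":
            kind, name = principal.split(":", 1)
            admins |= {name} if kind == "user" else GROUPS.get(name, set())
    return admins & ACTIVE_USERS

def review_findings():
    """Flag an Org with fewer than the two recommended active Organization Admins."""
    n = len(active_org_admins())
    return [] if n >= 2 else [f"only {n} active Organization Admin(s); at least 2 recommended"]
```

In this constructed data, "dana" ends up with read-only workload access from the group plus Read and Write infrastructure access from the per-user assignment, which is the kind of combined grant a review should surface.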