Role definitions for projects

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

Name: The name of a role displayed in the user interface (UI).
Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
Level: The specification of whether this role is scoped by the organization or a project.
Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or ProjectClusterRole.
Binding type: The type of binding that you must apply to this role.
Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
Escalates to: The specification of whether this role escalates to other roles or not.

AO persona, predefined identity and access roles

AO persona
Name	Kubernetes resource name	Initial admin	Level	Type
Project IAM Admin	`project-iam-admin`	True	Project	`Role`
Artifact Management Admin	`artifact-management-admin`	False	Project	`Role`
Artifact Management Editor	`artifact-management-editor`	False	Project	`Role`
Dashboard Editor	`dashboard-editor`	False	Project	`Role`
Dashboard Viewer	`dashboard-viewer`	False	Project	`Role`
Harbor Instance Admin	`harbor-instance-admin`	False	Project	`Role`
Harbor Instance Viewer	`harbor-instance-viewer`	False	Project	`Role`
Kubernetes Network Policy Admin	`k8s-networkpolicy-admin`	False	Project	`ProjectRole`
Marketplace Editor	`marketplace-editor`	False	Project	`Role`
MonitoringRule Editor	`monitoringrule-editor`	False	Project	`Role`
MonitoringRule Viewer	`monitoringrule-viewer`	False	Project	`Role`
MonitoringTarget Editor	`monitoringtarget-editor`	False	Project	`Role`
MonitoringTarget Viewer	`monitoringtarget-viewer`	False	Project	`Role`
Namespace Admin	`namespace-admin`	False	Project	`ProjectRole`
ObservabilityPipeline Editor	`observabilitypipeline-editor`	False	Project	`Role`
ObservabilityPipeline Viewer	`observabilitypipeline-viewer`	False	Project	`Role`
Project Bucket Admin	`project-bucket-admin`	False	Project	`Role`
Project Bucket Object Admin	`project-bucket-object-admin`	False	Project	`Role`
Project Bucket Object Viewer	`project-bucket-object-viewer`	False	Project	`Role`
Project Cortex Alertmanager Viewer	`project-cortex-alertmanager-viewer`	False	Project	`Role`
Project Cortex Prometheus Viewer	`project-cortex-prometheus-viewer`	False	Project	`Role`
Project Grafana Viewer	`project-grafana-viewer`	False	Project	`Role`
Project Network Policy Admin	`project-networkpolicy-admin`	False	Project	`Role`
Project Viewer	`project-viewer`	False	Project	`Role`
Project VirtualMachine Admin	`project-vm-admin`	False	Project	`Role`
Project VirtualMachine Image Admin	`project-vm-image-admin`	False	Project	`Role`
Secret Admin	`secret-admin`	False	Project	`Role`
Secret Viewer	`secret-viewer`	False	Project	`Role`

AO persona, predefined identity, and access roles

AO persona
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
Project IAM Admin	`RoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `ProjectClusterRole`, `ProjectRoleBinding`, and `ProjectClusterRoleBinding`: Create, read, update, delete, and bind `ProjectServiceAccount`: Create, read, update, and delete List project namespace	N/A	All other AO roles
Artifact Management Admin	`RoleBinding`	`HarborProjects`: Admin, create, read, write, delete, and view	N/A	N/A
Artifact Management Editor	`RoleBinding`	`HarborProjects`: Read, write, and view	N/A	N/A
Dashboard Editor	`RoleBinding`	`Dashboard` custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	`RoleBinding`	`Dashboard`: Get and read	N/A	N/A
Harbor Instance Admin	`RoleBinding`	Harbor instances: Create, read, update, delete, and patch	N/A	N/A
Harbor Instance Viewer	`RoleBinding`	Harbor instances: Read	N/A	N/A
Kubernetes Network Policy Admin	`ProjectRoleBinding`	N/A	Kubernetes network policies: Read and write in the user cluster	N/A
Marketplace Editor	`RoleBinding`	N/A	Service instances: Create, update, and delete	N/A
MonitoringRule Editor	`RoleBinding`	`MonitoringRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	`RoleBinding`	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget Editor	`RoleBinding`	`MonitoringTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	`RoleBinding`	`MonitoringTarget` custom resources: Read	N/A	N/A
Namespace Admin	`ProjectRoleBinding`	N/A	All resources: Read and write access in the project namespace, excluding the system cluster	N/A
ObservabilityPipeline Editor	`RoleBinding`	`ObservabilityPipeline` resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	`RoleBinding`	`ObservabilityPipeline` resources: Get and read	N/A	N/A
Project Bucket Admin	`RoleBinding`	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	`RoleBinding`	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	`RoleBinding`	Bucket and objects: Read	N/A	N/A
Project Cortex Alertmanager Viewer	`RoleBinding`	Cortex system and Cortex Alertmanager: Read	N/A	N/A
Project Cortex Prometheus Viewer	`RoleBinding`	Cortex system and Cortex Prometheus: Read	N/A	N/A
Project Grafana Viewer	`RoleBinding`	Grafana system and Grafana: Read and write	N/A	N/A
Project Network Policy Admin	`RoleBinding`	Project network policies: Read and write in the project namespace	N/A	N/A
Project Viewer	`RoleBinding`	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	`RoleBinding`	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	`RoleBinding`	VM images: Read VM image imports: Read and write	N/A	N/A
Secret Admin	`RoleBinding`	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	`RoleBinding`	Kubernetes secrets: Read	N/A	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level	Type
AIS Monitor	`ais-monitor`	False	Organization	`Role`
AIS Debugger	`ais-debugger`	False	Organization	`Role`
DNS Key Manager	`dns-key-manager`	False	Organization	`Role`
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization	`Role`
IAM Debugger	`iam-debugger`	False	Organization	`Role` `ClusterRole`
IAM Monitor	`iam-monitor`	False	Organization	`Role` `ClusterRole`
Marketplace Service Viewer	`marketplace-service-viewer`	False	Project	`ClusterRole`
Marketplace Viewer	`marketplace-viewer`	False	Project	`ClusterRole`
Project Discovery Viewer	`projectdiscovery-viewer`	False	Project	`ClusterRole`
Public Image Viewer	`public-image-viewer`	False	Organization	`Role`
Virtual Machine Type Viewer	`virtualmachinetype-viewer`	False	Organization	`OrganizationRole`
VM Type Viewer	`vmtype-viewer`	False	Organization	`Role`

Common predefined identity and access roles

Common roles
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
AIS Monitor	`RoleBinding`	GKE Identity Service resources: Read	N/A	N/A
AIS Debugger	`RoleBinding`	GKE Identity Service resources: Create, read, update, delete, and patch	N/A	N/A
DNS Key Manager	`RoleBinding`	Secrets and configmaps: Create, read, update, delete, and patch	N/A	N/A
DNS Suffix Viewer	`ClusterRoleBinding`	DNS suffix config maps: Read	N/A	N/A
IAM Debugger	`RoleBinding`	`Role`: IAM resources in `iam-system` namespace: Create, read, update, delete, and patch `ClusterRole`: Identity provider configs, client configs, roles, cluster roles, organization roles, project roles, organization role bindings, project role bindings: Create, read, update, delete, and patch	N/A	N/A
IAM Monitor	`RoleBinding`	`Role`: IAM resources in `iam-system` namespace: Read `ClusterRole`: Identity provider configs, client configs, `IoAuthMethods`, cluster role templates, role templates, role templates, project role templates, organization role templates, role bindings, roles, cluster role bindings, cluster roles, organization roles, project roles, organization role bindings, project role bindings: Read	N/A	N/A
Marketplace Service Viewer	`ClusterRoleBinding`	Marketplace services: Read	N/A	N/A
Marketplace Viewer	`ClusterRoleBinding`	Service versions and service instances: Read	N/A	N/A
Project Discovery Viewer	`ClusterRoleBinding`	Projects: Read	N/A	N/A
Public Image Viewer	`RoleBinding`	VM images: Read	N/A	N/A
System Project VirtualMachine Admin	`RoleBinding`	VMs, VM disks, VM access requests, and VM external access: Create, get, read, update, delete, and patch VM backup templates, VM backup requests, VM restore requests, and VM delete backup requests: Create, read, and delete VM backup plans, VM restores: Get, read, and delete VM backups and VM images: Get and read VM restart: Update	N/A	N/A
Virtual Machine Type Viewer	`OrganizationRoleBinding`	N/A	VM types: Read	N/A
VM Type Viewer	`ClusterRoleBinding`	VM types: Read	N/A	N/A