Application Operator roles
An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:
- Project IAM Admin: Manages the IAM allow policies of projects.
- Artifact Management Admin: Has admin access to resources in all Harbor projects in the project namespace.
- Artifact Management Editor: Has read and write access to resources in all Harbor projects in the project namespace.
- Dashboard Editor: Has read and write access on Dashboard custom resources.
- Dashboard Viewer: Has read-only access on Dashboard custom resources.
- Harbor Instance Admin: Has full access to manage Harbor instances in a project.
- Harbor Instance Viewer: Has read-only access to view Harbor instances in a project.
- K8s Network Policy Admin: Manages network policies in user clusters.
- Marketplace Editor: Has create, update, and delete access on service instances in a project.
- MonitoringRule Editor: Has read and write access to MonitoringRule resources.
- MonitoringRule Viewer: Has read-only access to MonitoringRule custom resources.
- MonitoringTarget Editor: Has read and write access to MonitoringTarget custom resources.
- MonitoringTarget Viewer: Has read-only access to MonitoringTarget custom resources.
- Namespace Admin: Manages all resources within the project namespace.
- ObservabilityPipeline Editor: Has read and write access on ObservabilityPipeline custom resources.
- ObservabilityPipeline Viewer: Has read-only access on ObservabilityPipeline custom resources.
- Project Bucket Admin: Manages the storage buckets and objects within buckets.
- Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.
- Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.
- Project Cortex Alertmanager Viewer: Grants permissions to access the Cortex Alertmanager instance in the project namespace.
- Project Cortex Prometheus Viewer: Grants permissions to access the Cortex Prometheus instance in the project namespace.
- Project Grafana Viewer: Accesses the Grafana instance in the project namespace of the fleet admin cluster.
- Project Network Policy Admin: Manages the project network policies in the project namespace.
- Project Viewer: Has read-only access to all resources within project namespaces.
- Project VirtualMachine Admin: Manages VMs in the project namespace.
- Project VirtualMachine Image Admin: Manages VM images in the project namespace.
- Secret Admin: Manages Kubernetes secrets in projects.
- Secret Viewer: Views Kubernetes secrets in projects.
Common roles
The following predefined common roles apply to all authenticated users:
- AIS Debugger: Has full access to all GKE Identity Service (AIS) resources in the iam-system namespace.
- AIS Monitor: Has read-only access to all AIS resources in the iam-system namespace.
- DNS Key Manager: Has read and write permissions on DNSSEC key configurations and key material.
- DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
- IAM Debugger: Has read and write access on all IAM resources for mitigation in the iam-system namespace for the role types Role and ClusterRole.
- IAM Monitor: Has read-only access to all Identity and Access Management (IAM) resources in the iam-system namespace for the role types Role and ClusterRole.
- Marketplace Service Viewer: Has read access for all authenticated users to Marketplace services in the system namespace.
- Marketplace Viewer: Has read-only access on service versions and service instances.
- Project Discovery Viewer: Has read access for all authenticated users to the project view.
- Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
- Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
- VM Type Viewer: Has read access to the predefined virtual machine types on the admin clusters.