The tables in this section describe the predefined roles and their permissions. Each persona has two tables: the first lists each role's name, Kubernetes resource name, level, and type; the second lists its binding type, permissions, and escalation. The tables contain the following columns:
- Name: The name of the role as displayed in the user interface (UI).
- Kubernetes resource name: The name of the corresponding Kubernetes resource (a built-in Role or ClusterRole, or a custom resource).
- Initial admin: Whether this is the persona's initial administrator role. It is True for exactly one role per persona (Security Admin, Organization IAM Admin, and Project IAM Admin), and each of those roles escalates to all other roles of its persona.
- Level: Whether the role is scoped to the organization or to a project.
- Type: The type of this role, for example Role, ProjectRole, ClusterRole, or ProjectClusterRole.
- Binding type: The type of binding that you must apply to grant this role. Use the binding type listed for the role; it usually, but not always, matches the role type (for example, several ClusterRoles in these tables are granted with a RoleBinding, which confines the ClusterRole's permissions to the namespace of the binding).
- Admin or user cluster permissions: The permissions that this role has in admin or user clusters. Possible values are read, write, read and write, or not applicable (N/A).
- Escalates to: The other roles, if any, that this role escalates to. Treat a role with an entry in this column as at least as powerful as every role it lists.
Role types
Consider the following key differences between the role types when you assign roles:
- ClusterRole: A Kubernetes RBAC role at cluster scope in admin or user clusters.
- Role: A Kubernetes RBAC role at namespace scope in admin or user clusters.
- ProjectRole: A custom resource (defined by a CRD) that carries a set of permissions and is bound to user clusters and project namespaces. A ProjectRole propagates to each user cluster as a Role there.
- ProjectClusterRole: A custom resource (defined by a CRD) that carries a set of permissions and propagates to all user clusters as a ClusterRole there.
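The following manifests are an added illustration of how the binding type follows the role scope; they are not from the original page and are not GDC's own code. They reference two predefined roles from the tables below, organization-iam-viewer (an organization-level ClusterRole from the PA table) and project-viewer (a project-level Role from the AO table), using ordinary Kubernetes RBAC bindings on the admin cluster. The subject names and the project namespace are hypothetical placeholders.

```yaml
# Added example, not from the page. User names, binding names and the
# project namespace are placeholders.

# Organization-level ClusterRole -> ClusterRoleBinding.
# The predefined ClusterRole is only referenced here, never redefined.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-organization-iam-viewer      # hypothetical binding name
subjects:
- kind: User
  name: alice@example.com                  # hypothetical subject
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: organization-iam-viewer            # predefined role, PA table
  apiGroup: rbac.authorization.k8s.io
---
# Project-level Role -> RoleBinding in the project namespace.
# A RoleBinding is namespaced, so the grant stops at this one project.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bob-project-viewer                 # hypothetical binding name
  namespace: my-project                    # hypothetical project namespace
subjects:
- kind: User
  name: bob@example.com                    # hypothetical subject
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: project-viewer                     # predefined role, AO table
  apiGroup: rbac.authorization.k8s.io
```

Because Role and ClusterRole are standard Kubernetes RBAC objects, you can inspect the rules a predefined role actually carries with `kubectl describe clusterrole organization-iam-viewer` (or `kubectl describe role -n my-project project-viewer`) and check the effect of a binding with `kubectl auth can-i --list --as=alice@example.com`. A RoleBinding that references a ClusterRole is valid Kubernetes RBAC and grants that ClusterRole's rules only inside the binding's namespace, which is why some ClusterRoles in the tables list RoleBinding as their binding type. ProjectRole, OrganizationRole, and their bindings are GDC custom resources and are not shown in this example.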
Predefined identity and access roles tables
The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:
IO persona, predefined identity and access roles (names and types)

| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| Security Admin | `security-admin` | True | Organization | ClusterRole |
| AIS Admin | `ais-admin` | False | Organization | Role |
| AIS Debugger | `ais-debugger` | False | Organization | Role |
| AIS Monitor | `ais-monitor` | False | Organization | Role |
| DNS Admin | `dns-admin` | False | Organization | ClusterRole |
| DNS Debugger | `dns-debugger-root` | False | Organization | ClusterRole |
| DNS Monitor | `dns-monitor` | False | Organization | ClusterRole |
| DNS Suffix Viewer | `dnssuffix-viewer` | False | Organization | ClusterRole |
| Emergency SSH Creds Admin | `emergencysshcreds-admin` | False | Organization | Role |
| Grafana Viewer | `grafana-viewer` | False | Organization | ClusterRole |
| Grafana Debugger | `grafana-debugger` | False | Project | ProjectRole |
| Hardware Admin | `hardware-admin` | False | Organization | ClusterRole |
| Kiali Admin | `kiali-admin` | False | Organization | ClusterRole |
| KUB Monitor | `kub-monitor` | False | Organization | ClusterRole |
| Observability Admin | `observability-admin` | False | Organization | Role |
| Observability Debugger | `observability-debugger` | False | Organization | OrganizationRole |
| Observability System Debugger | `observability-system-debugger` | False | Organization | OrganizationRole |
| Observability Viewer | `observability-viewer` | False | Organization | Role |
| OCLCM Debugger | `oclcm-debugger-root` | False | Organization | ClusterRole |
| OCLCM Viewer | `oclcm-viewer-root` | False | Organization | ClusterRole |
| Organization Admin | `organization-admin` | False | Organization | ClusterRole |
| Organization System Artifact Management Admin | `organization-system-artifact-management-admin` | False | Organization | Role |
| Organization System Artifact Management Debugger | `organization-system-artifact-management-debugger` | False | Organization | ClusterRole |
| PNET Debugger | `pnet-debugger` | False | Organization | ClusterRole |
| PNET Monitor | `pnet-monitor` | False | Organization | ClusterRole |
| Policy Admin | `policy-admin` | False | Organization | ClusterRole |
| Remote Logger Admin | `remote-logger-admin` | False | Organization | Role |
| Remote Logger Viewer | `remote-logger-viewer` | False | Organization | Role |
| Root Cortex Alertmanager Editor | `root-cortex-alertmanager-editor` | False | Organization | Role |
| Root Cortex Alertmanager Viewer | `root-cortex-alertmanager-viewer` | False | Organization | Role |
| Root Cortex Prometheus Viewer | `root-cortex-prometheus-viewer` | False | Organization | Role |
| Root Session Admin | `root-session-admin` | False | Organization | Role |
| Security Viewer | `security-viewer` | False | Organization | ClusterRole |
| Service Now Admin | `service-now-admin` | False | Project | Role |
| Service Now Admin | `service-now-admin` | False | Project | ProjectRole |
| System Artifact Management Admin | `system-artifact-management-admin` | False | Organization | Role |
| System Artifact Management Secrets Admin | `system-artifact-management-secrets-admin` | False | Organization | Role |
| System Artifact Registry Harbor Admin | `sar-harbor-admin` | False | Organization | Role |
| System Artifact Registry Harbor Read | `sar-harbor-read` | False | Organization | Role |
| System Artifact Registry Harbor ReadWrite | `sar-harbor-readwrite` | False | Organization | Role |
| System Artifact Registry Debugger | `sar-debugger-root` | False | Organization | ClusterRole |
| System Artifact Registry Monitor | `sar-monitor-root` | False | Organization | ClusterRole |
| System Cluster Admin | `system-cluster-admin` | False | Organization | OrganizationRole |
| System Cluster DNS Debugger | `system-cluster-dns-debugger` | False | Organization | OrganizationRole |
| System Cluster Viewer | `system-cluster-viewer` | False | Organization | OrganizationRole |
| System Project VirtualMachine Admin | `system-project-vm-admin` | False | Role | Role |
| Transfer Appliance Request Admin | `transfer-appliance-request-admin` | False | Organization | ClusterRole |
| UNET CLI Org Admin Monitor | `unet-cli-org-admin-monitor` | False | Organization | ClusterRole |
| UNET CLI Root Admin Monitor | `unet-cli-root-admin-monitor` | False | Organization | ClusterRole |
| UNET CLI System Monitor | `unet-cli-system-monitor` | False | Organization | OrganizationRole |
| UNET CLI User Monitor | `unet-cli-user-monitor` | False | Organization | OrganizationRole |
| Upgrade Admin | `upgrade-admin` | False | Organization | ClusterRole |
| Upgrade Debugger | `upgrade-debugger` | False | Organization | OrganizationRole |
| User Cluster DNS Debugger | `user-cluster-dns-debugger` | False | Organization | OrganizationRole |
IO persona, predefined identity and access roles (binding types and permissions)

| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
|---|---|---|---|---|
| Security Admin | ClusterRoleBinding | | N/A | Org IAM Admin and all other IO roles |
| AIS Admin | RoleBinding | | N/A | N/A |
| AIS Debugger | RoleBinding | AIS resources: Create, read, update, delete, and patch | N/A | N/A |
| AIS Monitor | RoleBinding | AIS resources in iam-system namespace: Read and write | N/A | N/A |
| DNS Admin | ClusterRoleBinding | | N/A | N/A |
| DNS Debugger | ClusterRoleBinding | | N/A | N/A |
| DNS Monitor | ClusterRoleBinding | N/A | Configmaps, secrets, DNS Registration API, DNS services, DNS deployments: Read | N/A |
| DNS Suffix Viewer | ClusterRoleBinding | N/A | DNS suffix configmap: Read | N/A |
| Emergency SSH Creds Admin | RoleBinding | N/A | EmergencySshCredentials: Create, read, and patch | N/A |
| Grafana Debugger | ProjectRoleBinding | Apps, deployments, stateful sets, and pods: Read, update, delete, and patch | Apps, deployments, stateful sets, and pods: Read, update, delete, and patch | N/A |
| Grafana Viewer | RoleBinding | GrafanaSystem and Grafana: Read and write | N/A | N/A |
| Hardware Admin | ClusterRoleBinding | Hardware-related CRD: Read and write | N/A | N/A |
| Kiali Admin | RoleBinding | N/A | | N/A |
| KUB Monitor | ClusterRoleBinding | KUB resources: Read | N/A | N/A |
| Observability Admin | RoleBinding | | | N/A |
| Observability Debugger | OrganizationRoleBinding | | N/A | N/A |
| Observability System Debugger | OrganizationRoleBinding | | N/A | N/A |
| Observability Viewer | RoleBinding | obs-system namespace: Read | obs-system namespace: Read | N/A |
| OCLCM Debugger | ClusterRoleBinding | `oclcm-debugger`: | `oclcm-debugger-root`: | N/A |
| OCLCM Viewer | ClusterRoleBinding | `oclcm-viewer`: | `oclcm-viewer-root`: | N/A |
| Organization Admin | ClusterRoleBinding | | N/A | N/A |
| Organization System Artifact Management Admin | RoleBinding | | N/A | N/A |
| PNET Debugger | ClusterRoleBinding | N/A | | N/A |
| PNET Monitor | ClusterRoleBinding | N/A | PNET deployments, deployment logs, pods, pod logs, subnet claims, and switches: Read | N/A |
| Policy Admin | ClusterRoleBinding | Constraints: Create, edit, and delete | N/A | N/A |
| Remote Logger Admin | RoleBinding | Deployments: Read, update, patch, and delete | Deployments: Read, update, patch, and delete | N/A |
| Remote Logger Viewer | RoleBinding | Deployments: Read | Deployments: Read | N/A |
| Root Cortex Alertmanager Editor | RoleBinding | N/A | Cortex Alertmanager, logging rules, and monitoring rules custom resources: Create, delete, read, patch, and update | N/A |
| Root Cortex Alertmanager Viewer | RoleBinding | N/A | Cortex Alertmanager, logging rules, and monitoring rules custom resources: Read | N/A |
| Root Cortex Prometheus Viewer | RoleBinding | N/A | Cortex system and Cortex Prometheus: Read | N/A |
| Root Session Admin | RoleBinding | N/A | Istio resource manager: Create, read, update, delete, and patch | N/A |
| Security Viewer | ClusterRoleBinding | | N/A | N/A |
| Service Now Admin | RoleBinding | Dnsregistrations, Projectnetworkpolicies, Virtualservices, Envoyfilters, Destinationrules, Monitoringtargets, Monitoringrules, and Dashboards: Read and write | N/A | N/A |
| Service Now Admin | ProjectRoleBinding | N/A | Services, configmaps, pod logs, and secrets: Read and write | N/A |
| System Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | | N/A |
| System Artifact Management Secrets Admin | RoleBinding | N/A | | N/A |
| System Artifact Registry Harbor Admin | RoleBinding | Harbor projects: Create, read, update, patch, and delete | Harbor projects: Create, read, update, patch, and delete | N/A |
| System Cluster Admin | OrganizationRoleBinding | N/A | System cluster: Create, delete, update, and read | N/A |
| System Artifact Registry Harbor Read | RoleBinding | N/A | Harbor projects: Read | N/A |
| System Artifact Registry Harbor ReadWrite | RoleBinding | N/A | Harbor projects: Create, read, and write | N/A |
| System Artifact Registry Debugger | ClusterRoleBinding | N/A | | N/A |
| System Artifact Registry Monitor | ClusterRoleBinding | N/A | Harbor clusters, secrets, and CRDs: Read | N/A |
| System Cluster DNS Debugger | OrganizationRoleBinding | N/A | | N/A |
| System Cluster Viewer | OrganizationRoleBinding | N/A | System cluster: Read and write | N/A |
| Transfer Appliance Request Admin | ClusterRoleBinding | Transferappliancerequests: Read and write | N/A | N/A |
| UNET CLI Org Admin Monitor | ClusterRoleBinding | | N/A | N/A |
| UNET CLI Root Admin Monitor | ClusterRoleBinding | N/A | | N/A |
| UNET CLI System Monitor | OrganizationRoleBinding | N/A | | N/A |
| UNET CLI User Monitor | OrganizationRoleBinding | N/A | | N/A |
| Upgrade Admin | ClusterRoleBinding | N/A | | N/A |
| Upgrade Debugger | OrganizationRoleBinding | N/A | | N/A |
| User Cluster DNS Debugger | OrganizationRoleBinding | N/A | | N/A |
PA persona, predefined identity and access roles (names and types)

| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| Organization IAM Admin | `organization-iam-admin` | True | Organization | ClusterRole |
| Bucket Admin | `bucket-admin` | False | Organization | ClusterRole |
| Bucket Object Admin | `bucket-object-admin` | False | Organization | ClusterRole |
| Bucket Object Viewer | `bucket-object-viewer` | False | Organization | ClusterRole |
| GDCH Restrict By Attributes Policy Admin | `gdchrestrictbyattributes-policy-admin` | False | Organization | ClusterRole |
| GDCH Restricted Service Policy Admin | `gdchrestrictedservice-policy-admin` | False | Organization | ClusterRole |
| IdP Federation Admin | `idp-federation-admin` | False | Organization | Role |
| Marketplace Service Editor | `marketplace-service-editor` | False | Organization | ClusterRole |
| Org Session Admin | `org-session-admin` | False | Organization | Role |
| Organization Grafana Viewer | `organization-grafana-viewer` | False | Organization | ClusterRole |
| Organization IAM Viewer | `organization-iam-viewer` | False | Organization | ClusterRole |
| Organization DB Admin | `organization-db-admin` | False | Organization | ClusterRole |
| Organization Upgrade Admin | `organization-upgrade-admin` | False | Organization | ClusterRole |
| Organization Upgrade Viewer | `organization-upgrade-viewer` | False | Organization | ClusterRole |
| Project Creator | `project-creator` | False | Organization | ClusterRole |
| Project Editor | `project-editor` | False | Organization | ClusterRole |
| Transfer Appliance Request Creator | `transfer-appliance-request-creator` | False | Organization | ClusterRole |
| User Cluster Admin | `user-cluster-admin` | False | Organization | ClusterRole |
| User Cluster Backup Admin | `user-cluster-backup-admin` | False | Organization | OrganizationRole |
| User Cluster Developer | `user-cluster-developer` | False | Organization | OrganizationRole |
| User Cluster Node Viewer | `user-cluster-node-viewer` | False | Organization | OrganizationRole |
PA persona, predefined identity and access roles (binding types and permissions)

| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
|---|---|---|---|---|
| Organization IAM Admin | ClusterRoleBinding | | N/A | Project IAM Admin and all other PA roles |
| Bucket Admin | ClusterRoleBinding | Bucket and objects: Read and write | N/A | N/A |
| Bucket Object Admin | ClusterRoleBinding | | N/A | N/A |
| Bucket Object Viewer | ClusterRoleBinding | Bucket and objects: Read | N/A | N/A |
| GDCH Restrict By Attributes Policy Admin | ClusterRoleBinding | GDCH restricted attributes policies: Create, edit, and delete | N/A | N/A |
| GDCH Restricted Service Policy Admin | ClusterRoleBinding | GDCH restricted service policies: Create, edit, and delete | N/A | N/A |
| IdP Federation Admin | RoleBinding | Identity provider configs and secrets: Create, read, update, patch, and delete | N/A | N/A |
| Marketplace Service Editor | ClusterRoleBinding | | N/A | N/A |
| Org Session Admin | RoleBinding | Istio authorization resource: Create, read, update, and delete | N/A | N/A |
| Organization Grafana Viewer | RoleBinding | GrafanaSystem and Grafana: Read and write | N/A | N/A |
| Organization IAM Viewer | ClusterRoleBinding | | N/A | N/A |
| Organization DB Admin | ClusterRoleBinding | | N/A | N/A |
| Organization Upgrade Admin | ClusterRoleBinding | Maintenance windows: Get, list, watch, update, and patch | N/A | N/A |
| Organization Upgrade Viewer | ClusterRoleBinding | Maintenance windows: Get, list, and watch | N/A | N/A |
| Project Creator | ClusterRoleBinding | | N/A | N/A |
| Project Editor | ClusterRoleBinding | | N/A | N/A |
| Transfer Appliance Request Creator | ClusterRoleBinding | TransferApplianceRequest custom resource (CR): Read and create | N/A | N/A |
| User Cluster Admin | ClusterRoleBinding | | | N/A |
| User Cluster Backup Admin | OrganizationRoleBinding | N/A | | N/A |
| User Cluster Developer | OrganizationRoleBinding | N/A | Clusters: Read and write | N/A |
| User Cluster Node Viewer | OrganizationRoleBinding | N/A | Clusters: Read | N/A |
AO persona, predefined identity and access roles (names and types)

| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| Project IAM Admin | `project-iam-admin` | True | Project | Role |
| Artifact Management Admin | `artifact-management-admin` | False | Project | Role |
| Artifact Management Editor | `artifact-management-editor` | False | Project | Role |
| Dashboard Editor | `dashboard-editor` | False | Project | Role |
| Dashboard Viewer | `dashboard-viewer` | False | Project | Role |
| Harbor Instance Admin | `harbor-instance-admin` | False | Project | Role |
| Harbor Instance Viewer | `harbor-instance-viewer` | False | Project | Role |
| Kubernetes Network Policy Admin | `k8s-networkpolicy-admin` | False | Project | ProjectRole |
| Marketplace Editor | `marketplace-editor` | False | Project | Role |
| MonitoringRule Editor | `monitoringrule-editor` | False | Project | Role |
| MonitoringRule Viewer | `monitoringrule-viewer` | False | Project | Role |
| MonitoringTarget Editor | `monitoringtarget-editor` | False | Project | Role |
| MonitoringTarget Viewer | `monitoringtarget-viewer` | False | Project | Role |
| Namespace Admin | `namespace-admin` | False | Project | ProjectRole |
| ObservabilityPipeline Editor | `observabilitypipeline-editor` | False | Project | Role |
| ObservabilityPipeline Viewer | `observabilitypipeline-viewer` | False | Project | Role |
| Project Bucket Admin | `project-bucket-admin` | False | Project | Role |
| Project Bucket Object Admin | `project-bucket-object-admin` | False | Project | Role |
| Project Bucket Object Viewer | `project-bucket-object-viewer` | False | Project | Role |
| Project Cortex Alertmanager Viewer | `project-cortex-alertmanager-viewer` | False | Project | Role |
| Project Cortex Prometheus Viewer | `project-cortex-prometheus-viewer` | False | Project | Role |
| Project Grafana Viewer | `project-grafana-viewer` | False | Project | Role |
| Project Network Policy Admin | `project-networkpolicy-admin` | False | Project | Role |
| Project Viewer | `project-viewer` | False | Project | Role |
| Project VirtualMachine Admin | `project-vm-admin` | False | Project | Role |
| Project VirtualMachine Image Admin | `project-vm-image-admin` | False | Project | Role |
| Secret Admin | `secret-admin` | False | Project | Role |
| Secret Viewer | `secret-viewer` | False | Project | Role |
AO persona, predefined identity and access roles (binding types and permissions)

| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
|---|---|---|---|---|
| Project IAM Admin | RoleBinding | | N/A | All other AO roles |
| Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | N/A | N/A |
| Artifact Management Editor | RoleBinding | HarborProjects: Read, write, and view | N/A | N/A |
| Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | RoleBinding | Dashboard: Get and read | N/A | N/A |
| Harbor Instance Admin | RoleBinding | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | RoleBinding | Harbor instances: Read | N/A | N/A |
| Kubernetes Network Policy Admin | ProjectRoleBinding | N/A | Kubernetes network policies: Read and write in the user cluster | N/A |
| Marketplace Editor | RoleBinding | N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | ProjectRoleBinding | N/A | All resources: Read and write access in the project namespace, excluding the system cluster | N/A |
| ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | RoleBinding | | N/A | N/A |
| Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A |
| Project Cortex Alertmanager Viewer | RoleBinding | Cortex system and Cortex Alertmanager: Read | N/A | N/A |
| Project Cortex Prometheus Viewer | RoleBinding | Cortex system and Cortex Prometheus: Read | N/A | N/A |
| Project Grafana Viewer | RoleBinding | Grafana system and Grafana: Read and write | N/A | N/A |
| Project Network Policy Admin | RoleBinding | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | RoleBinding | | N/A | N/A |
| Project VirtualMachine Image Admin | RoleBinding | | N/A | N/A |
| Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A |
Common predefined identity and access roles (names and types)

| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| AIS Monitor | `ais-monitor` | False | Organization | Role |
| AIS Debugger | `ais-debugger` | False | Organization | Role |
| DNS Key Manager | `dns-key-manager` | False | Organization | Role |
| DNS Suffix Viewer | `dnssuffix-viewer` | False | Organization | Role |
| IAM Debugger | `iam-debugger` | False | Organization | |
| IAM Monitor | `iam-monitor` | False | Organization | |
| Marketplace Service Viewer | `marketplace-service-viewer` | False | Project | ClusterRole |
| Marketplace Viewer | `marketplace-viewer` | False | Project | ClusterRole |
| Project Discovery Viewer | `projectdiscovery-viewer` | False | Project | ClusterRole |
| Public Image Viewer | `public-image-viewer` | False | Organization | Role |
| Virtual Machine Type Viewer | `virtualmachinetype-viewer` | False | Organization | OrganizationRole |
| VM Type Viewer | `vmtype-viewer` | False | Organization | Role |
Common predefined identity and access roles (binding types and permissions)

| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
|---|---|---|---|---|
| AIS Monitor | RoleBinding | GKE Identity Service resources: Read | N/A | N/A |
| AIS Debugger | RoleBinding | GKE Identity Service resources: Create, read, update, delete, and patch | N/A | N/A |
| DNS Key Manager | RoleBinding | Secrets and configmaps: Create, read, update, delete, and patch | N/A | N/A |
| DNS Suffix Viewer | ClusterRoleBinding | DNS suffix config maps: Read | N/A | N/A |
| IAM Debugger | RoleBinding | Role: / ClusterRole: | N/A | N/A |
| IAM Monitor | RoleBinding | Role: / ClusterRole: | N/A | N/A |
| Marketplace Service Viewer | ClusterRoleBinding | Marketplace services: Read | N/A | N/A |
| Marketplace Viewer | ClusterRoleBinding | Service versions and service instances: Read | N/A | N/A |
| Project Discovery Viewer | ClusterRoleBinding | Projects: Read | N/A | N/A |
| Public Image Viewer | RoleBinding | VM images: Read | N/A | N/A |
| System Project VirtualMachine Admin | RoleBinding | | N/A | N/A |
| Virtual Machine Type Viewer | OrganizationRoleBinding | N/A | VM types: Read | N/A |
| VM Type Viewer | ClusterRoleBinding | VM types: Read | N/A | N/A |