Role definitions

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

Name: The name of a role displayed in the user interface (UI).
Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
Level: The specification of whether this role is scoped by the organization or a project.
Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or ProjectClusterRole.
Binding type: The type of binding that you must apply to this role.
Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
Escalates to: The specification of whether this role escalates to other roles or not.

Role types

Consider the following key differences between the different role types when you assign roles:

ClusterRole is a Kubernetes RBAC role at the cluster scope in admin or user clusters.
Role is a Kubernetes RBAC role at the namespace scope in admin or user clusters.
ProjectRole is a custom resource definition (CRD) with permission defined and is bound to user clusters and namespaces. Project roles propagate to user clusters as a Role there.
ProjectClusterRole is a CRD with permission defined, that propagates to all user clusters as a ClusterRole there.

Predefined identity and access roles tables

The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:

IO Persona, predefined identity and access roles

IO persona
Name	Kubernetes resource name	Initial admin	Level	Type
Security Admin	`security-admin`	True	Organization	`ClusterRole`
AIS Admin	`ais-admin`	False	Organization	`Role`
AIS Debugger	`ais-debugger`	False	Organization	`Role`
AIS Monitor	`ais-monitor`	False	Organization	`Role`
DNS Admin	`dns-admin`	False	Organization	`ClusterRole`
DNS Debugger	`dns-debugger-root`	False	Organization	`ClusterRole`
DNS Monitor	`dns-monitor`	False	Organization	`ClusterRole`
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization	`ClusterRole`
Emergency SSH Creds Admin	`emergencysshcreds-admin`	False	Organization	`Role`
Grafana Viewer	`grafana-viewer`	False	Organization	`ClusterRole`
Grafana Debugger	`grafana-debugger`	False	Project	`ProjectRole`
Hardware Admin	`hardware-admin`	False	Organization	`ClusterRole`
Kiali Admin	`kiali-admin`	False	Organization	`ClusterRole`
KUB Monitor	`kub-monitor`	False	Organization	`ClusterRole`
Observability Admin	`observability-admin`	False	Organization	`Role`
Observability Debugger	`observability-debugger`	False	Organization	`OrganizationRole`
Observability System Debugger	`observability-system-debugger`	False	Organization	`OrganizationRole`
Observability Viewer	`observability-viewer`	False	Organization	`Role`
OCLCM Debugger	`oclcm-debugger-root`	False	Organization	`ClusterRole`
OCLCM Viewer	`oclcm-viewer-root`	False	Organization	`ClusterRole`
Organization Admin	`organization-admin`	False	Organization	`ClusterRole`
Organization System Artifact Management Admin	`organization-system-artifact-management-admin`	False	Organization	`Role`
Organization System Artifact Management Debugger	`organization-system-artifact-management-debugger`	False	Organization	`ClusterRole`
PNET Debugger	`pnet-debugger`	False	Organization	`ClusterRole`
PNET Monitor	`pnet-monitor`	False	Organization	`ClusterRole`
Policy Admin	`policy-admin`	False	Organization	`ClusterRole`
Remote Logger Admin	`remote-logger-admin`	False	Organization	`Role`
Remote Logger Viewer	`remote-logger-viewer`	False	Organization	`Role`
Root Cortex Alertmanager Editor	`root-cortex-alertmanager-editor`	False	Organization	`Role`
Root Cortex Alertmanager Viewer	`root-cortex-alertmanager-viewer`	False	Organization	`Role`
Root Cortex Prometheus Viewer	`root-cortex-prometheus-viewer`	False	Organization	`Role`
Root Session Admin	`root-session-admin`	False	Organization	`Role`
Security Viewer	`security-viewer`	False	Organization	`ClusterRole`
Service Now Admin	`service-now-admin`	False	Project	`Role`
Service Now Admin	`service-now-admin`	False	Project	`ProjectRole`
System Artifact Management Admin	`system-artifact-management-admin`	False	Organization	`Role`
System Artifact Management Secrets Admin	`system-artifact-management-secrets-admin`	False	Organization	`Role`
System Artifact Registry Harbor Admin	`sar-harbor-admin`	False	Organization	`Role`
System Artifact Registry Harbor Read	`sar-harbor-read`	False	Organization	`Role`
System Artifact Registry Harbor ReadWrite	`sar-harbor-readwrite`	False	Organization	`Role`
System Artifact Registry Debugger	`sar-debugger-root`	False	Organization	`ClusterRole`
System Artifact Registry Monitor	`sar-monitor-root`	False	Organization	`ClusterRole`
System Cluster Admin	`system-cluster-admin`	False	Organization	`OrganizationRole`
System Cluster DNS Debugger	`system-cluster-dns-debugger`	False	Organization	`OrganizationRole`
System Cluster Viewer	`system-cluster-viewer`	False	Organization	`OrganizationRole`
System Project VirtualMachine Admin	`system-project-vm-admin`	False	Role	`Role`
Transfer Appliance Request Admin	`transfer-appliance-request-admin`	False	Organization	`ClusterRole`
UNET CLI Org Admin Monitor	`unet-cli-org-admin-monitor`	False	Organization	`ClusterRole`
UNET CLI Root Admin Monitor	`unet-cli-root-admin-monitor`	False	Organization	`ClusterRole`
UNET CLI System Monitor	`unet-cli-system-monitor`	False	Organization	`OrganizationRole`
UNET CLI User Monitor	`unet-cli-user-monitor`	False	Organization	`OrganizationRole`
Upgrade Admin	`upgrade-admin`	False	Organization	`ClusterRole`
Upgrade Debugger	`upgrade-debugger`	False	Organization	`OrganizationRole`
User Cluster DNS Debugger	`user-cluster-dns-debugger`	False	Organization	`OrganizationRole`

IO persona, predefined identity, and access roles

IO persona
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
Security Admin	`ClusterRoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `OrganizationClusterRole`, `ProjectRoleBinding`, and `OrganizationRoleBinding`: Create, read, update, and delete GKE Identity Service custom resources (CR): Read and write	N/A	Org IAM Admin and all other IO roles
AIS Admin	`RoleBinding`	GKE Identity Service pods deployments: Read and write AIS encryption secret: Delete	N/A	N/A
AIS Debugger	`RoleBinding`	AIS resources: Create, read, update, delete, and patch	N/A	N/A
AIS Monitor	`RoleBinding`	AIS resources in `iam-system` namespace: Read and write	N/A	N/A
DNS Admin	`ClusterRoleBinding`	DNS files and security keys: Create, read, update, and delete `DNSRegistration` custom resources (CR): Create, read, and update DNS services and resolver: Read and update	N/A	N/A
DNS Debugger	`ClusterRoleBinding`	Configmaps and secrets: Create, read, and delete DNS registrations: Create and read Services: Read and update Deployments and deployment logs: Read, patch, and update Pods: Create and read Pod logs: Read	N/A	N/A
DNS Monitor	`ClusterRoleBinding`	N/A	Configmaps, secrets, DNS Registration API, DNS services, DNS deployments: Read	N/A
DNS Suffix Viewer	`ClusterRoleBinding`	N/A	DNS suffix configmap: Read	N/A
Emergency SSH Creds Admin	`RoleBinding`	N/A	`EmergencySshCredentials:` Create, read, and patch	N/A
Grafana Debugger	`ProjectRoleBinding`	Apps, deployments, stateful sets, and pods: Read, update, delete, and patch	Apps, deployments, stateful sets, and pods:: Read, update, delete, and patch	N/A
Grafana Viewer	`RoleBinding`	`GrafanaSystem` and Grafana: Read and write	N/A	N/A
Hardware Admin	`ClusterRoleBinding`	Hardware-related CRD: Read and write	N/A	N/A
Kiali Admin	`RoleBinding`	N/A	`Istio authorization`: Read and write	N/A
KUB Monitor	`ClusterRoleBinding`	KUB resources: Read	N/A	N/A
Observability Admin	`RoleBinding`	`obs-system` namespace: Read Anthos audit logs forwarder and Anthos log forwarder: Update, patch, and delete	`obs-system` namespace: Read `audit-logs-loki`, `loki`, `cortex`, `anthos-audit-logs-forwarder`, `anthos-log-forwarder`: Update, patch, and delete	N/A
Observability Debugger	`OrganizationRoleBinding`	Deployments, stateful sets, daemon sets, secrets, configmaps: Read, create, delete, patch, and update Certificates: Read	N/A	N/A
Observability System Debugger	`OrganizationRoleBinding`	Deployments, stateful sets, daemon sets, secrets, configmaps: Read, create, delete, patch, and update Certificates: Read	N/A	N/A
Observability Viewer	`RoleBinding`	`obs-system` namespace: Read	`obs-system` namespace: Read	N/A
OCLCM Debugger	`ClusterRoleBinding`	`oclcm-debugger`: Components: Create and read Component rollouts and subcomponents: Read, patch, and update Subcomponent overrides: Create, read, update, and patch	`oclcm-debugger-root`: Components: Create and read Component rollouts and subcomponents: Read, patch, and update Subcomponent overrides: Create, read, update, and patch	N/A
OCLCM Viewer	`ClusterRoleBinding`	`oclcm-viewer`: Components, component rollouts, subcomponents, subcomponent overrides: Read	`oclcm-viewer-root`: Components, component rollouts, subcomponents, and subcomponent overrides: Read	N/A
Organization Admin	`ClusterRoleBinding`	Organization custom resources (CR): Read and write Organization upgrade and release metadata: Read	N/A	N/A
Organization System Artifact Management Admin	`RoleBinding`	Harbor projects: Admin, read, write, view, create, and delete Harbor user credentials: Read, create, and delete	N/A	N/A
PNET Debugger	`ClusterRoleBinding`	N/A	PNET deployments and deployment logs: Read, patch, and update Pods, pod logs, subnet claims, and switches: Read	N/A
PNET Monitor	`ClusterRoleBinding`	N/A	PNET deployments, deployment logs, pods, pod logs, subnet claims, and switches: Read	N/A
Policy Admin	`ClusterRoleBinding`	Constraints: Create, edit, and delete	N/A	N/A
Remote Logger Admin	`RoleBinding`	Deployments: Read, update, patch, and delete	Deployments: Read, update, patch, and delete	N/A
Remote Logger Viewer	`RoleBinding`	Deployments: Read	Deployments: Read	N/A
Root Cortex Alertmanager Editor	`RoleBinding`	N/A	Cortex Alertmanager, logging rules, and monitoring rules custom resources: Create, delete, read, patch, and update	N/A
Root Cortex Alertmanager Viewer	`RoleBinding`	N/A	Cortex Alertmanager, logging rules, and monitoring rules custom resources: Read	N/A
Root Cortex Prometheus Viewer	`RoleBinding`	N/A	Cortex system and Cortex Prometheus: Read	N/A
Root Session Admin	`RoleBinding`	N/A	Istio resource manager: Create, read, update, delete, and patch	N/A
Security Viewer	`ClusterRoleBinding`	`RoleBinding` and `ClusterRoleBinding`: Read `Role` and `ClusterRole`: Read GKE Identity Service custom resources (CR): Read	N/A	N/A
Service Now Admin	`RoleBinding`	`Dnsregistrations`, `Projectnetworkpolicies`, `Virtualservices`, `Envoyfilters`, `Destinationrules`, `Monitoringtargets`, `Monitoringrules`, and `Dashboards`: Read and write	N/A	N/A
Service Now Admin	`ProjectRoleBinding`	N/A	Services, configmaps, pod logs, and secrets: Read and write	N/A
System Artifact Management Admin	`RoleBinding`	`HarborProjects`: Admin, create, read, write, delete, and view	Harbor projects and user credentials: Create, delete, and read `HarborProjects`: Admin, read, write Distribute artifacts: Create, delete, update, and read `image-label-map` configmap: Create, delete, update, and read Servers, trust store configmaps: Read	N/A
System Artifact Management Secrets Admin	`RoleBinding`	N/A	In-cluster registry: Read Upgrade registry mirror: Create, read, update, and delete	N/A
System Artifact Registry Harbor Admin	`RoleBinding`	Harbor projects: Create, read, update, patch, and delete	Harbor projects: Create, read, update, patch, and delete	N/A
System Cluster Admin	`OrganizationRoleBinding`	N/A	System cluster: Create, delete, update, and read	N/A
System Artifact Registry Harbor Read	`RoleBinding`	N/A	Harbor projects: Read	N/A
System Artifact Registry Harbor ReadWrite	`RoleBinding`	N/A	Harbor projects: Create, read, and write	N/A
System Artifact Registry Debugger	`ClusterRoleBinding`	N/A>	Harbor clusters, secrets, distribution policies, manual distribution, and configmaps: Create, read, update, patch and delete PVCs, pods, and Harbor robot accounts: Create, read, and delete Release metadata, organizations, database clusters, Harbor projects, certificates, servers, and clusters: Read Database and CRDs: Read and delete Deployments: Read, update, patch, and delete Persistent volumes: Read, update, and patch	N/A
System Artifact Registry Monitor	`ClusterRoleBinding`	N/A	Harbor clusters, secrets, and CRDs: Read	N/A
System Cluster DNS Debugger	`OrganizationRoleBinding`	N/A	Deployments and deployment logs: Read Pods: Create and read	N/A
System Cluster Viewer	`OrganizationRoleBinding`	N/A	System cluster: Read and write	N/A
Transfer Appliance Request Admin	`ClusterRoleBinding`	`Transferappliancerequests`: Read and write	N/A	N/A
UNET CLI Org Admin Monitor	`ClusterRoleBinding`	Networking resources, secrets, configmaps, Cilium endpoints, VMs, VM runtimes, clusters, and namespaces: Read Pods: Read and create	N/A	N/A
UNET CLI Root Admin Monitor	`ClusterRoleBinding`	N/A	Networking resources, secrets, configmaps, Cilium endpoints, and namespaces: Read Pods: Read and create	N/A
UNET CLI System Monitor	`OrganizationRoleBinding`	N/A	Networking resources, secrets, configmaps, Cilium endpoints, VMs, VM runtimes, deployments, clusters, namespaces, CRDs: Read Pods: Read and create	N/A
UNET CLI User Monitor	`OrganizationRoleBinding`	N/A	Networking resources, secrets, configmaps, Cilium endpoints, virtual machines (VM), VM runtimes, deployments, clusters, namespaces, CRDs: Read Pods: Read and create	N/A
Upgrade Admin	`ClusterRoleBinding`	N/A	Harbor CA cert secret and OS upgrade: Read `ReleaseMetadata` and `UserClusterMetadata`: Create and read `Servers`, and `AuditLoggingTargets`: Read Add-on upgrade, Configmaps, root admin cluster, CRDs: Read, update, and patch	N/A
Upgrade Debugger	`OrganizationRoleBinding`	N/A	Upgrade resources: Create, read, update, delete, and patch Harbor projects: Harbor-admin	N/A
User Cluster DNS Debugger	`OrganizationRoleBinding`	N/A	Deployments, Deployment logs, Pods, Pod logs: Read Pods: Create	N/A

PA Persona, predefined identity and access roles

PA persona
Name	Kubernetes resource name	Initial admin	Level	Type
Organization IAM Admin	`organization-iam-admin`	True	Organization	`ClusterRole`
Bucket Admin	`bucket-admin`	False	Organization	`ClusterRole`
Bucket Object Admin	`bucket-object-admin`	False	Organization	`ClusterRole`
Bucket Object Viewer	`bucket-object-viewer`	False	Organization	`ClusterRole`
GDCH Restrict By Attributes Policy Admin	`gdchrestrictbyattributes-policy-admin`	False	Organization	`ClusterRole`
GDCH Restricted Service Policy Admin	`gdchrestrictedservice-policy-admin`	False	Organization	`ClusterRole`
IdP Federation Admin	`idp-federation-admin`	False	Organization	`Role`
Marketplace Service Editor	`marketplace-service-editor/code>`	False	Organization	`ClusterRole`
Org Session Admin	`org-session-admin`	False	Organization	`Role`
Organization Grafana Viewer	`organization-grafana-viewer`	False	Organization	`ClusterRole`
Organization IAM Viewer	`organization-iam-viewer`	False	Organization	`ClusterRole`
Organization DB Admin	`organization-db-admin`	False	Organization	`ClusterRole`
Organization Upgrade Admin	`organization-upgrade-admin`	False	Organization	`ClusterRole`
Organization Upgrade Viewer	`organization-upgrade-viewer`	False	Organization	`ClusterRole`
Project Creator	`project-creator`	False	Organization	`ClusterRole`
Project Editor	`project-editor`	False	Organization	`ClusterRole`
Transfer Appliance Request Creator	`transfer-appliance-request-creator`	False	Organization	`ClusterRole`
User Cluster Admin	`user-cluster-admin`	False	Organization	`ClusterRole`
User Cluster Backup Admin	`user-cluster-backup-admin`	False	Organization	`OrganizationRole`
User Cluster Developer	`user-cluster-developer`	False	Organization	`OrganizationRole`
User Node Viewer	`user-cluster-node-viewer`	False	Organization	`OrganizationRole`

PA persona, predefined identity, and access roles

PA persona
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
Organization IAM Admin	`ClusterRoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `OrganizationClusterRole`, `ProjectRoleBinding`, and `OrganizationClusterRoleBinding`: Create, read, update, and delete List project namespace	N/A	Project IAM Admin and all other PA roles
Bucket Admin	`ClusterRoleBinding`	Bucket and objects: Read and write	N/A	N/A
Bucket Object Admin	`ClusterRoleBinding`	Bucket: Read Objects: Read and write	N/A	N/A
Bucket Object Viewer	`ClusterRoleBinding`	Bucket and objects: Read	N/A	N/A
GDCH Restrict By Attributes Policy Admin	`ClusterRoleBinding`	GDCH restricted attributes policies: Create, edit, and delete	N/A	N/A
GDCH Restricted Service Policy Manager	`ClusterRoleBinding`	GDCH restricted service policies: Create, edit, and delete	N/A	N/A
IdP Federation Admin	`RoleBinding`	Identity provider configs and secrets: Create, read, update, patch, and delete	N/A	N/A
Marketplace Service Editor	`ClusterRoleBinding`	Marketplace services: Read, update, and delete Cluster information: Read	N/A	N/A
Org Session Admin	`RoleBinding`	Istio authorization resource: Create, read, update, and delete	N/A	N/A
Organization Grafana Viewer	`RoleBinding`	`GrafanaSystem` and Grafana: Read and write	N/A	N/A
Organization IAM Viewer	`ClusterRoleBinding`	Role-based access control (RBAC) objects: Read `OrganizationClusterRole` and `OrganizationClusterRoleBinding`: Read	N/A	N/A
Organization DB Admin	`ClusterRoleBinding`	Secrets, database versions, flags, maintenance policies, and software libraries: Read Backup plans and database clusters: Create, read, update, and delete Imports and restores: Create, read, and delete	N/A	N/A
Organization Upgrade Admin	`ClusterRoleBinding`	Maintenance windows: Get, list, watch, update, and patch	N/A	N/A
Organization Upgrade Viewer	`ClusterRoleBinding`	Maintenance windows: Get, list, and watch	N/A	N/A
Project Creator	`ClusterRoleBinding`	Project custom resources (CR): Read and create Fleet CR: Read and create Clusters: Read	N/A	N/A
Project Editor	`ClusterRoleBinding`	Project custom resources (CR): Read, delete, patch, update, and view Fleet CR: Read and delete Cluster CR: Read	N/A	N/A
Transfer Appliance Request Creator	`ClusterRoleBinding`	`TransferApplianceRequest` custom resource (CR): Read and create	N/A	N/A
User Cluster Admin	`ClusterRoleBinding`	`AddressPoolClaims`: Create, read, update, and delete `UserClusterUpgrade`: Read and write `UserClusterMetadata`, `ClusterBgpRouters`, `InventoryMachines`, and project custom resources (CR): Read `CidrClaims`: Create, read, update, and delete `Namespace`: Create and delete `ClusterCidrConfigs` and clusters: Create, read, update, patch, and delete `NodeUpgrades`: Read, create, patch, and update `HarborClusters`, `Projects`, `UserClusterUpgradeRequests`: Read	`Clusters` and `NodePoolClaims`: Read and write `NodePools`, `MachineClasses`, `VirtualMachineTypes`, and `ClusterInfos`: Read	N/A
User Cluster Backup Admin	`OrganizationRoleBinding`	N/A	Manual backup and restore requests, delete backup requests, restores, and backup repositories: Create, read, delete, update, and patch Backup and restore plans: Create, read, and delete Backups, volume backups, and volume restores: Read `ClusterInfo` and namespaces: Read	N/A
User Cluster Developer	`OrganizationRoleBinding`	N/A	Clusters: Read and write	N/A
User Cluster Node Viewer	`OrganizationRoleBinding`	N/A	Clusters: Read	N/A

AO Persona, predefined identity and access roles

AO persona
Name	Kubernetes resource name	Initial admin	Level	Type
Project IAM Admin	`project-iam-admin`	True	Project	`Role`
Artifact Management Admin	`artifact-management-admin`	False	Project	`Role`
Artifact Management Editor	`artifact-management-editor`	False	Project	`Role`
Dashboard Editor	`dashboard-editor`	False	Project	`Role`
Dashboard Viewer	`dashboard-viewer`	False	Project	`Role`
Harbor Instance Admin	`harbor-instance-admin`	False	Project	`Role`
Harbor Instance Viewer	`harbor-instance-viewer`	False	Project	`Role`
Kubernetes Network Policy Admin	`k8s-networkpolicy-admin`	False	Project	`ProjectRole`
Marketplace Editor	`marketplace-editor`	False	Project	`Role`
MonitoringRule Editor	`monitoringrule-editor`	False	Project	`Role`
MonitoringRule Viewer	`monitoringrule-viewer`	False	Project	`Role`
MonitoringTarget Editor	`monitoringtarget-editor`	False	Project	`Role`
MonitoringTarget Viewer	`monitoringtarget-viewer`	False	Project	`Role`
Namespace Admin	`namespace-admin`	False	Project	`ProjectRole`
ObservabilityPipeline Editor	`observabilitypipeline-editor`	False	Project	`Role`
ObservabilityPipeline Viewer	`observabilitypipeline-viewer`	False	Project	`Role`
Project Bucket Admin	`project-bucket-admin`	False	Project	`Role`
Project Bucket Object Admin	`project-bucket-object-admin`	False	Project	`Role`
Project Bucket Object Viewer	`project-bucket-object-viewer`	False	Project	`Role`
Project Cortex Alertmanager Viewer	`project-cortex-alertmanager-viewer`	False	Project	`Role`
Project Cortex Prometheus Viewer	`project-cortex-prometheus-viewer`	False	Project	`Role`
Project Grafana Viewer	`project-grafana-viewer`	False	Project	`Role`
Project Network Policy Admin	`project-networkpolicy-admin`	False	Project	`Role`
Project Viewer	`project-viewer`	False	Project	`Role`
Project VirtualMachine Admin	`project-vm-admin`	False	Project	`Role`
Project VirtualMachine Image Admin	`project-vm-image-admin`	False	Project	`Role`
Secret Admin	`secret-admin`	False	Project	`Role`
Secret Viewer	`secret-viewer`	False	Project	`Role`

AO persona, predefined identity, and access roles

AO persona
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
Project IAM Admin	`RoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `ProjectClusterRole`, `ProjectRoleBinding`, and `ProjectClusterRoleBinding`: Create, read, update, delete, and bind `ProjectServiceAccount`: Create, read, update, and delete List project namespace	N/A	All other AO roles
Artifact Management Admin	`RoleBinding`	`HarborProjects`: Admin, create, read, write, delete, and view	N/A	N/A
Artifact Management Editor	`RoleBinding`	`HarborProjects`: Read, write, and view	N/A	N/A
Dashboard Editor	`RoleBinding`	`Dashboard` custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	`RoleBinding`	`Dashboard`: Get and read	N/A	N/A
Harbor Instance Admin	`RoleBinding`	Harbor instances: Create, read, update, delete, and patch	N/A	N/A
Harbor Instance Viewer	`RoleBinding`	Harbor instances: Read	N/A	N/A
Kubernetes Network Policy Admin	`ProjectRoleBinding`	N/A	Kubernetes network policies: Read and write in the user cluster	N/A
Marketplace Editor	`RoleBinding`	N/A	Service instances: Create, update, and delete	N/A
MonitoringRule Editor	`RoleBinding`	`MonitoringRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	`RoleBinding`	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget Editor	`RoleBinding`	`MonitoringTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	`RoleBinding`	`MonitoringTarget` custom resources: Read	N/A	N/A
Namespace Admin	`ProjectRoleBinding`	N/A	All resources: Read and write access in the project namespace, excluding the system cluster	N/A
ObservabilityPipeline Editor	`RoleBinding`	`ObservabilityPipeline` resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	`RoleBinding`	`ObservabilityPipeline` resources: Get and read	N/A	N/A
Project Bucket Admin	`RoleBinding`	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	`RoleBinding`	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	`RoleBinding`	Bucket and objects: Read	N/A	N/A
Project Cortex Alertmanager Viewer	`RoleBinding`	Cortex system and Cortex Alertmanager: Read	N/A	N/A
Project Cortex Prometheus Viewer	`RoleBinding`	Cortex system and Cortex Prometheus: Read	N/A	N/A
Project Grafana Viewer	`RoleBinding`	Grafana system and Grafana: Read and write	N/A	N/A
Project Network Policy Admin	`RoleBinding`	Project network policies: Read and write in the project namespace	N/A	N/A
Project Viewer	`RoleBinding`	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	`RoleBinding`	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	`RoleBinding`	VM images: Read VM image imports: Read and write	N/A	N/A
Secret Admin	`RoleBinding`	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	`RoleBinding`	Kubernetes secrets: Read	N/A	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level	Type
AIS Monitor	`ais-monitor`	False	Organization	`Role`
AIS Debugger	`ais-debugger`	False	Organization	`Role`
DNS Key Manager	`dns-key-manager`	False	Organization	`Role`
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization	`Role`
IAM Debugger	`iam-debugger`	False	Organization	`Role` `ClusterRole`
IAM Monitor	`iam-monitor`	False	Organization	`Role` `ClusterRole`
Marketplace Service Viewer	`marketplace-service-viewer`	False	Project	`ClusterRole`
Marketplace Viewer	`marketplace-viewer`	False	Project	`ClusterRole`
Project Discovery Viewer	`projectdiscovery-viewer`	False	Project	`ClusterRole`
Public Image Viewer	`public-image-viewer`	False	Organization	`Role`
Virtual Machine Type Viewer	`virtualmachinetype-viewer`	False	Organization	`OrganizationRole`
VM Type Viewer	`vmtype-viewer`	False	Organization	`Role`

Common predefined identity and access roles

Common roles
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
AIS Monitor	`RoleBinding`	GKE Identity Service resources: Read	N/A	N/A
AIS Debugger	`RoleBinding`	GKE Identity Service resources: Create, read, update, delete, and patch	N/A	N/A
DNS Key Manager	`RoleBinding`	Secrets and configmaps: Create, read, update, delete, and patch	N/A	N/A
DNS Suffix Viewer	`ClusterRoleBinding`	DNS suffix config maps: Read	N/A	N/A
IAM Debugger	`RoleBinding`	`Role`: IAM resources in `iam-system` namespace: Create, read, update, delete, and patch `ClusterRole`: Identity provider configs, client configs, roles, cluster roles, organization roles, project roles, organization role bindings, project role bindings: Create, read, update, delete, and patch	N/A	N/A
IAM Monitor	`RoleBinding`	`Role`: IAM resources in `iam-system` namespace: Read `ClusterRole`: Identity provider configs, client configs, `IoAuthMethods`, cluster role templates, role templates, role templates, project role templates, organization role templates, role bindings, roles, cluster role bindings, cluster roles, organization roles, project roles, organization role bindings, project role bindings: Read	N/A	N/A
Marketplace Service Viewer	`ClusterRoleBinding`	Marketplace services: Read	N/A	N/A
Marketplace Viewer	`ClusterRoleBinding`	Service versions and service instances: Read	N/A	N/A
Project Discovery Viewer	`ClusterRoleBinding`	Projects: Read	N/A	N/A
Public Image Viewer	`RoleBinding`	VM images: Read	N/A	N/A
System Project VirtualMachine Admin	`RoleBinding`	VMs, VM disks, VM access requests, and VM external access: Create, get, read, update, delete, and patch VM backup templates, VM backup requests, VM restore requests, and VM delete backup requests: Create, read, and delete VM backup plans, VM restores: Get, read, and delete VM backups and VM images: Get and read VM restart: Update	N/A	N/A
Virtual Machine Type Viewer	`OrganizationRoleBinding`	N/A	VM types: Read	N/A
VM Type Viewer	`ClusterRoleBinding`	VM types: Read	N/A	N/A