Role definitions

The tables in this section describe the predefined roles and their permissions. Each table contains the following columns:

  • Name: The name of the role as displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
  • Level: Whether the role is scoped to the organization or to a project.
  • Type: The type of the role, for example Role, ProjectRole, ClusterRole, or ProjectClusterRole.
  • Binding type: The type of binding that you must apply to grant this role.
  • Admin or user cluster permissions: The permissions that the role has in admin or user clusters, for example read, write, read and write, or not applicable (N/A).
  • Escalates to: Whether the role escalates to other roles, and which ones.

Role types

Consider the following key differences between the role types when you assign roles:

  • ClusterRole is a Kubernetes RBAC role at the cluster scope in admin or user clusters.
  • Role is a Kubernetes RBAC role at the namespace scope in admin or user clusters.
  • ProjectRole is a custom resource (defined by a custom resource definition, CRD) that carries a permission set and is bound to user clusters and namespaces. A ProjectRole propagates to each user cluster as a Role there.
  • ProjectClusterRole is a custom resource (defined by a CRD) that carries a permission set and propagates to all user clusters as a ClusterRole there.
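The scope difference between the Kubernetes RBAC role types determines which binding type you apply. The following manifest is an added example, not part of the original page or of the product's own manifests. It binds two predefined roles taken from the tables on this page: organization-iam-viewer (Level: Organization, Type: ClusterRole, which takes a ClusterRoleBinding) and secret-viewer (Level: Project, Type: Role, which takes a namespaced RoleBinding). The subject names, binding names, and the project namespace are placeholders.

```yaml
# Added example (not from the page): one ClusterRoleBinding and one RoleBinding
# for predefined roles named on this page. Subjects, binding names and the
# namespace are placeholders that you replace with your own values.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-organization-iam-viewer     # placeholder binding name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: organization-iam-viewer             # Level: Organization, Type: ClusterRole
subjects:
  - kind: User
    name: auditor@example.com               # placeholder subject
    apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-secret-viewer               # placeholder binding name
  namespace: my-project                     # placeholder project namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-viewer                       # Level: Project, Type: Role
subjects:
  - kind: User
    name: developer@example.com             # placeholder subject
    apiGroup: rbac.authorization.k8s.io
```

Because a RoleBinding is namespaced, the second binding grants secret read access only in my-project; a ClusterRoleBinding to a ClusterRole grants its permissions across the whole cluster. After applying a binding you can confirm the effective scope with the standard kubectl check, for example `kubectl auth can-i get secrets --as developer@example.com -n my-project` followed by the same command in another namespace, which should return no. Roles whose Escalates to column is not N/A (Security Admin, Organization IAM Admin, and Project IAM Admin in the tables below) can grant every other role of their persona, so their bindings warrant the closest review.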

Predefined identity and access roles tables

The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:

IO persona, predefined identity and access roles

IO persona
| Name | Kubernetes resource name | Initial admin | Level | Type |
| --- | --- | --- | --- | --- |
| Security Admin | security-admin | True | Organization | ClusterRole |
| AIS Admin | ais-admin | False | Organization | Role |
| AIS Debugger | ais-debugger | False | Organization | Role |
| AIS Monitor | ais-monitor | False | Organization | Role |
| DNS Admin | dns-admin | False | Organization | ClusterRole |
| DNS Debugger | dns-debugger-root | False | Organization | ClusterRole |
| DNS Monitor | dns-monitor | False | Organization | ClusterRole |
| DNS Suffix Viewer | dnssuffix-viewer | False | Organization | ClusterRole |
| Emergency SSH Creds Admin | emergencysshcreds-admin | False | Organization | Role |
| Grafana Viewer | grafana-viewer | False | Organization | ClusterRole |
| Grafana Debugger | grafana-debugger | False | Project | ProjectRole |
| Hardware Admin | hardware-admin | False | Organization | ClusterRole |
| Kiali Admin | kiali-admin | False | Organization | ClusterRole |
| KUB Monitor | kub-monitor | False | Organization | ClusterRole |
| Observability Admin | observability-admin | False | Organization | Role |
| Observability Debugger | observability-debugger | False | Organization | OrganizationRole |
| Observability System Debugger | observability-system-debugger | False | Organization | OrganizationRole |
| Observability Viewer | observability-viewer | False | Organization | Role |
| OCLCM Debugger | oclcm-debugger-root | False | Organization | ClusterRole |
| OCLCM Viewer | oclcm-viewer-root | False | Organization | ClusterRole |
| Organization Admin | organization-admin | False | Organization | ClusterRole |
| Organization System Artifact Management Admin | organization-system-artifact-management-admin | False | Organization | Role |
| Organization System Artifact Management Debugger | organization-system-artifact-management-debugger | False | Organization | ClusterRole |
| PNET Debugger | pnet-debugger | False | Organization | ClusterRole |
| PNET Monitor | pnet-monitor | False | Organization | ClusterRole |
| Policy Admin | policy-admin | False | Organization | ClusterRole |
| Remote Logger Admin | remote-logger-admin | False | Organization | Role |
| Remote Logger Viewer | remote-logger-viewer | False | Organization | Role |
| Root Cortex Alertmanager Editor | root-cortex-alertmanager-editor | False | Organization | Role |
| Root Cortex Alertmanager Viewer | root-cortex-alertmanager-viewer | False | Organization | Role |
| Root Cortex Prometheus Viewer | root-cortex-prometheus-viewer | False | Organization | Role |
| Root Session Admin | root-session-admin | False | Organization | Role |
| Security Viewer | security-viewer | False | Organization | ClusterRole |
| Service Now Admin | service-now-admin | False | Project | Role |
| Service Now Admin | service-now-admin | False | Project | ProjectRole |
| System Artifact Management Admin | system-artifact-management-admin | False | Organization | Role |
| System Artifact Management Secrets Admin | system-artifact-management-secrets-admin | False | Organization | Role |
| System Artifact Registry Harbor Admin | sar-harbor-admin | False | Organization | Role |
| System Artifact Registry Harbor Read | sar-harbor-read | False | Organization | Role |
| System Artifact Registry Harbor ReadWrite | sar-harbor-readwrite | False | Organization | Role |
| System Artifact Registry Debugger | sar-debugger-root | False | Organization | ClusterRole |
| System Artifact Registry Monitor | sar-monitor-root | False | Organization | ClusterRole |
| System Cluster Admin | system-cluster-admin | False | Organization | OrganizationRole |
| System Cluster DNS Debugger | system-cluster-dns-debugger | False | Organization | OrganizationRole |
| System Cluster Viewer | system-cluster-viewer | False | Organization | OrganizationRole |
| System Project VirtualMachine Admin | system-project-vm-admin | False | Role | Role |
| Transfer Appliance Request Admin | transfer-appliance-request-admin | False | Organization | ClusterRole |
| UNET CLI Org Admin Monitor | unet-cli-org-admin-monitor | False | Organization | ClusterRole |
| UNET CLI Root Admin Monitor | unet-cli-root-admin-monitor | False | Organization | ClusterRole |
| UNET CLI System Monitor | unet-cli-system-monitor | False | Organization | OrganizationRole |
| UNET CLI User Monitor | unet-cli-user-monitor | False | Organization | OrganizationRole |
| Upgrade Admin | upgrade-admin | False | Organization | ClusterRole |
| Upgrade Debugger | upgrade-debugger | False | Organization | OrganizationRole |
| User Cluster DNS Debugger | user-cluster-dns-debugger | False | Organization | OrganizationRole |

IO persona, predefined identity and access roles

IO persona
| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
| --- | --- | --- | --- | --- |
| Security Admin | ClusterRoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, OrganizationClusterRole, ProjectRoleBinding, and OrganizationRoleBinding: Create, read, update, and delete; GKE Identity Service custom resources (CR): Read and write | N/A | Org IAM Admin and all other IO roles |
| AIS Admin | RoleBinding | GKE Identity Service pods and deployments: Read and write; AIS encryption secret: Delete | N/A | N/A |
| AIS Debugger | RoleBinding | AIS resources: Create, read, update, delete, and patch | N/A | N/A |
| AIS Monitor | RoleBinding | AIS resources in iam-system namespace: Read and write | N/A | N/A |
| DNS Admin | ClusterRoleBinding | DNS files and security keys: Create, read, update, and delete; DNSRegistration custom resources (CR): Create, read, and update; DNS services and resolver: Read and update | N/A | N/A |
| DNS Debugger | ClusterRoleBinding | Configmaps and secrets: Create, read, and delete; DNS registrations: Create and read; Services: Read and update; Deployments and deployment logs: Read, patch, and update; Pods: Create and read; Pod logs: Read | N/A | N/A |
| DNS Monitor | ClusterRoleBinding | N/A | Configmaps, secrets, DNS Registration API, DNS services, and DNS deployments: Read | N/A |
| DNS Suffix Viewer | ClusterRoleBinding | N/A | DNS suffix configmap: Read | N/A |
| Emergency SSH Creds Admin | RoleBinding | N/A | EmergencySshCredentials: Create, read, and patch | N/A |
| Grafana Debugger | ProjectRoleBinding | Apps, deployments, stateful sets, and pods: Read, update, delete, and patch | Apps, deployments, stateful sets, and pods: Read, update, delete, and patch | N/A |
| Grafana Viewer | RoleBinding | GrafanaSystem and Grafana: Read and write | N/A | N/A |
| Hardware Admin | ClusterRoleBinding | Hardware-related CRD: Read and write | N/A | N/A |
| Kiali Admin | RoleBinding | N/A | Istio authorization: Read and write | N/A |
| KUB Monitor | ClusterRoleBinding | KUB resources: Read | N/A | N/A |
| Observability Admin | RoleBinding | obs-system namespace: Read; Anthos audit logs forwarder and Anthos log forwarder: Update, patch, and delete | obs-system namespace: Read; audit-logs-loki, loki, cortex, anthos-audit-logs-forwarder, and anthos-log-forwarder: Update, patch, and delete | N/A |
| Observability Debugger | OrganizationRoleBinding | Deployments, stateful sets, daemon sets, secrets, and configmaps: Read, create, delete, patch, and update; Certificates: Read | N/A | N/A |
| Observability System Debugger | OrganizationRoleBinding | Deployments, stateful sets, daemon sets, secrets, and configmaps: Read, create, delete, patch, and update; Certificates: Read | N/A | N/A |
| Observability Viewer | RoleBinding | obs-system namespace: Read | obs-system namespace: Read | N/A |
| OCLCM Debugger | ClusterRoleBinding | oclcm-debugger: Components: Create and read; Component rollouts and subcomponents: Read, patch, and update; Subcomponent overrides: Create, read, update, and patch | oclcm-debugger-root: Components: Create and read; Component rollouts and subcomponents: Read, patch, and update; Subcomponent overrides: Create, read, update, and patch | N/A |
| OCLCM Viewer | ClusterRoleBinding | oclcm-viewer: Components, component rollouts, subcomponents, and subcomponent overrides: Read | oclcm-viewer-root: Components, component rollouts, subcomponents, and subcomponent overrides: Read | N/A |
| Organization Admin | ClusterRoleBinding | Organization custom resources (CR): Read and write; Organization upgrade and release metadata: Read | N/A | N/A |
| Organization System Artifact Management Admin | RoleBinding | Harbor projects: Admin, read, write, view, create, and delete; Harbor user credentials: Read, create, and delete | N/A | N/A |
| PNET Debugger | ClusterRoleBinding | N/A | PNET deployments and deployment logs: Read, patch, and update; Pods, pod logs, subnet claims, and switches: Read | N/A |
| PNET Monitor | ClusterRoleBinding | N/A | PNET deployments, deployment logs, pods, pod logs, subnet claims, and switches: Read | N/A |
| Policy Admin | ClusterRoleBinding | Constraints: Create, edit, and delete | N/A | N/A |
| Remote Logger Admin | RoleBinding | Deployments: Read, update, patch, and delete | Deployments: Read, update, patch, and delete | N/A |
| Remote Logger Viewer | RoleBinding | Deployments: Read | Deployments: Read | N/A |
| Root Cortex Alertmanager Editor | RoleBinding | N/A | Cortex Alertmanager, logging rules, and monitoring rules custom resources: Create, delete, read, patch, and update | N/A |
| Root Cortex Alertmanager Viewer | RoleBinding | N/A | Cortex Alertmanager, logging rules, and monitoring rules custom resources: Read | N/A |
| Root Cortex Prometheus Viewer | RoleBinding | N/A | Cortex system and Cortex Prometheus: Read | N/A |
| Root Session Admin | RoleBinding | N/A | Istio resource manager: Create, read, update, delete, and patch | N/A |
| Security Viewer | ClusterRoleBinding | RoleBinding and ClusterRoleBinding: Read; Role and ClusterRole: Read; GKE Identity Service custom resources (CR): Read | N/A | N/A |
| Service Now Admin | RoleBinding | Dnsregistrations, Projectnetworkpolicies, Virtualservices, Envoyfilters, Destinationrules, Monitoringtargets, Monitoringrules, and Dashboards: Read and write | N/A | N/A |
| Service Now Admin | ProjectRoleBinding | N/A | Services, configmaps, pod logs, and secrets: Read and write | N/A |
| System Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | Harbor projects and user credentials: Create, delete, and read; HarborProjects: Admin, read, and write; Distribute artifacts: Create, delete, update, and read; image-label-map configmap: Create, delete, update, and read; Servers and trust store configmaps: Read | N/A |
| System Artifact Management Secrets Admin | RoleBinding | N/A | In-cluster registry: Read; Upgrade registry mirror: Create, read, update, and delete | N/A |
| System Artifact Registry Harbor Admin | RoleBinding | Harbor projects: Create, read, update, patch, and delete | Harbor projects: Create, read, update, patch, and delete | N/A |
| System Cluster Admin | OrganizationRoleBinding | N/A | System cluster: Create, delete, update, and read | N/A |
| System Artifact Registry Harbor Read | RoleBinding | N/A | Harbor projects: Read | N/A |
| System Artifact Registry Harbor ReadWrite | RoleBinding | N/A | Harbor projects: Create, read, and write | N/A |
| System Artifact Registry Debugger | ClusterRoleBinding | N/A | Harbor clusters, secrets, distribution policies, manual distribution, and configmaps: Create, read, update, patch, and delete; PVCs, pods, and Harbor robot accounts: Create, read, and delete; Release metadata, organizations, database clusters, Harbor projects, certificates, servers, and clusters: Read; Database and CRDs: Read and delete; Deployments: Read, update, patch, and delete; Persistent volumes: Read, update, and patch | N/A |
| System Artifact Registry Monitor | ClusterRoleBinding | N/A | Harbor clusters, secrets, and CRDs: Read | N/A |
| System Cluster DNS Debugger | OrganizationRoleBinding | N/A | Deployments and deployment logs: Read; Pods: Create and read | N/A |
| System Cluster Viewer | OrganizationRoleBinding | N/A | System cluster: Read and write | N/A |
| Transfer Appliance Request Admin | ClusterRoleBinding | Transferappliancerequests: Read and write | N/A | N/A |
| UNET CLI Org Admin Monitor | ClusterRoleBinding | Networking resources, secrets, configmaps, Cilium endpoints, VMs, VM runtimes, clusters, and namespaces: Read; Pods: Read and create | N/A | N/A |
| UNET CLI Root Admin Monitor | ClusterRoleBinding | N/A | Networking resources, secrets, configmaps, Cilium endpoints, and namespaces: Read; Pods: Read and create | N/A |
| UNET CLI System Monitor | OrganizationRoleBinding | N/A | Networking resources, secrets, configmaps, Cilium endpoints, VMs, VM runtimes, deployments, clusters, namespaces, and CRDs: Read; Pods: Read and create | N/A |
| UNET CLI User Monitor | OrganizationRoleBinding | N/A | Networking resources, secrets, configmaps, Cilium endpoints, virtual machines (VM), VM runtimes, deployments, clusters, namespaces, and CRDs: Read; Pods: Read and create | N/A |
| Upgrade Admin | ClusterRoleBinding | N/A | Harbor CA cert secret and OS upgrade: Read; ReleaseMetadata and UserClusterMetadata: Create and read; Servers and AuditLoggingTargets: Read; Add-on upgrade, configmaps, root admin cluster, and CRDs: Read, update, and patch | N/A |
| Upgrade Debugger | OrganizationRoleBinding | N/A | Upgrade resources: Create, read, update, delete, and patch; Harbor projects: Harbor-admin | N/A |
| User Cluster DNS Debugger | OrganizationRoleBinding | N/A | Deployments, deployment logs, pods, and pod logs: Read; Pods: Create | N/A |

PA persona, predefined identity and access roles

PA persona
| Name | Kubernetes resource name | Initial admin | Level | Type |
| --- | --- | --- | --- | --- |
| Organization IAM Admin | organization-iam-admin | True | Organization | ClusterRole |
| Bucket Admin | bucket-admin | False | Organization | ClusterRole |
| Bucket Object Admin | bucket-object-admin | False | Organization | ClusterRole |
| Bucket Object Viewer | bucket-object-viewer | False | Organization | ClusterRole |
| GDCH Restrict By Attributes Policy Admin | gdchrestrictbyattributes-policy-admin | False | Organization | ClusterRole |
| GDCH Restricted Service Policy Admin | gdchrestrictedservice-policy-admin | False | Organization | ClusterRole |
| IdP Federation Admin | idp-federation-admin | False | Organization | Role |
| Marketplace Service Editor | marketplace-service-editor | False | Organization | ClusterRole |
| Org Session Admin | org-session-admin | False | Organization | Role |
| Organization Grafana Viewer | organization-grafana-viewer | False | Organization | ClusterRole |
| Organization IAM Viewer | organization-iam-viewer | False | Organization | ClusterRole |
| Organization DB Admin | organization-db-admin | False | Organization | ClusterRole |
| Organization Upgrade Admin | organization-upgrade-admin | False | Organization | ClusterRole |
| Organization Upgrade Viewer | organization-upgrade-viewer | False | Organization | ClusterRole |
| Project Creator | project-creator | False | Organization | ClusterRole |
| Project Editor | project-editor | False | Organization | ClusterRole |
| Transfer Appliance Request Creator | transfer-appliance-request-creator | False | Organization | ClusterRole |
| User Cluster Admin | user-cluster-admin | False | Organization | ClusterRole |
| User Cluster Backup Admin | user-cluster-backup-admin | False | Organization | OrganizationRole |
| User Cluster Developer | user-cluster-developer | False | Organization | OrganizationRole |
| User Node Viewer | user-cluster-node-viewer | False | Organization | OrganizationRole |

PA persona, predefined identity and access roles

PA persona
| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
| --- | --- | --- | --- | --- |
| Organization IAM Admin | ClusterRoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, OrganizationClusterRole, ProjectRoleBinding, and OrganizationClusterRoleBinding: Create, read, update, and delete; List project namespace | N/A | Project IAM Admin and all other PA roles |
| Bucket Admin | ClusterRoleBinding | Bucket and objects: Read and write | N/A | N/A |
| Bucket Object Admin | ClusterRoleBinding | Bucket: Read; Objects: Read and write | N/A | N/A |
| Bucket Object Viewer | ClusterRoleBinding | Bucket and objects: Read | N/A | N/A |
| GDCH Restrict By Attributes Policy Admin | ClusterRoleBinding | GDCH restricted attributes policies: Create, edit, and delete | N/A | N/A |
| GDCH Restricted Service Policy Manager | ClusterRoleBinding | GDCH restricted service policies: Create, edit, and delete | N/A | N/A |
| IdP Federation Admin | RoleBinding | Identity provider configs and secrets: Create, read, update, patch, and delete | N/A | N/A |
| Marketplace Service Editor | ClusterRoleBinding | Marketplace services: Read, update, and delete; Cluster information: Read | N/A | N/A |
| Org Session Admin | RoleBinding | Istio authorization resource: Create, read, update, and delete | N/A | N/A |
| Organization Grafana Viewer | RoleBinding | GrafanaSystem and Grafana: Read and write | N/A | N/A |
| Organization IAM Viewer | ClusterRoleBinding | Role-based access control (RBAC) objects: Read; OrganizationClusterRole and OrganizationClusterRoleBinding: Read | N/A | N/A |
| Organization DB Admin | ClusterRoleBinding | Secrets, database versions, flags, maintenance policies, and software libraries: Read; Backup plans and database clusters: Create, read, update, and delete; Imports and restores: Create, read, and delete | N/A | N/A |
| Organization Upgrade Admin | ClusterRoleBinding | Maintenance windows: Get, list, watch, update, and patch | N/A | N/A |
| Organization Upgrade Viewer | ClusterRoleBinding | Maintenance windows: Get, list, and watch | N/A | N/A |
| Project Creator | ClusterRoleBinding | Project custom resources (CR): Read and create; Fleet CR: Read and create; Clusters: Read | N/A | N/A |
| Project Editor | ClusterRoleBinding | Project custom resources (CR): Read, delete, patch, update, and view; Fleet CR: Read and delete; Cluster CR: Read | N/A | N/A |
| Transfer Appliance Request Creator | ClusterRoleBinding | TransferApplianceRequest custom resource (CR): Read and create | N/A | N/A |
| User Cluster Admin | ClusterRoleBinding | AddressPoolClaims: Create, read, update, and delete; UserClusterUpgrade: Read and write; UserClusterMetadata, ClusterBgpRouters, InventoryMachines, and project custom resources (CR): Read; CidrClaims: Create, read, update, and delete; Namespace: Create and delete; ClusterCidrConfigs and clusters: Create, read, update, patch, and delete; NodeUpgrades: Read, create, patch, and update; HarborClusters, Projects, and UserClusterUpgradeRequests: Read; Clusters and NodePoolClaims: Read and write; NodePools, MachineClasses, VirtualMachineTypes, and ClusterInfos: Read | | N/A |
| User Cluster Backup Admin | OrganizationRoleBinding | N/A | Manual backup and restore requests, delete backup requests, restores, and backup repositories: Create, read, delete, update, and patch; Backup and restore plans: Create, read, and delete; Backups, volume backups, and volume restores: Read; ClusterInfo and namespaces: Read | N/A |
| User Cluster Developer | OrganizationRoleBinding | N/A | Clusters: Read and write | N/A |
| User Cluster Node Viewer | OrganizationRoleBinding | N/A | Clusters: Read | N/A |

AO persona, predefined identity and access roles

AO persona
| Name | Kubernetes resource name | Initial admin | Level | Type |
| --- | --- | --- | --- | --- |
| Project IAM Admin | project-iam-admin | True | Project | Role |
| Artifact Management Admin | artifact-management-admin | False | Project | Role |
| Artifact Management Editor | artifact-management-editor | False | Project | Role |
| Dashboard Editor | dashboard-editor | False | Project | Role |
| Dashboard Viewer | dashboard-viewer | False | Project | Role |
| Harbor Instance Admin | harbor-instance-admin | False | Project | Role |
| Harbor Instance Viewer | harbor-instance-viewer | False | Project | Role |
| Kubernetes Network Policy Admin | k8s-networkpolicy-admin | False | Project | ProjectRole |
| Marketplace Editor | marketplace-editor | False | Project | Role |
| MonitoringRule Editor | monitoringrule-editor | False | Project | Role |
| MonitoringRule Viewer | monitoringrule-viewer | False | Project | Role |
| MonitoringTarget Editor | monitoringtarget-editor | False | Project | Role |
| MonitoringTarget Viewer | monitoringtarget-viewer | False | Project | Role |
| Namespace Admin | namespace-admin | False | Project | ProjectRole |
| ObservabilityPipeline Editor | observabilitypipeline-editor | False | Project | Role |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer | False | Project | Role |
| Project Bucket Admin | project-bucket-admin | False | Project | Role |
| Project Bucket Object Admin | project-bucket-object-admin | False | Project | Role |
| Project Bucket Object Viewer | project-bucket-object-viewer | False | Project | Role |
| Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer | False | Project | Role |
| Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer | False | Project | Role |
| Project Grafana Viewer | project-grafana-viewer | False | Project | Role |
| Project Network Policy Admin | project-networkpolicy-admin | False | Project | Role |
| Project Viewer | project-viewer | False | Project | Role |
| Project VirtualMachine Admin | project-vm-admin | False | Project | Role |
| Project VirtualMachine Image Admin | project-vm-image-admin | False | Project | Role |
| Secret Admin | secret-admin | False | Project | Role |
| Secret Viewer | secret-viewer | False | Project | Role |

AO persona, predefined identity and access roles

AO persona
| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
| --- | --- | --- | --- | --- |
| Project IAM Admin | RoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind; ProjectServiceAccount: Create, read, update, and delete; List project namespace | N/A | All other AO roles |
| Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | N/A | N/A |
| Artifact Management Editor | RoleBinding | HarborProjects: Read, write, and view | N/A | N/A |
| Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | RoleBinding | Dashboard: Get and read | N/A | N/A |
| Harbor Instance Admin | RoleBinding | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | RoleBinding | Harbor instances: Read | N/A | N/A |
| Kubernetes Network Policy Admin | ProjectRoleBinding | N/A | Kubernetes network policies: Read and write in the user cluster | N/A |
| Marketplace Editor | RoleBinding | N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | ProjectRoleBinding | N/A | All resources: Read and write access in the project namespace, excluding the system cluster | N/A |
| ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | RoleBinding | Bucket: Read; Objects: Read and write | N/A | N/A |
| Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A |
| Project Cortex Alertmanager Viewer | RoleBinding | Cortex system and Cortex Alertmanager: Read | N/A | N/A |
| Project Cortex Prometheus Viewer | RoleBinding | Cortex system and Cortex Prometheus: Read | N/A | N/A |
| Project Grafana Viewer | RoleBinding | Grafana system and Grafana: Read and write | N/A | N/A |
| Project Network Policy Admin | RoleBinding | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | RoleBinding | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete; Virtual machine restart: Put; Virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A |
| Project VirtualMachine Image Admin | RoleBinding | VM images: Read; VM image imports: Read and write | N/A | N/A |
| Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A |

Common predefined identity and access roles

Common roles
| Name | Kubernetes resource name | Initial admin | Level | Type |
| --- | --- | --- | --- | --- |
| AIS Monitor | ais-monitor | False | Organization | Role |
| AIS Debugger | ais-debugger | False | Organization | Role |
| DNS Key Manager | dns-key-manager | False | Organization | Role |
| DNS Suffix Viewer | dnssuffix-viewer | False | Organization | Role |
| IAM Debugger | iam-debugger | False | Organization | Role and ClusterRole |
| IAM Monitor | iam-monitor | False | Organization | Role and ClusterRole |
| Marketplace Service Viewer | marketplace-service-viewer | False | Project | ClusterRole |
| Marketplace Viewer | marketplace-viewer | False | Project | ClusterRole |
| Project Discovery Viewer | projectdiscovery-viewer | False | Project | ClusterRole |
| Public Image Viewer | public-image-viewer | False | Organization | Role |
| Virtual Machine Type Viewer | virtualmachinetype-viewer | False | Organization | OrganizationRole |
| VM Type Viewer | vmtype-viewer | False | Organization | Role |

Common predefined identity and access roles

Common roles
| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
| --- | --- | --- | --- | --- |
| AIS Monitor | RoleBinding | GKE Identity Service resources: Read | N/A | N/A |
| AIS Debugger | RoleBinding | GKE Identity Service resources: Create, read, update, delete, and patch | N/A | N/A |
| DNS Key Manager | RoleBinding | Secrets and configmaps: Create, read, update, delete, and patch | N/A | N/A |
| DNS Suffix Viewer | ClusterRoleBinding | DNS suffix config maps: Read | N/A | N/A |
| IAM Debugger | RoleBinding | Role: IAM resources in iam-system namespace: Create, read, update, delete, and patch. ClusterRole: Identity provider configs, client configs, roles, cluster roles, organization roles, project roles, organization role bindings, and project role bindings: Create, read, update, delete, and patch | N/A | N/A |
| IAM Monitor | RoleBinding | Role: IAM resources in iam-system namespace: Read. ClusterRole: Identity provider configs, client configs, IoAuthMethods, cluster role templates, role templates, project role templates, organization role templates, role bindings, roles, cluster role bindings, cluster roles, organization roles, project roles, organization role bindings, and project role bindings: Read | N/A | N/A |
| Marketplace Service Viewer | ClusterRoleBinding | Marketplace services: Read | N/A | N/A |
| Marketplace Viewer | ClusterRoleBinding | Service versions and service instances: Read | N/A | N/A |
| Project Discovery Viewer | ClusterRoleBinding | Projects: Read | N/A | N/A |
| Public Image Viewer | RoleBinding | VM images: Read | N/A | N/A |
| System Project VirtualMachine Admin | RoleBinding | VMs, VM disks, VM access requests, and VM external access: Create, get, read, update, delete, and patch; VM backup templates, VM backup requests, VM restore requests, and VM delete backup requests: Create, read, and delete; VM backup plans and VM restores: Get, read, and delete; VM backups and VM images: Get and read; VM restart: Update | N/A | N/A |
| Virtual Machine Type Viewer | OrganizationRoleBinding | N/A | VM types: Read | N/A |
| VM Type Viewer | ClusterRoleBinding | VM types: Read | N/A | N/A |