Role definitions

Role types

Consider the following key differences between the different role types when you assign roles:

  • ClusterRole: a Kubernetes RBAC role at the cluster scope in admin or user clusters.
  • Role: a Kubernetes RBAC role at the namespace scope in admin or user clusters.
  • ProjectRole: a custom resource definition (CRD) with permission defined and is bound to user clusters and namespaces. Project roles propagate to user clusters as a Role.
  • ProjectClusterRole: a CRD with permission defined, that propagates to all user clusters as a ClusterRole there.

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of a role displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
  • Level: The specification of whether this role is scoped by the organization or a project.
  • Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or OrganizationRole.
  • Binding type: The type of binding that you must apply to this role.
  • Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
  • Escalates to: The specification of whether this role escalates to other roles or not.

Predefined identity and access roles tables for PA and AO

The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:

PA Persona, predefined identity and access roles

PA persona
Name Kubernetes resource name Initial admin Level Type
Organization IAM Admin organization-iam-admin True Organization ClusterRole
AI Platform Admin ai-platform-admin False Organization ClusterRole
Backup Repository Admin backup-repository-admin False Organization ClusterRole
Billing Viewer billing-viewer False Organization ClusterRole
Bucket Admin bucket-admin False Organization ClusterRole
Bucket Object Admin bucket-object-admin False Organization ClusterRole
Bucket Object Viewer bucket-object-viewer False Organization ClusterRole
DR Backup Admin dr-backup-admin False Organization ClusterRole
DR System Admin dr-system-admin False Organization Role
Flow Log Admin flowlog-admin False Organization ClusterRole
Flow Log Viewer flowlog-viewer False Organization ClusterRole
GDCH Restrict By Attributes Policy Admin gdchrestrictbyattributes-policy-admin False Organization ClusterRole
GDCH Restricted Service Policy Admin gdchrestrictedservice-policy-admin False Organization ClusterRole
IdP Federation Admin idp-federation-admin False Organization Role
KMS Rotation Job Admin kms-rotationjob-admin False Organization ClusterRole
Log Querier log-query-api-querier False Project Role
Marketplace Service Editor marketplace-service-editor False Organization ClusterRole
Org Network Policy Admin org-network-policy-admin False Organization Role
Organization Backup Admin organization-backup-admin False Organization ClusterRole
Organization IAM Viewer organization-iam-viewer False Organization ClusterRole
Organization DB Admin organization-db-admin False Organization ClusterRole
Organization Upgrade Admin organization-upgrade-admin False Organization ClusterRole
Organization Upgrade Viewer organization-upgrade-viewer False Organization ClusterRole
Project Creator project-creator False Organization ClusterRole
Project Editor project-editor False Organization ClusterRole
SIEM Export Org Creator siemexport-org-creator False Project Role
SIEM Export Org Editor siemexport-org-editor False Project Role
SIEM Export Org Viewer siemexport-org-viewer False Project Role
System Cluster Backup Repository Admin system-cluster-backup-repository-admin False Organization OrganizationRole
Transfer Appliance Request Creator transfer-appliance-request-creator False Organization ClusterRole
User Cluster Admin user-cluster-admin False Organization ClusterRole
User Cluster Backup Admin user-cluster-backup-admin False Organization OrganizationRole
User Cluster Developer user-cluster-developer False Organization OrganizationRole
User Cluster Node Viewer user-node-viewer False Organization OrganizationRole

PA persona
Name Binding type Org admin cluster permissions User cluster permissions Escalates to
Organization IAM Admin

  • RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, OrganizationClusterRole, ProjectRoleBinding, and OrganizationClusterRoleBinding: Create, read, update, and delete
  • List project namespace
N/A Project IAM Admin and all other PA roles
AI Platform Admin RoleBinding AI platform user interface (UI): Read and write N/A N/A
Backup Repository Admin ClusterRoleBinding
  • Backup repositories: Create, read, and delete
  • Cluster information: Read
Billing Viewer ClusterRoleBinding SKU descriptions, machine inventory, fleets, invoices, and configs: Read N/A N/A
Bucket Admin ClusterRoleBinding Bucket and objects: Read and write N/A N/A
Bucket Object Admin ClusterRoleBinding
  • Bucket: Read
  • Objects: Read and write
Bucket Object Viewer ClusterRoleBinding Bucket and objects: Read N/A N/A
DR Backup Admin ClusterRoleBinding
  • BackupRepositories and BackupPlans resources: Read, create, patch, and delete
  • Backups, ManualBackupRequests, and ServiceEntries resources: Read
DR System Admin RoleBinding Secrets, buckets, roles, rolebindings, and service accounts: Read and write N/A N/A
Flow Log Admin ClusterRoleBinding Flow log resources: Read and write N/A N/A
Flow Log Viewer ClusterRoleBinding Flow log resources: Read N/A N/A
GDCH Restrict By Attributes Policy Admin ClusterRoleBinding GDCH restricted attributes policies: Create, edit, and delete N/A N/A
GDCH Restricted Service Policy Admin ClusterRoleBinding GDCH restricted service policies: Create, edit, and delete N/A N/A
IdP Federation Admin RoleBinding Identity provider configs and secrets: Create, read, update, patch, and delete N/A N/A
KMS Rotation Job Admin ClusterRoleBinding RotationJob resources: Create, read, update, patch, and delete N/A N/A
Log Querier RoleBinding Log Query API project logs: Read N/A N/A
Marketplace Service Editor ClusterRoleBinding
  • Marketplace services: Read, update, and delete
  • Cluster information: Read
Org Network Policy Admin RoleBinding OrganizationNetworkPolicy in platform namespace: Create, read, update, and delete N/A N/A
Organization Backup Admin ClusterRoleBinding
  • BackupRepositoryManagers, backup plans, manual backup requests, delete backup requests, backup repositories, VM backup templates, VM backup requests, VM restore requests, and VM delete backup requests: Create, read, and delete
  • Secrets: Create
  • Volume backups and cluster infos: Read
  • VM backup plans, VM backups, VM restores: Read and delete
Organization IAM Viewer
  • Role-based access control (RBAC) objects: Read
  • OrganizationClusterRole and OrganizationClusterRoleBinding: Read
Organization DB Admin ClusterRoleBinding
  • Secrets, database versions, flags, maintenance policies, software libraries, database project properties: Read
  • Backup plans and database clusters: Create, read, update, and delete
  • Imports, restores, and failovers: Create, read, and delete
  • Migrations and external servers: Create, read, update, delete, and patch
Organization Upgrade Admin ClusterRoleBinding Maintenance windows: Get, list, watch, update, and patch N/A N/A
Organization Upgrade Viewer ClusterRoleBinding Maintenance windows: Get, list, and watch N/A N/A
Project Creator ClusterRoleBinding
  • Project custom resources (CR): Read and create
  • Fleet CR: Read and create
  • Clusters: Read
  • ATAT portfolio secret: Read, view, and update
Project Editor ClusterRoleBinding
  • Project custom resources (CR): Read, delete, patch, update, and view
  • Fleet CR: Read and delete
  • Cluster CR: Read
SIEM Export Org Creator RoleBinding SIEMOrgForwarder custom resources and secrets: Get, create, and read N/A N/A
SIEM Export Org Editor RoleBinding SIEMOrgForwarder custom resources and secrets: Get, read, update, delete, and patch N/A N/A
SIEM Export Org Viewer RoleBinding SIEMOrgForwarder custom resources and secrets: Read N/A N/A
System Cluster Backup Repository Admin OrganizationRoleBinding Backup repositories: Get, read, create, and delete N/A N/A
Transfer Appliance Request Creator ClusterRoleBinding TransferApplianceRequest custom resource (CR): Read and create N/A N/A
User Cluster Admin ClusterRoleBinding
  • AddressPoolClaims: Create, read, update, and delete
  • UserClusterUpgrade: Read and write
  • UserClusterMetadata, ClusterBgpRouters, InventoryMachines, and project custom resources (CR): Read
  • CidrClaims: Create, read, update, and delete
  • Namespace: Create and delete
  • ClusterCidrConfigs and clusters: Create, read, update, patch, and delete
  • NodeUpgrades: Create, read, patch, and update
  • Clusters and NodePoolClaims: Read and write
  • NodePools, MachineClasses, VirtualMachineTypes, and ClusterInfos: Read
User Cluster Backup Admin OrganizationRoleBinding N/A
  • Backup and restore plans, manual backup and restore requests, delete backup requests, restores, and backup repositories: Create, read, delete, update, and patch
  • Backups, volume backups, and volume restores: Read
  • ClusterInfo and namespaces: Read
User Cluster Developer OrganizationRoleBinding N/A Clusters: Read and write N/A
User Cluster Node Viewer OrganizationRoleBinding N/A Clusters: Read N/A

AO Persona, predefined identity and access roles

AO persona
Name Kubernetes resource name Initial admin Level Type
Project IAM Admin project-iam-admin True Project Role
AI OCR Developer ai-ocr-developer False Project Role
AI Platform Viewer ai-platform-viewer False Project Role
AI Speech Developer ai-speech-developer False Project Role
AI Translation Developer ai-translation-developer False Project Role
Artifact Management Admin artifact-management-admin False Project Role
Artifact Management Editor artifact-management-editor False Project Role
Backup Creator backup-creator False Project ProjectRole
Dashboard Editor dashboard-editor False Project Role
Dashboard Viewer dashboard-viewer False Project Role
K8s NetworkPolicy Admin k8s-networkpolicy-admin False Project ProjectRole
KMS Admin kms-admin False Project Role
KMS Creator kms-creator False Project Role
KMS Developer kms-developer False Project Role
KMS Key Export Admin kms-keyexport-admin False Project Role
KMS Key Import Admin kms-keyimport-admin False Project Role
KMS Viewer kms-viewer False Project Role
Marketplace Editor marketplace-editor False Project Role
MonitoringRule Editor monitoringrule-editor False Project Role
MonitoringRule Viewer monitoringrule-viewer False Project Role
MonitoringTarget Editor monitoringtarget-editor False Project Role
MonitoringTarget Viewer monitoringtarget-viewer False Project Role
Namespace Admin namespace-admin False Project ProjectRole
NAT Viewer nat-viewer False Project ProjectRole
ObservabilityPipeline Editor observabilitypipeline-editor False Project Role
ObservabilityPipeline Viewer observabilitypipeline-viewer False Project Role
Project Bucket Admin project-bucket-admin False Project Role
Project Bucket Object Admin project-bucket-object-admin False Project Role
Project Bucket Object Viewer project-bucket-object-viewer False Project Role
Project NetworkPolicy Admin project-networkpolicy-admin False Project Role
Project DB Admin project-db-admin False Project Role
Project DB Editor project-db-editor False Project Role
Project DB Viewer project-db-viewer False Project Role
Project Viewer project-viewer False Project Role
Project VirtualMachine Admin project-vm-admin False Project Role
Project VirtualMachine Image Admin project-vm-image-admin False Project Role
Secret Admin secret-admin False Project Role
Secret Viewer secret-viewer False Project Role
Service Configuration Admin service-configuration-admin False Project Role
Service Configuration Viewer service-configuration-viewer False Project Role
Workbench Notebooks Admin workbench-notebooks-admin False Project Role
Workbench Notebooks Viewer workbench-notebooks-viewer False Project Role

AO persona
Name Binding type Org admin cluster permissions User cluster permissions Escalates to
Project IAM Admin RoleBinding
  • RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind
  • ProjectServiceAccount: Create, read, update, and delete
  • List project namespace
N/A All other AO roles
AI OCR Developer RoleBinding OCR resources: Read and write N/A N/A
AI Speech Developer RoleBinding Speech resources: Read and write N/A N/A
AI Translation Developer RoleBinding Translation resources: Read and write N/A N/A
Backup Creator ProjectRoleBinding N/A
  • Manual backups and restores: Create, read, and delete
  • Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read
Dashboard Editor RoleBinding Dashboard custom resources: Get, read, create, update, delete, and patch N/A N/A
Dashboard Viewer RoleBinding Dashboard: Get and read N/A N/A
K8s NetworkPolicy Admin ProjectRoleBinding NetworkPolicy resources: Create, read, get, update, delete, and patch N/A N/A
KMS Admin RoleBinding
  • AEADKey: Create, read, update, delete, patch, encrypt, and decrypt
  • SigningKey: Create, read, update, delete, patch, and sign
  • KeyImport and KeyExport: Read
KMS Creator RoleBinding AEADKey and SigningKey: Create and read N/A N/A
KMS Developer RoleBinding
  • AEADKey in the project namespace: Read, encrypt, and decrypt
  • SigningKey in the project namespace: Read and sign
KMS Key Export Admin RoleBinding KeyExport resource: Create, read, update, patch, and delete N/A N/A
KMS Key Import Admin RoleBinding KeyImport resource: Create, read, update, patch, and delete N/A N/A
KMS Viewer RoleBinding AEADKey, SigningKey, KeyImport, KeyExport: Read N/A N/A
Kubernetes Network Policy Admin ProjectRoleBinding N/A Kubernetes network policies: Read and write in the user cluster N/A
Marketplace Editor RoleBinding N/A Service instances: Create, update, and delete N/A
MonitoringRule Editor RoleBinding MonitoringRule custom resources: Create, read, update, delete, and patch N/A N/A
MonitoringRule Viewer RoleBinding MonitoringRule custom resources: Read N/A N/A
MonitoringTarget Editor RoleBinding MonitoringTarget custom resources: Create, read, update, delete, and patch N/A N/A
MonitoringTarget Viewer RoleBinding MonitoringTarget custom resources: Read N/A N/A
Namespace Admin ProjectRoleBinding N/A All resources: Read and write access in the project namespace, excluding the system cluster N/A
NAT Viewer ProjectRoleBinding N/A Deployments: Get and read N/A
ObservabilityPipeline Editor RoleBinding ObservabilityPipeline resources: Get, read, create, update, delete, and patch N/A N/A
ObservabilityPipeline Viewer RoleBinding ObservabilityPipeline resources: Get and read N/A N/A
Project Bucket Admin RoleBinding Bucket: Read and write in the project namespace N/A N/A
Project Bucket Object Admin RoleBinding
  • Bucket: Read
  • Objects: Read and write
Project Bucket Object Viewer RoleBinding Bucket and objects: Read N/A N/A
Project NetworkPolicy Admin RoleBinding Project network policies: Read and write in the project namespace N/A N/A
Project DB Admin RoleBinding
  • Database versions, flags, maintenance policies, software libraries, and database project properties: Read
  • Backup plans and database clusters: Create, read, update, and delete
  • Imports, exports, and restores: Create, read, and delete
  • Secrets: Create, delete, and update
  • Migrations and external servers: Create, read, update, delete, and patch
Project DB Editor RoleBinding
  • Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read
  • Imports: Create, read, and delete
  • Database clusters: Read and update
  • Secrets: Create and delete
Project DB Viewer RoleBinding Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read N/A N/A
Project Viewer RoleBinding All resources in the project namespace: Read N/A N/A
Project VirtualMachine Admin RoleBinding
  • Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete
  • Virtual machine restart: Put
  • Virtual machine images, backup plans, and backup plan templates: Read
Project VirtualMachine Image Admin RoleBinding
  • VM images: Read
  • VM image imports: Read and write
Secret Admin RoleBinding Kubernetes secrets: Read, create, update, delete, and patch N/A N/A
Secret Viewer RoleBinding Kubernetes secrets: Read N/A N/A
Service Configuration Admin RoleBinding ServiceConfigurations: Read and write N/A N/A
Service Configuration Viewer RoleBinding ServiceConfigurations: Read N/A N/A
Workbench Notebooks Admin RoleBinding N/A
  • Notebook custom resources (CR) in the project namespace: Create, read, update, and delete
  • ClusterInfo objects: Read
Workbench Notebooks Viewer RoleBinding N/A
  • Notebook custom resources (CR) in the project namespace: Read

Common predefined identity and access roles

Common roles
Name Kubernetes resource name Initial admin Level Type
AI Platform Viewer ai-platform-viewer False Project Role
DB UI Viewer db-ui-viewer False Project ClusterRole
DB Options Viewer db-options-viewer False Project ClusterRole
DNS Suffix Viewer dnssuffix-viewer False Organization Role
Flow Log Admin flowlog-admin False Organization ClusterRole
Flow Log Viewer flowlog-viewer False Project ClusterRole
Marketplace Service Viewer marketplace-service-viewer False Project ClusterRole
Marketplace Viewer marketplace-viewer False Project ClusterRole
Pricing Calculator User pricingcalculator-user False Project ClusterRole
Project Discovery Viewer projectdiscovery-viewer False Project ClusterRole
Public Image Viewer public-image-viewer False Organization Role
Virtual Machine Type Viewer virtualmachinetype-viewer True Organization OrganizationRole
VM Type Viewer vmtype-viewer False Organization Role

Common roles
Name Binding type Admin cluster permissions User cluster permissions Escalates to
AI Platform Viewer RoleBinding Pre-trained services: Read N/A N/A
DB Options Viewer ClusterRoleBinding DBS configurations: Read N/A N/A
DB UI Viewer ClusterRoleBinding DBS UI configurations: Read N/A N/A
DNS Suffix Viewer RoleBinding DNS suffix config maps: Read N/A N/A
Flow Log Admin ClusterRoleBinding Flow log resources: Get and read Flow log resources: Get and read N/A
Flow Log Viewer ClusterRoleBinding Flow log resources: Create, get, read, patch, update, and delete Flow log resources: Create, get, read, patch, update, and delete N/A
Marketplace Service Viewer ClusterRoleBinding Marketplace services: Read N/A N/A
Marketplace Viewer ClusterRoleBinding Service versions and service instances: Read N/A N/A
Pricing Calculator User ClusterRoleBinding N/A SkuDescriptions: Read N/A
Project Discovery Viewer ClusterRoleBinding Projects: Read N/A N/A
Public Image Viewer RoleBinding VM images: Read N/A N/A
VM Type Viewer ClusterRoleBinding VM types: Read N/A N/A