Roles and Permissions
The table below illustrates the permissions of roles which can manipulate organizations and their membership.
| Action | Organization Owner | Organization Member |
|---|---|---|
| Add Organization Owner | x | |
| Add Organization Member | x | |
| View Organization Members | x | x |
The table below illustrates the permissions of roles which can manipulate groups and their membership.
| Action | Organization Owner | Group Owner | Group Member |
|---|---|---|---|
| Create Group | x | | |
| Update Group | x | | |
| Delete Group | x | | |
| Add Group Owner | x | x | |
| Remove Group Owner | x | x | |
| View Group Owners | x | x | x |
| Add Group Member | x | x | |
| Remove Group Member | x | x | |
| View Group Members | x | x | x |
The table below shows group roles and their ability to manipulate group-scoped and user-scoped resources such as secrets, storage volumes, and compute resource definitions.
| Resource | Action | Group Owner | Group Member |
|---|---|---|---|
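| Group Scoped Resource | Create | x | |
| Group Scoped Resource | Update | x | |
| Group Scoped Resource | Delete | x | |
| Group Scoped Resource | Access | x | x |
| User Scoped Resources | Create | x | x |
| User Scoped Resources | Update | x | x |
| User Scoped Resources | Delete | x | x |
| User Scoped Resources | Access | x | x |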
In the next section, we will walk through an example which ties the concepts of organizations, groups, and users together.
Node provisioners can be created and managed at different scopes within the organization hierarchy. The table below shows the permissions for node provisioner management.
| Action | Organization Owner | Group Owner | Group Member |
|---|---|---|---|
| Create Node Provisioner | x | x | |
| Update Node Provisioner | x | x | |
| Delete Node Provisioner | x | x | |
| View Node Provisioners | x | x | x |
Organization-scoped node provisioners can be created and managed by organization owners. These node provisioners are available to all groups and users within the organization.
Group-scoped node provisioners can be created and managed by group owners. These node provisioners are available to members of that specific group, providing more granular control over which compute resources are accessible to different teams.
This hierarchical permission model allows administrators to delegate node provisioner management responsibilities while maintaining appropriate access controls across the organization.
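The node provisioner table and the two scope rules above, combined into one deny-by-default authorization check. This is an added example, not the product's own code: the `User`, `Provisioner` and `allowed` names and the sample principals are hypothetical, and letting organization owners view and manage group-scoped provisioners is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Optional

MANAGE = {"create", "update", "delete"}

@dataclass(frozen=True)
class Provisioner:
    org: str
    group: Optional[str] = None  # None means organization-scoped

@dataclass
class User:
    org: str
    org_owner: bool = False
    owns: set = field(default_factory=set)       # groups held as Group Owner
    member_of: set = field(default_factory=set)  # groups held as Group Member

def allowed(user: User, action: str, prov: Provisioner) -> bool:
    """Return True only when the role table AND the scope rule both grant it."""
    if user.org != prov.org:
        return False  # never cross an organization boundary
    if action == "view":
        if prov.group is None:
            return True  # org scope: available to all groups and users
        return user.org_owner or prov.group in (user.owns | user.member_of)
    if action in MANAGE:
        if user.org_owner:
            return True  # assumption: org owners manage every scope
        # Group owners manage only provisioners scoped to a group they own;
        # the role column alone would wrongly grant them org-scoped ones too.
        return prov.group is not None and prov.group in user.owns
    return False  # unknown action: deny

# Constructed sample principals and provisioners.
ALICE = User("acme", org_owner=True)
BOB = User("acme", owns={"ml"})
CAROL = User("acme", member_of={"ml"})
ORG_POOL = Provisioner("acme")
ML_POOL = Provisioner("acme", "ml")
WEB_POOL = Provisioner("acme", "web")

if __name__ == "__main__":
    for name, u in [("alice", ALICE), ("bob", BOB), ("carol", CAROL)]:
        for label, p in [("org", ORG_POOL), ("ml", ML_POOL), ("web", WEB_POOL)]:
            grants = [a for a in ("view", "create", "update", "delete")
                      if allowed(u, a, p)]
            print(f"{name:5} {label:3} {grants}")
```

The cases worth testing in any implementation of this model are the scope mismatches: a group owner acting on an organization-scoped provisioner, and a group owner or member acting on another group's provisioner.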