Role-Based Access Control
Note
This feature is currently in Private Preview. To use this feature, your Pulsar clusters must be on the rapid channel and on version 3.1.2.1 or greater. Contact StreamNative to have it enabled.
Overview
Role-based access control allows you to control what level of access users have to your organization's resources, such as Pulsar clusters, tenants, and service accounts.
Roles
Organization Admin
Organization Admins have full control over everything in their organization. Users granted the Organization Admin role have the following capabilities:
- Viewing and managing billing details
- Viewing and managing secrets
- Inviting users to your organization, deleting users, and modifying their roles.
- Managing Pulsar Instances and Pulsar Clusters, including deleting Pulsar clusters.
Read Only
The Read Only role allows users to read information from the StreamNative Console, but disallows the modification or deletion of any resources. Users with the Read Only role have the following capabilities:
- Peek at topics.
- View clusters, tenants, and namespaces.
- View users.
- View functions and connectors.
Tenant Admin
The Tenant Admin role grants full administrative capabilities over a specific tenant. Tenant Admins have the following capabilities:
- Create, modify, and delete namespaces within your tenant.
Basic Role
The Basic Role is the default role assigned to all users when they are invited to an organization. It cannot be removed from any user; to reduce a user's permissions below this level, you must delete the user from your organization. The Basic Role only allows a user to log into the console and view an organization's instances. To give users access to additional details in the console, you must assign them additional roles.
Inviting Users
To invite a user, go to the users page and click the "Invite User" button. This opens a modal where you can enter the user's email.
You must enter a valid email before you can assign the user a role. If the user is already in your organization, you cannot invite them again; you must instead modify their role.
To assign a user Tenant Admin capabilities, click the + button and select the tenant(s) you want the user to administer.
Modifying Roles
You must be an Organization Admin to modify roles.
To modify a user's roles, go to the users page, click the ellipsis menu (...), and click Edit Roles. This opens the Edit Role menu, where roles can be added by clicking the checkbox next to a role.
Best Practices
- We recommend limiting the number of Organization Admins in your Organization as much as possible.
- As a default, we recommend giving most users the Read Only role.
Limitations
Currently, StreamNative RBAC does not support role assignment via snctl.
Can roles be combined? Yes - roles can be combined by assigning a user multiple roles within the invite / edit user modal.