Role-Based Access Control

Note

This feature is currently in Private Preview. To use it, your Pulsar clusters must be on the rapid channel and running version 3.1.2.1 or greater. Contact StreamNative to have it enabled.

Overview

Role-based access control allows you to control what level of access users have to your organization's resources, such as Pulsar clusters, tenants, and service accounts.

Roles

Organization Admin

Organization Admins have full control over everything in their organization. Users granted the Organization Admin role have the following capabilities:

  • Viewing and managing billing details.
  • Viewing and managing secrets.
  • Inviting users to your organization, deleting users, and modifying their roles.
  • Managing Pulsar Instances and Pulsar Clusters, including deleting Pulsar clusters.

Read Only

The Read Only role allows users to read information from the StreamNative Console, but does not allow them to modify or delete any resources. Users with the Read Only role have the following capabilities:

  • Peek at topics.
  • View clusters, tenants, and namespaces.
  • View users.
  • View functions and connectors.

Tenant Admin

The Tenant Admin role grants full administrative capabilities over a specific tenant. Tenant Admins have the following capabilities:

  • Create, modify, and delete namespaces within your tenant.

Basic Role

The Basic Role is the default role assigned to all users when they are invited to an organization. It cannot be removed from any user; to reduce a user's permissions below this level, you must delete the user from your organization. The Basic Role only allows a user to log into the console and view an organization's instances. To let users access additional details in the console, you must assign them additional roles.

Inviting Users

To invite a user, go to the users page and click the "Invite User" button. This opens a modal where you can enter the user's email.

You must enter a valid email before you can assign the user a role. If the user is already in your organization, you cannot invite them again; you must instead modify their role.

To assign a user Tenant Admin capabilities, click the + button and select the tenant(s) you want the user to administer.

Modifying Roles

You must be an Organization Admin to modify roles.

To modify a user's roles, go to the users page, click the ellipsis menu (...), and click Edit Roles. This opens the Edit Role menu, where roles can be added by clicking the checkbox next to a role.

Best Practices

  • We recommend limiting the number of Organization Admins in your Organization as much as possible.
  • As a default, we recommend giving most users the Read Only role.

Limitations

Currently, StreamNative RBAC does not support role assignment via snctl.

Can roles be combined? Yes - roles can be combined by assigning a user multiple roles within the invite / edit user modal.
