Skip to main content


Roles are assigned to people in your organization. Access control is driven based on these roles. Paralus comes with a set of pre defined roles. It also allows you to create new roles with the permissions you want.

In this document, we help you understand how you can create and manage roles.

Types Of Roles

Organization AdminA privileged, super user type role with access to everything in the Org. This user can view, manage projects, clusters, users, groups, roles, role associations and namespaces.
Org Admin Read OnlyA privileged role has only Read access to workloads, namespaces, certificates, secret stores, registries, aggregation endpoints, clusters, add-ons, and blueprints
Project AdminA privileged role allowed to manage all workload resources in a Project. Specifically, they have Read + Write access to workloads, certificates, registries, secret stores, and aggregation endpoints
Project Read OnlyA Read Only version of the Project Admin role
Cluster AdminA privileged role allowed to build clusters in a Project. Specifically, Cluster Admins has read only infrastructure access + Cluster CRUD (Create, Read, Update, and Delete) operations
Namespace AdminA role allowed to view only the user specified namespaces, and policy violations, but not allowed to create a new namespace. Allowed to perform end-to-end (create, publish/unpublish, edit, delete) actions on workloads with the user selected namespace(s). Specifically, they can view only the Resources that are associated with the selected namespace(s)
Namespace Read OnlyA Read Only version of the Namespace Admin role

Note: A user can be associated with multiple roles at the same time. In such a scenario, the union of the permissions associated with both roles is applied.

Typical hierarchy of roles in an organization.

Determine Roles

As An End User

Authorized users in an organization can determine their exact role and profile in the web conosle by following the below mentioned steps:

  • Login to the console

  • Click on your name/email address on the top right

  • Select Profile from the drop-down menu

    Checking your permission as an end user

As An Organization Admin

Organization admins can determine a users's role be following the below mentioned steps:

  • Login to the console
  • Navigate to System -> Users
  • Search for the specific user
  • View current role assignment

Managing Roles

Assignment and management of roles for users in the organization can be done only by an Organization admins. All the changes to roles are logged and can be found in the Audit Logs.

Roles can be assigned to users in one of the two following ways:

  • By Group (Associate role to a specific group, add/remove users to the group)
  • Per User (Associate role to a specific user)

Manage By Group

This is the preferred way to manage roles when you have a large number of users that need similar roles. For example, if you have a team of developers, you can create a group called Developers, define the permissions and add users to the group. Even when you have a new developer joining the team, you would just need to add that user to this group.

Read more about groups.

Manage Role Per User

There might be situations where you want to assign a role to a specific user. In such cases you can you can follow the below mentioned steps:

  • Login to the console as an Organzation Admin

  • Navigate to System -> Users

    Listing all users
  • Select the desired user

  • Navigate to the Projects Tab

  • Click Assign User To Project button

  • Select a project from the drop down

  • Assign Role(s), click Save & Exit

    Assigning Roles to a User

Creating Roles

As an organization admin, you can also create a role by choosing the permissions you need. Follow the steps to create a custom role:

  • Login to the console as an Organization Admin

  • Navigate to System -> Roles

    Listing all the roles
  • Click on New Role

  • Give a new for the new role & click Create

    Adding a New Role
  • On the next screen, choose the permissions that you want to assign to the role. Select the permissions from the left pane and add them to the right pane.

    Choosing permissions for the new role
  • Click Save to create the new role

Editing Roles

To edit an already created role, login as an organization admin and follow the below steps:

  • Login to the console as an Organization Admin
  • Navigate to System -> Roles
  • Click Edit on the role you wish to edit
  • Add/Remove the permissions
  • Save and exit

Deleting Roles

To delete an already created role, login as an organization admin and follow the below steps:

  • Login to the console as an Organization Admin
  • Navigate to System -> Roles
  • Click Delete on the role you wish to delete

Permissions List

Below is the list of permissions that you can choose to assign and create a role.

cluster.readRead cluster information & download cluster bootstrap
cluster.writeCreate, Manage and Delete clusters
console.allView console and Manage user access
group.readView group information and associations
group.writeManage group and its associations
hub.openapi.explorer.readView openapi-explorer
location.readView locations
location.writeCreate, Manage & Delete locations
oidc.readView OIDC configuration.
oidc.writeCreate, Manage and Delete OIDC configuration
ops_star.allProvides complete access - the super admin
organization.readView organization information
organization.writeManage organization information
partner.readView partner information
project.admin.writeUpdate project associtation with user-role and group-roles
project.readView project information
project.writeCreate, manage and delete project information
role.readView roles
role.writeCreate, Manage and Delete roles
rolepermission.readView role permissions
ssouser.readView SSO users information
ssouser.writeCreate, Manage and Delete SSO users information
template.readView templates
user.readView users information
user.writeCreate, Manage and Delete users
audit.readRead system audit logs
kubeconfig.readView all kubeconfig information
kubeconfig.writeCreate, Manage and revoke kubeconfig settings at user, organization level
kubectl.clustersettings.readView kubectl settings at cluster level
kubectl.clustersettings.writeUpdate kubectl settings at cluster level
org.auditLog.readView system audit logs
org.relayAudit.readView kubectl audit logs
project.auditLog.readView project system audit information
project.audit.readView project kubectl audit information
project.relayAudit.readView project kubectl audit log information
v2debug.readread web kubectl

Read more about features of Paralus.


We are a Cloud Native Computing Foundation sandbox project.