Learn how to set up and manage Role-Based Access Control (RBAC).


Go back to our Enterprise landing page if you do not have a key. Before setting up a Role-Based access control to Pachyderm resources, verify that:

  • the User Access Management feature is on by running pachctl auth whoami. The command should return You are "pach:root" (i.e., your are the Root User with clusterAdmin privileges). Run pachctl auth use-auth-token to login as a Root User.
  • your IdP connector is set.

Pachyderm authorization feature follows a Role Based Access Control model (RBAC). The access control is based on Roles assigned to Users, granting them a set of permissions on Pachyderm’s Resources (Role Bindings).

In this page we will introduce Pachyderm’s various Type of Users, resources, and Roles.

This preamble will set the contextual knowledge to better understand how to:

in the next Role Binding page.

Users Types #

Pachyderm defines 5 type of User:

Resources #

Pachyderm has 2 types of resources: Repositories: repo, Clusters: cluster.

Roles #

Pachyderm has a number of predefined roles granting permissions to its Resources. Those Roles are listed here in no specific hierarchical order. Some might inherit a set of permissions from another.

Repo Roles #

These roles can be granted at the repo level or at the cluster level - if a user is granted a role at the cluster level, it applies to all repos, including any new repos that are created after the grant.

Cluster Roles #

These roles are only applicable at the cluster level. clusterAdmin is a catch-all role which allows a user to perform any operation on the cluster, while the others allow delegation of specific privileges depending on a users needs.


Activating auth (pachctl auth activate) creates a Root User with irrevocable clusterAdmin rights. This Role must be set at the cluster level only.