Manage RBAC via Console
Before You Start
- You must have an active Enterprise key
- You must have TLS enabled on your cluster
- You must have an Authentication Provider (IdP) set up
- Review the Roles & Permissions.
- Review the User Types
- Confirm you have the right role(s) to grant a user access to a given resource (e.g., you have the projectOwner role on a given project you wish to add other users to)
- Cluster-level admin roles are not currently implementable via Console
How to Assign Roles to a User
On a Project
Roles granted at the Project level are inherited by all repositories within that project. If you grant a user repoReader on a project, they will have repoReader on all repositories within that project, and that role cannot be removed at the repo level.
- Log in to the Pachyderm Console.
- Scroll to a project you wish to add a user to.
- Select the ellipsis icon > Edit Project Roles.
- Select a User Type from the dropdown:
  - user: an individual by name or email address; requires that user’s email address be registered or available to your IdP (e.g., either explicitly listed or allowed via your email domain)
  - group: a group of users; requires that your IdP supports groups tied to an email address
  - robot: a service account
  - allClusterUsers: all users on the cluster
- If not allClusterUsers, provide a name or email address.
- Select a Role from the dropdown.
  - projectViewer: Can view the project and see a list of its repositories.
  - projectWriter: projectViewer permissions + can also create repositories.
  - projectOwner: projectWriter permissions + can also delete repositories and modify role bindings.
  - repoReader: Can read every repository in the project.
  - repoWriter: repoReader permissions + can also push to every repository in the project.
  - repoOwner: repoWriter permissions + can also delete repositories and modify role bindings.
- Select Add.
- Select Done.
On a Repository
Roles granted at the Repository level are not inherited by other repositories within that project. This is useful if you want to grant a user repoReader on a single repository within a project, but not on all repositories within that project.
- Log in to the Pachyderm Console.
- Select View Project on the project containing the repository you wish to add a user to.
- Select the repo (either from the DAG view or the List view).
- Select Set Roles.
- Select a User Type from the dropdown.
- If not allClusterUsers, provide a name or email address.
- Select a Role from the dropdown.
- Select Add.
- Select Done.
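
The difference between project-level and repository-level grants described on this page, modelled as an added example (not Pachyderm code or its API): it computes which repo roles a user effectively holds on a repository and which of them can be revoked at the repository level. The `user:`/`group:` subject strings, the sample bindings and all function names are assumptions made for the illustration.

```python
# Added illustration: a simplified model of role inheritance, not Pachyderm code.
# BASE records the "X permissions + ..." chains from the role list on this page.
BASE = {"repoReader": None, "repoWriter": "repoReader", "repoOwner": "repoWriter",
        "projectViewer": None, "projectWriter": "projectViewer",
        "projectOwner": "projectWriter"}

def expand(role):
    """Return the role plus every role it builds on."""
    roles = set()
    while role is not None:
        roles.add(role)
        role = BASE[role]
    return roles

def subjects_for(user, groups):
    """Subjects whose bindings apply to a user (subject naming is an assumption)."""
    return {f"user:{user}", "allClusterUsers"} | {f"group:{g}" for g in groups}

def effective_repo_roles(user, groups, project, repo, project_bindings, repo_bindings):
    """Map each repo* role the user holds on `repo` to the level(s) granting it."""
    subjects = subjects_for(user, groups)
    granted = {}
    # Repository-level bindings apply to that one repository only.
    for subject, role in repo_bindings.get((project, repo), []):
        if subject in subjects:
            for r in expand(role):
                granted.setdefault(r, set()).add("repo")
    # Project-level bindings are inherited by every repository in the project.
    # Only repo* roles are tracked; what project* roles allow on a repo is not modelled.
    for subject, role in project_bindings.get(project, []):
        if subject in subjects:
            for r in expand(role):
                if r.startswith("repo"):
                    granted.setdefault(r, set()).add("project")
    return granted

def revocable_at_repo(granted):
    """Roles that go away if the repository-level bindings are removed."""
    return {r for r, levels in granted.items() if levels == {"repo"}}

# Constructed sample bindings (not from a real cluster).
PROJECT_BINDINGS = {"analytics": [("group:data-eng", "repoReader")]}
REPO_BINDINGS = {("analytics", "raw"): [("user:ana@example.com", "repoWriter")]}

if __name__ == "__main__":
    for repo in ("raw", "clean"):
        g = effective_repo_roles("ana@example.com", ["data-eng"], "analytics", repo,
                                 PROJECT_BINDINGS, REPO_BINDINGS)
        print(repo, g, "revocable at repo level:", revocable_at_repo(g))
```

A role whose sources include "project" stays in effect after the repository-level binding is removed, which is why broad project grants deserve review before narrower repository grants.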