Tanzu Application Platform v1.3 includes:

Default roles

Four roles are for users:

  • app-editor
  • app-viewer
  • app-operator
  • service-operator

Two roles are for service accounts associated with the Tanzu Supply Chain:

  • workload
  • deliverable

The default roles provide an opinionated starting point for the most common permissions that users need when using Tanzu Application Platform. However, as described in the Kubernetes documentation about RBAC, you can create customized roles and permissions that better meet your needs. Aggregated cluster roles are used to build VMware Tanzu Application Platform default roles.

Cluster admins must be careful when creating Roles or ClusterRoles. When changing roles or adding new roles that carry one of the labels used by the default roles, the roles are automatically updated to the aggregation state. It can lead to unintentional changes in functions and permissions to all users.

The default roles are installed with every Tanzu Application Platform profile except for view. For an overview of the different roles and their permissions, see Role Descriptions.

Working with roles using the RBAC CLI plug-in

For more information about working with roles, see Bind a user or group to a default role.


Tanzu Application Platform GUI does not make use of the described roles. Instead, it provides the user with view access for each cluster.

check-circle-line exclamation-circle-line close-line
Scroll to top icon