Create a role binding in the access policy for an object to specify permissions for a member or group.


Log in to the Tanzu Mission Control console, and then go to the Access page for the type of object for which you want to add a role binding, as described in View Your Access Policies.

Make sure you have the appropriate permissions.
  • To edit the access policy for an object, you must be associated with the .admin role for that object.


  1. Navigate to the object whose access policy you want to add a role binding to, as described in View Your Access Policies.
  2. In the organizational view, select the object.
  3. Click the arrow next to the object name under Direct access policies.
  4. Click Create Role Binding.
  5. Select the role that you want to bind to an identity.
  6. Select the identity type that you want to bind.
    • user
    • group can be any group you have defined for your organization in VMware Cloud Services.
    • Kubernetes service account identifies a service account, and the namespace in which it is defined.
  7. Enter one or more identities, clicking Add after each identity.
  8. Click Save.


When you click Save, the new role binding is applied to the policy and is displayed on the Access page.

Example: Grant yourself access to your first cluster

The first time you create or attach a cluster might happen before your organization has a robust hierarchy of guardrail policies to manage access to clusters and other organizational objects. If you’re an administrator for your Tanzu Mission Control organization, you’ll already have access by default. But if you aren’t, or if you want to share this cluster with a colleague, you’ll need to set a direct access policy. Here is an example of how to do that.
  1. In the organizational view on the Access page, select your cluster.
  2. Click the arrow next to the cluster name under Direct access policies, and then click Create Role Binding.
  3. Select the cluster.admin role to grant administrative access to this cluster.
  4. Select the user type to grant access to individuals.
  5. Enter user IDs for yourself or your colleagues in the user identity field, clicking Add after each identity.
  6. Click Save.