As an administrator, you can create a custom role that you can use in access policies in VMware Tanzu Mission Control.

Tanzu Mission Control provides a set of standard roles that you can use to establish a baseline security posture for your organization. To suit the needs of your organization, you can also create custom roles that have a more specific focus. For example, say your organization has a small group that manages the data protection aspects of all your clusters. In such a case, you can create a custom role that contains all of the necessary permissions for this set of tasks without adding other administrative permissions that the members of this group don't need.

When creating a custom role, consider the following:
  • Custom roles can be used only in role bindings in access policies for the type of object for which you specify the role's visibility. You cannot use custom roles in access policies for management clusters.
  • Almost all of the aspects of the custom role are optional. However, for the role to have functional value, it must include at least one of the following: Tanzu permissions, Kubernetes RBAC rules, or an aggregation.
  • When you use aggregation, only Kubernetes RBAC rules are included. Tanzu permissions are not included. To use aggregation, create the custom roles with the base rules and label them, and then create the custom role with the aggregation using the label selector to identify the custom roles with the base rules. For more information about role aggregation, see Aggregated ClusterRoles in the Kubernetes documentation.


Make sure you have the appropriate permissions.
  • To create a custom role, you must be associated with the organization.admin role for the organization.

Log in to the Tanzu Mission Control console, and then go to the Administration page.


  1. On the Administration page in the Tanzu Mission Control console, click the Roles tab.
  2. Click Create Custom Role.
    Note: You can optionally use an existing role, either built-in or custom, as a pattern for the new role. Click the menu icon for the existing role in the table on the Roles tab, and then choose Create role from selected.
  3. Provide a name for the custom role.
  4. You can optionally provide a description so other team members understand the purpose of the custom role.
  5. You can optionally specify one or more labels to apply to the custom role.
    You can use labels to identify multiple roles that you want to aggregate into a single combined role.
  6. Select the visibility for the custom role.
    1. Click Cluster or Workspace.
    2. Select the hierarchy levels to which the role can be applied.
  7. You can optionally specify Tanzu permissions to include in the custom role.
    You can sort and filter the permissions displayed in the table to locate the individual permissions you want to add.
    • To select a permission, click its checkbox.
    • To select all permissions, click the select all checkbox at the top of the table. Be aware that the select all checkbox selects all of the available permissions, not just those that are currently displayed. If you have applied a filter, you do not see all of the permissions you have selected by clicking the select all checkbox.
  8. You can optionally add one or more Kubernetes RBAC rules for the custom role.
    1. Select one or more verbs (Kubernetes permission type).
      You can optionally type in your own custom verb.
    2. Select the type.
      • Resource allows you to choose from Kubernetes resources.
      • Non-resource URL allows you to specify a URL that is not a Kubernetes resource, for example /healthz.
    3. Select one or more Kubernetes resource types, or enter the URL for a custom non-resource.
    4. You can optionally enter a resource name for easier identification.
    5. You can optionally specify an API group.
    6. You can optionally click Add Another and repeat these steps to include additional Kubernetes RBAC rules.
  9. To aggregate with other roles, enter one or more label selectors to identify the roles to aggregate.
    For more information about role aggregation, see Aggregated ClusterRoles in the Kubernetes documentation.
  10. You can optionally click Deprecate to toggle whether new role bindings are prevented from using the custom role.
  11. Click Create.


When you click Create, Tanzu Mission Control creates the custom role. It is now available for creating access policies for the objects you specified for its visibility.
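
The aggregation pattern described above (labelled base roles plus a role that selects them by label), shown as the Kubernetes aggregated ClusterRole manifests it corresponds to. This is an added example, not Tanzu Mission Control output or VMware's own configuration; the role names, the label key, and the choice of velero.io resources for the data protection scenario are assumptions.

```yaml
# Added example: plain Kubernetes ClusterRole manifests.
# Role names and the label key/value are hypothetical.

# Base role 1: read-only access to backup objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dp-backup-viewer
  labels:
    example.com/aggregate-to-data-protection: "true"
rules:
  - apiGroups: ["velero.io"]          # assumed API group for the scenario
    resources: ["backups", "schedules"]
    verbs: ["get", "list", "watch"]
---
# Base role 2: create restores, plus one non-resource URL rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dp-restore-operator
  labels:
    example.com/aggregate-to-data-protection: "true"
rules:
  - apiGroups: ["velero.io"]
    resources: ["restores"]
    verbs: ["get", "list", "create"]
  - nonResourceURLs: ["/healthz"]     # non-resource URL, as in step 8
    verbs: ["get"]
---
# Aggregating role: carries no rules of its own. The control plane
# fills in the union of the rules from every ClusterRole whose labels
# match a selector below, and overwrites any rules set here by hand.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: data-protection-operator
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        example.com/aggregate-to-data-protection: "true"
rules: []
```

Because any role that later receives the matching label is merged into the aggregate, keep the label key specific to its purpose and review which roles carry it whenever you audit the aggregated role.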