Setting up users and projects for VMware Tanzu Platform hub
As an organization owner, you must configure users so that your Tanzu Platform hub users can see and manage the applications assigned to them. You can configure projects if you want selected users to have different permissions for resources associated with one project but not the same permissions in another project.
Tanzu Platform hub uses role-based access. There are three types of roles:
- Organization roles
- Service roles
- Project roles
All users must have at least an Organization Member role to access the service console and at least an Tanzu Platform hub Viewer role to open and view the service UI.
Additional roles and permissions are explained in the following sections.
Organization roles
Organization roles provide access to the service console. The roles have particular permissions. This section provides an overview of the four key roles. For more information about the how the roles affect general organization permissions, see Tanzu Platform cloud services organization roles.
| Role | Permissions |
|---|---|
| Organization owner | Users can open the console, assign organization roles to all users, and assign service roles to all organization roles, including to themselves. |
| Organization administrator | Users can open the console and assign service roles to organization members. |
| Organization member | Users can open the console. To open a service, they must have a service role assigned by a owner or administrator. |
Service roles
The service roles determine what you can see and do in Tanzu Platform hub. Some of the services that are presented in the Tanzu Platform hub UI require additional service roles. These roles are defined in the console by an organization owner or administrator.
You must give users at least a viewer role to open Tanzu Platform hub.
| Role | Description |
|---|---|
| Tanzu Hub Admin | User can fully manage the resources, making changes where needed. |
| Tanzu Hub Viewer | User can see resources but cannot make changes. |
| Tanzu Hub Admin Bundle | User has the Tanzu Hub admin role and read-only roles for other Tanzu and Aria services unless another role is specifically granted for the service. |
| Tanzu Hub Viewer Bundle | User has the Tanzu Hub viewer role and read-only roles for other Tanzu and Aria services unless another role is specifically granted for the service. |
To work with the Tanzu Insights service, you must give the users one of the following roles in addition to at least a Hub Viewer role.
| Role | Description |
|---|---|
| Insights Admin | User can view and manage all insights, including resolving insights. |
| Insights Viewer | User can view all insights. They cannot make any changes. |
How service roles interact with project roles
A project is a collection of resources to which you can assign users with different roles. For example, you might assign a user a Viewer role in the service, but you can assign them a project administrator role if you want to allow them to fully manage the resources in one project.
Review the following ways that service roles interact with project roles. The Hub role is used as an example. The behavior applies to all service roles and how they interact with projects.
- A user with the Hub Admin service role can perform all actions anywhere in Tanzu Platform Hub.
- A user with the service Hub Viewer role can see everything in Tanzu Platform hub, but they can’t make any changes.
- When resources are assigned to projects, a user who has the Hub Viewer role and the Hub Viewer project role can see only the resources in the projects that they are members of.
- If a user has the Hub Viewer service role and the Hub Admin project role can see everything in Tanzu Platform hub. However, they can only make changes to the resources in their projects. The project Admin role takes precedence over of the service Viewer role for the project.
- If a user has the Hub Admin service role and a Hub Viewer project role, they can make changes to the resources in that project and to the resources in any project. The service Admin role takes precedence over project Viewer role.
Users can use the Context list in the header to switch between their projects so that they only see resources assigned to the selected project. If the user selects All Projects they will see all resources in their projects.
What to read next
- Add users and assign user roles for Tanzu Platform hub
To ensure that your users can access Tanzu Platform hub, you must add your users in the Tanzu Platform cloud services console and given them the permissions that support their assigned roles. - Add projects and assign users for Tanzu Platform hub
If you plan to manage your resources as projects so that you can assign different users permission to see or manage resources, , you create projects for your various teams or development projects. You then add users to the Tanzu Platform hub projects to give them access to the accounts that include their project resources.
