Add users and assign user roles for Tanzu Platform for Kubernetes

Tanzu Platform for Kubernetes uses role-based access control (RBAC) so that users can see and manage only the applications assigned to them. A Project enables you to organize resources for specific users or user groups. A default Project is available for you to use.

Add users and assign roles in a project

To add users and assign roles in a project for Tanzu Platform for Kubernetes:

  1. In Tanzu Platform hub, scroll down to Administration.
  2. Click Projects > YOUR-PROJECT-NAME.

  3. On the project page, click Add Members.

  4. Enter email addresses for the users you want to add.
  5. For Services, select VMware Tanzu Application Platform.
  6. For Roles, select Tanzu Application Platform Admin.

    The role is assigned to all users you entered in the Select identities text box.

For information about how to add users to an organization, see Setting up users and projects for VMware Tanzu Platform hub.

Service role descriptions for a project

Service roles provide users with default permissions. The following table describes each Tanzu Platform for Kubernetes service role:

| Role | Description |
|------|-------------|
| Tanzu Platform for Kubernetes Admin | Can administer all Tanzu Platform for Kubernetes resources (cluster groups, clusters and Spaces) in the Project/Organization. This includes giving access to these resources to other members of the organization. This role maps closely to a Platform Engineer persona. |
| Tanzu Platform for Kubernetes Viewer | Can view all Tanzu Platform for Kubernetes resources (cluster groups, clusters and Spaces) in the Project/Organization. This can be considered the ‘view-only’ version of Tanzu Platform for Kubernetes Admin. This role maps closely to a Platform Engineer/Auditor/SecOps persona. |
| Tanzu Platform for Kubernetes Developer | Can view all Spaces in the Project and self-service Spaces in the Project. The role is designed to promote developer autonomy and collaboration. It maps closely to a Developer persona. |
| Tanzu Platform for Kubernetes Member | Cannot access any Tanzu Platform for Kubernetes resources in the Project. Intended to be used in conjunction with granular object-level rolebindings. For example, to make a user admin of a cluster group, give them Tanzu Platform for Kubernetes Member, then visit the Access Control page > Cluster Access and add a rolebinding on the specific cluster group. |

Add users and assign roles in an organization

To add users and assign roles at the organization level for Tanzu Platform for Kubernetes, you must have the Organization Owner role in Tanzu Platform hub.

  1. In the Tanzu Platform cloud services console, select Identity and Access Management > Active Users.
  2. To add a user, click Add Users. Or, click Edit Roles for an existing user.
  3. For Assign Service Roles, click + Add A Service.
  4. From the drop-down menu, select VMware Tanzu Platform for Kubernetes.
  5. For roles, select the applicable roles from the drop-down menu.
  6. Click Add if you are adding a user. Or, click Save if you are editing the roles for an existing user.

For more information about how to add users and assign roles in Tanzu Platform, see Add users and assign user roles.

Service role descriptions in an organization

Service roles provide users with default permissions. The following table describes each Tanzu Platform for Kubernetes service role:

| Role | Description |
|------|-------------|
| Tanzu Platform for Kubernetes Admin | Can administer all Tanzu Platform for Kubernetes resources, including cluster groups, clusters and Spaces, in all projects in the organization. This includes giving access to these resources to other members of the organization. This role maps closely to a Platform Engineer persona. |
| Tanzu Platform for Kubernetes Viewer | Can view all Tanzu Platform for Kubernetes resources, including cluster groups, clusters, and Spaces, in all projects in the organization. This can be considered the ‘view-only’ version of the Admin role. This role maps closely to a Platform Engineer/Auditor/SecOps persona. |
| Tanzu Platform for Kubernetes Developer | Can view all Spaces, including self-service Spaces, in the organization. The role is designed to promote developer autonomy and collaboration. It maps closely to a Developer persona. |
| Tanzu Platform for Kubernetes Member | Cannot access any Tanzu Platform for Kubernetes resources in the organization. The role is intended to be used in conjunction with granular object-level rolebindings. For example, to make a user admin of a cluster group, give them Tanzu Platform for Kubernetes Member, then visit the Access Control page > Cluster Access and add a rolebinding on the specific cluster group. |