Add users and assign user roles for Tanzu Platform for Kubernetes

VMware Tanzu Platform for Kubernetes uses role-based access control (RBAC) so that users can see and manage the applications assigned to them. A project allows you to organize resources for specific users or user groups. A default project is available for you to use.

Add users and assign roles in a project

To add users and assign roles in a project for Tanzu Platform for Kubernetes:

  1. On the Tanzu Platform hub, scroll down to Administration.
  2. Click Projects > YOUR-PROJECT-NAME.

  3. On the project page, click Add Members.
  4. Enter email addresses for the users you want to add.
  5. For Services, select VMware Tanzu Application Platform.
  6. For Roles, select Tanzu Application Platform Admin.

    The role is assigned to all users you entered in the Select identities text box.

For information about how to add users to an organization, see Setting up users and projects for VMware Tanzu Platform hub.

Service role descriptions for a project

Service roles provide users with default permissions. The following table describes each TAP service role:

| Role | Description |
| --- | --- |
| TAP Admin | Can administer all TAP resources (cluster groups, clusters and Spaces) in the Project/Organization. This includes giving access to these resources to other members of the organization. This role maps closely to a Platform Engineer persona. |
| TAP Viewer | Can view all TAP resources (cluster groups, clusters and Spaces) in the Project/Organization. This can be considered the ‘view-only’ version of TAP Admin. This role maps closely to a Platform Engineer/Auditor/SecOps persona. |
| TAP Developer | Can view all Spaces in the Project and self-service Spaces in the Project. The role is designed to promote developer autonomy and collaboration. It maps closely to a Developer persona. |
| TAP Member | Cannot access any TAP resources in the Project. Intended to be used in conjunction with granular object-level rolebindings. For example, to make a user admin of a cluster group, give them TAP Member, then go to the Access Control page > Cluster Access and add a rolebinding on the specific cluster group. |

Add users and assign roles in an organization

To add users and assign roles at the organization level for Tanzu Platform for Kubernetes, you must have the Organization Owner role in Tanzu Platform hub.

  1. In the VMware Cloud Services console, select Identity and Access Management > Active Users.
  2. To add a user, click Add Users.

    Or, click Edit Roles for an existing user.

  3. For Assign Service Roles, click + Add A Service.
  4. From the drop-down menu, select VMware Tanzu Platform for Kubernetes.
  5. For roles, select the applicable roles from the drop-down menu.
  6. Click Add if you are adding a user.

    Or, click Save if you are editing the roles for an existing user.

For more information on how to add users and assign roles in Tanzu Platform, see also Add users and assign user roles.

Service role descriptions in an organization

Service roles provide users with default permissions. The following table describes each Tanzu Platform for Kubernetes service role:

| Role | Description |
| --- | --- |
| Tanzu Platform for Kubernetes Admin | Can administer all Tanzu Platform for Kubernetes resources, including cluster groups, clusters and Spaces, in all projects in the organization. This includes giving access to these resources to other members of the organization. This role maps closely to a Platform Engineer persona. |
| Tanzu Platform for Kubernetes Viewer | Can view all Tanzu Platform for Kubernetes resources, including cluster groups, clusters, and Spaces, in all projects in the organization. This can be considered the ‘view-only’ version of the Admin role. This role maps closely to a Platform Engineer/Auditor/SecOps persona. |
| Tanzu Platform for Kubernetes Developer | Can view all Spaces, including self-service Spaces, in the organization. The role is designed to promote developer autonomy and collaboration. It maps closely to a Developer persona. |
| Tanzu Platform for Kubernetes Member | Cannot access any Tanzu Platform for Kubernetes resources in the organization. The role is intended to be used in conjunction with granular object-level rolebindings. For example, to make a user admin of a cluster group, give them TAP Member, then go to the Access Control page > Cluster Access and add a rolebinding on the specific cluster group. |