Edge Orchestrator Groups and Roles#
This document lists all the groups and roles available in Edge Orchestrator.
Instructions for creating users and assigning them to groups can be found in Configure Identity and Access Management and Configure an External IAM with Keycloak* Solution (Optional).
In this document, the following syntax is used:
<org-id>
is replaced with an organization identifier. This is the UUID of the organization, and it is created when the organization is created.
<project-id>
is replaced with a project identifier. This is the UUID of the project, and it is created when the project is created.
Note
There are also groups and roles with M2M or service-account in their names. These groups are used internally between services, and must not have users added to them.
Groups#
Edge Orchestrator creates the following user groups by default. Some groups are automatically created for every organization and project. With one organization and one project created, there will be 13 groups.
You can place users in multiple groups; the users will be granted the union of all permissions. Within a single organization, you can place a user in multiple project groups.
Warning
Intel recommends placing users only in groups instead of granting them individual roles, which may change between software releases.
org-admin-group#
Can create, update, and delete organizations.
Contains 4 Roles:
sre-admin-group#
Typically used by a Site Reliability Engineer, has read access to Edge Orchestrator components and telemetry for troubleshooting, but cannot make changes.
Contains 1 Role:
iam-admin-group#
Can manage the Identity and Access Management (IAM) components, including SSO/Federation.
Contains 2 Roles:
service-admin-group#
Maintains the Edge Orchestration software including the IAM, and third-party components of Edge Orchestrator (Rancher* platform, and so on).
Contains 5 Roles:
edge-manager-group#
Contains 21 Roles:
edge-operator-group#
Contains 16 Roles:
host-manager-group#
Contains 2 Roles:
sre-group#
Contains 5 Roles:
<org-id>_Project-Manager-Group#
Can create, update, and delete projects. This group is specific to one organization.
Contains 4 Roles:
<project-id>_Edge-Manager-Group#
Can read or write cluster templates; import registry artifact; create, update, delete, or debug edge clusters; create, delete, and update deployments; create applications, profiles, and deployment packages; and upload Helm* charts and container images.
Contains 12 Roles:
<project-id>_Edge-Onboarding-Group#
Place users in this group who will onboard edge nodes through the password-based method, without pre-registration. You must place a user in only one edge onboarding group, because the onboarded edge node is added to that user's project.
Contains 2 Roles:
<project-id>_Edge-Operator-Group#
Can list, create, update, or delete existing deployments and list or debug edge clusters, but not define applications, profiles, cluster templates, and so on.
Contains 11 Roles:
<project-id>_Host-Manager-Group#
Provides read and write access to Infrastructure Manager components including managing regions, sites, hosts, scheduling, and so on.
Contains 6 Roles:
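As an added example (not part of the Edge Orchestrator documentation or product), a small Python audit that applies the rules stated in this section to a user-to-group assignment: a user holds the union of the roles of all their groups, groups with M2M or service-account in the name must hold no users, and a user may be placed in only one <project-id>_Edge-Onboarding-Group. The group-to-role mapping, UUIDs and user names are constructed placeholders, since the page gives each group's role count but not its role list.

```python
import re

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ONBOARDING_GROUP = re.compile(rf"^{UUID}_Edge-Onboarding-Group$")
INTERNAL_MARKERS = ("M2M", "service-account")  # service-only groups, per the note above

# Constructed placeholder identifiers; not real organization or project UUIDs.
ORG = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
PROJ_A = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
PROJ_B = "cccccccc-cccc-4ccc-8ccc-cccccccccccc"

# Constructed group -> roles mapping. The page does not list each group's roles,
# so these memberships are hypothetical illustrations, not the product's own.
GROUP_ROLES = {
    "org-admin-group": {"org-read-role", "org-write-role",
                        "org-update-role", "org-delete-role"},
    f"{ORG}_Project-Manager-Group": {f"{ORG}_project-read-role",
                                     f"{ORG}_project-write-role"},
    f"{PROJ_A}_Edge-Onboarding-Group": {f"{PROJ_A}_en-ob"},
    f"{PROJ_B}_Edge-Onboarding-Group": {f"{PROJ_B}_en-ob"},
    "example-M2M-group": {"example-internal-role"},  # placeholder internal group
}

def is_internal_group(group):
    """Groups with M2M or service-account in the name must not contain users."""
    return any(marker in group for marker in INTERNAL_MARKERS)

def effective_roles(groups, group_roles=GROUP_ROLES):
    """A user holds the union of the roles of every group they belong to."""
    return set().union(*(group_roles.get(g, set()) for g in groups))

def audit(memberships):
    """Return one finding per rule violation in a user -> set-of-groups mapping."""
    findings = []
    for user, groups in memberships.items():
        for group in sorted(groups):
            if is_internal_group(group):
                findings.append(f"{user}: human user in internal group {group}")
        onboarding = [g for g in groups if ONBOARDING_GROUP.match(g)]
        if len(onboarding) > 1:
            findings.append(f"{user}: member of {len(onboarding)} edge onboarding groups")
    return findings

# Constructed sample memberships that exercise each rule.
SAMPLE = {
    "alice": {"org-admin-group", f"{ORG}_Project-Manager-Group"},
    "bob": {f"{PROJ_A}_Edge-Onboarding-Group", f"{PROJ_B}_Edge-Onboarding-Group"},
    "carol": {"example-M2M-group"},
}
```

Running audit(SAMPLE) reports bob (two onboarding groups) and carol (a user in an internal group), while effective_roles(SAMPLE["alice"]) returns the six roles from her two groups.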
Roles#
The following roles are created by default, or created for each organization and project. With one organization and one project created, there will be 53 roles.
admin#
Administrator for the IAM of the Edge Orchestrator installation.
Present in 1 Group:
alrt-r#
Grants read-only access to alerts and alert definitions.
Present in 3 Groups:
alrt-rw#
Grants read/write access to alerts and alert definitions.
Present in 2 Groups:
alrt-rx-rw#
Grants read/write access to alert receivers.
Present in 1 Group:
app-deployment-manager-read-role#
Present in 2 Groups:
app-deployment-manager-write-role#
Present in 2 Groups:
app-resource-manager-read-role#
Present in 2 Groups:
app-resource-manager-write-role#
Present in 2 Groups:
app-service-proxy-read-role#
Present in 2 Groups:
app-service-proxy-write-role#
Present in 2 Groups:
app-vm-console-write-role#
Present in 2 Groups:
catalog-other-read-role#
Present in 2 Groups:
catalog-other-write-role#
Present in 1 Group:
catalog-publisher-read-role#
Present in 2 Groups:
catalog-publisher-write-role#
Present in 1 Group:
catalog-restricted-read-role#
Present in 1 Group:
catalog-restricted-write-role#
Present in 1 Group:
cluster-artifacts-read-role#
Present in 2 Groups:
cluster-artifacts-write-role#
Present in 2 Groups:
cluster-templates-read-role#
Present in 3 Groups:
cluster-templates-write-role#
Present in 1 Group:
clusters-read-role#
Present in 3 Groups:
clusters-write-role#
Present in 3 Groups:
infra-manager-core-read-role#
Present in 5 Groups:
infra-manager-core-write-role#
Present in 2 Groups:
org-delete-role#
Grants delete on organizations.
Present in 1 Group:
org-read-role#
Grants read on organizations.
Present in 1 Group:
org-update-role#
Grants update on organizations.
Present in 1 Group:
org-write-role#
Grants write (create) on organizations.
Present in 1 Group:
rs-access-r#
Read access to the release service.
Present in 2 Groups:
secrets-root-role#
Access to IAM secrets.
Present in 1 Group:
account/manage-account#
Can manage their own account in the Keycloak* solution.
Present in 3 Groups:
account/view-profile#
Can view their own account profile in the Keycloak* solution.
Present in 3 Groups:
<org-id>_<project-id>_m#
Used internally to indicate membership in a specific organization and project.
Present in 3 Groups:
<org-id>_project-delete-role#
Grants delete on projects within an organization.
Present in 1 Group:
<org-id>_project-read-role#
Grants read on projects within an organization.
Present in 1 Group:
<org-id>_project-update-role#
Grants update on projects within an organization.
Present in 1 Group:
<org-id>_project-write-role#
Grants write (create) on projects within an organization.
Present in 1 Group:
<project-id>_alrt-r#
Grants read-only access to alerts and alert definitions for a specific project.
Present in 1 Group:
<project-id>_alrt-rw#
Grants read/write access to alerts and alert definitions for a specific project.
Present in 1 Group:
<project-id>_ao-rw#
Grants read/write access to Application Orchestration within a project.
Present in 2 Groups:
<project-id>_cat-r#
Grants read-only access to Application Catalog within a project.
Present in 1 Group:
<project-id>_cat-rw#
Grants read/write access to Application Catalog within a project.
Present in 1 Group:
<project-id>_cl-r#
Grants read-only access to Cluster Orchestration within a project.
Present in 1 Group:
<project-id>_cl-rw#
Grants read/write access to Cluster Orchestration within a project.
Present in 1 Group:
<project-id>_cl-tpl-r#
Grants read-only access to Cluster Orchestration templates within a project.
Present in 1 Group:
<project-id>_cl-tpl-rw#
Grants read/write access to Cluster Orchestration templates within a project.
Present in 1 Group:
<project-id>_en-ob#
Grants the ability to onboard edge nodes interactively using Edge Infrastructure Manager within a project.
Present in 2 Groups:
<project-id>_im-r#
Grants read-only access to Edge Infrastructure Manager within a project.
Present in 2 Groups:
<project-id>_im-rw#
Grants read/write access to Edge Infrastructure Manager within a project.
Present in 1 Group:
<project-id>_reg-a#
Grants admin/read/write access to Application Registry for a project.
Present in 1 Group:
<project-id>_reg-r#
Grants read-only access to Application Registry for a project.
Present in 2 Groups:
<project-id>_tc-r#
Grants view (read) access to telemetry for a project.
Present in 3 Groups:
X/Y Table of Groups and Roles#
Note
Groups are columns, roles are rows.
[Table: one column per group (iam-admin-group, edge-manager-group, edge-operator-group, service-admin-group, host-manager-group, <org-id>_Project-Manager-Group, <project-id>_Edge-Manager-Group, <project-id>_Edge-Onboarding-Group, <project-id>_Edge-Operator-Group, <project-id>_Host-Manager-Group, org-admin-group, sre-admin-group, sre-group) and one row per role listed above, with an X in each group that contains the role; the number of X marks in a role's row matches the "Present in N Groups" count given for that role.]