Skip to main content

Creating and assigning custom roles

As an administrator, you can create custom, cluster-specific roles that restrict users to particular functions on a cluster.


Calico Cloud comes with a set of predefinied global roles that let you give permissions to users based on what they need to do. For example, a user with the Security global role has a broader set of permissions than a user with the Viewer global role. These permissions apply to all clusters.

But in some cases these global roles can be too broad.

By creating and assigning custom roles, you can be much more discriminating about what permissions you give users. For example, you could create a role that allows the user to modify network policy for a particular tier and namespace and gives view access to all other network policies. Permissions are assigned on a cluster-by-cluster basis.

Required permissions for common Calico Cloud features

Certain permissions are required for a user to access common Calico Cloud features.

Feature areaRequired permissionsNotes
Alerts View or Modify Alerts
View Event Logs or View All Logs
Anomaly detection View or Modify Alerts
View Event Logs or View All Logs
Compliance reports View Compliance Reports
Dashboard View All Logs
View Global Network Sets or View Network Sets
and (optional)
View Compliance Reports
These permissions are required for the dashboard to fully populate. All users are granted limited dashboard metrics by having access to a cluster.
Network policies View or Modify Policies
View or Modify Global Policies
and (optional)
View Audit Logs or View All Logs
The Policies permissions apply to one or more namespaces. The Global Policies permissions apply to the whole cluster. These permissions are also scoped by policy tier.

The optional View Audit Logs or View All Logs let users view the change history on the policies.
Service graph View All Logs
View or Modify Network Sets
and (optional)
View or Modify Packet Captures
Network sets can be restricted to a namespace or set to all namespaces to see all flows.
Threat feeds View or Modify Threat Feeds
Timeline View Event Logs or View All Logs

Before you begin

  • You must be signed in to Calico Cloud UI as an administrator.

Create a custom role and add permissions

  1. Click the user icon > Manage Team.
  2. Under the Roles tab, click Add Role, enter a name and description for the custom role, and then click Save.
  3. Select the cluster you want to want the role to apply to by clicking Cluster: and choosing the cluster.
  4. Locate your new role in the list, select Action > Manage permissions > Edit, and the click Add Permission.
  5. Under Permission, choose a permission type from the list. Depending on the permission, you may also need to choose a namespace or policy tier.
  6. (optional) Click Add permission to add more permissions to your role for this cluster.
  7. Click Save to save these permissions to the role for this cluster.
  8. (optional) If you want to add the permissions for another cluster, repeat steps 3 to 7 for the cluster.

Assign custom roles to a user

  1. Select the user icon > Manage Team.
  2. Under the Users tab, locate the user in the list and select Action > Edit.
  3. Select the checkboxes for each custom role you want to assign to this user and then click Save.