Creating and assigning custom roles
As an administrator, you can create custom, cluster-specific roles that restrict users to particular functions on a cluster.
Calico Cloud comes with a set of predefined global roles that let you give permissions to users based on what they need to do. For example, a user with the Security global role has a broader set of permissions than a user with the Viewer global role. These permissions apply to all clusters.
But in some cases these global roles can be too broad.
By creating and assigning custom roles, you can be much more discriminating about what permissions you give users. For example, you could create a role that allows the user to modify network policy for a particular tier and namespace and gives view access to all other network policies. Permissions are assigned on a cluster-by-cluster basis.
Required permissions for common Calico Cloud features
Certain permissions are required for a user to access common Calico Cloud features.
| Feature area | Required permissions | Notes |
|---|---|---|
| Alerts | • View or Modify Alerts<br>• View Event Logs or View All Logs | |
| Anomaly detection | • View or Modify Alerts<br>• View Event Logs or View All Logs | |
| Compliance reports | • View Compliance Reports | |
| Dashboard | • View All Logs<br>• View Global Network Sets or View Network Sets<br>• View Compliance Reports | These permissions are required for the dashboard to fully populate. All users are granted limited dashboard metrics by having access to a cluster. |
| Network policies | • View or Modify Policies<br>• View or Modify Global Policies<br>• View Audit Logs or View All Logs | The Policies permissions apply to one or more namespaces. The Global Policies permissions apply to the whole cluster. These permissions are also scoped by policy tier. The optional View Audit Logs or View All Logs permission lets users view the change history on the policies. |
| Service graph | • View All Logs<br>• View or Modify Network Sets<br>• View or Modify Packet Captures | Network sets can be restricted to a namespace or set to all namespaces to see all flows. |
| Threat feeds | • View or Modify Threat Feeds | |
| Timeline | • View Event Logs or View All Logs | |
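To make the scoping rules above concrete, the following is an added example (not Calico Cloud code and not its authorization implementation) that models how a custom role's network-policy permissions are evaluated: Policies permissions are limited to the namespaces they name, Global Policies permissions cover the whole cluster, both are bound to a policy tier, and every permission belongs to exactly one cluster. The role it builds is the one described at the top of the page (modify policies in one tier and namespace, view everything else). The assumption that Modify implies View, and the cluster, tier and namespace names, are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Assumption for this model: Modify is a superset of View.
LEVELS = {"View": 1, "Modify": 2}


@dataclass(frozen=True)
class Permission:
    cluster: str                 # permissions are granted per cluster
    kind: str                    # "Policies" (namespaced) or "Global Policies" (cluster-wide)
    level: str                   # "View" or "Modify"
    tier: str                    # policy tier the permission is scoped to
    namespaces: FrozenSet[str] = frozenset()  # only meaningful for kind == "Policies"


@dataclass
class Role:
    name: str
    permissions: List[Permission] = field(default_factory=list)


def is_allowed(role: Role, cluster: str, action: str, tier: str,
               namespace: Optional[str] = None) -> bool:
    """Return True if `role` may perform `action` (View/Modify) on a policy.

    A namespaced policy (namespace given) needs a matching "Policies" grant;
    a global policy (namespace None) needs a matching "Global Policies" grant.
    Cluster and tier must match exactly; nothing is inherited across clusters.
    """
    wanted = LEVELS[action]
    kind = "Policies" if namespace is not None else "Global Policies"
    for p in role.permissions:
        if p.cluster != cluster or p.kind != kind or p.tier != tier:
            continue
        if LEVELS[p.level] < wanted:
            continue  # a View grant never satisfies a Modify request
        if kind == "Policies" and namespace not in p.namespaces:
            continue  # namespaced grant does not cover this namespace
        return True
    return False


def example_role() -> Role:
    """Constructed role: modify the 'security' tier in 'payments' on cluster
    'prod', and view all other policies in the two tiers that exist there."""
    return Role("payments-policy-editor", [
        Permission("prod", "Policies", "Modify", "security", frozenset({"payments"})),
        Permission("prod", "Policies", "View", "security", frozenset({"payments", "web"})),
        Permission("prod", "Policies", "View", "default", frozenset({"payments", "web"})),
        Permission("prod", "Global Policies", "View", "security"),
        Permission("prod", "Global Policies", "View", "default"),
    ])


if __name__ == "__main__":
    role = example_role()
    print(is_allowed(role, "prod", "Modify", "security", "payments"))  # True
    print(is_allowed(role, "prod", "Modify", "security", "web"))       # False
    print(is_allowed(role, "prod", "Modify", "security"))              # False (global)
    print(is_allowed(role, "staging", "View", "security", "payments")) # False (other cluster)
```

The useful property to check when reviewing a custom role is the negative cases: a Modify grant in one namespace must not leak into a sibling namespace, into the cluster-wide global policies, or into another cluster, which is exactly what the last three calls above verify.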
Before you begin
- You must be signed in to Calico Cloud UI as an administrator.
Create a custom role and add permissions
- Click the user icon > Manage Team.
- Under the Roles tab, click Add Role, enter a name and description for the custom role, and then click Save.
- Select the cluster you want the role to apply to by clicking Cluster: and choosing the cluster.
- Locate your new role in the list, select Action > Manage permissions > Edit, and then click Add Permission.
- Under Permission, choose a permission type from the list. Depending on the permission, you may also need to choose a namespace or policy tier.
- (optional) Click Add Permission to add more permissions to your role for this cluster.
- Click Save to save these permissions to the role for this cluster.
- (optional) If you want to add the permissions for another cluster, repeat steps 3 to 7 for the cluster.
Assign custom roles to a user
- Select the user icon > Manage Team.
- Under the Users tab, locate the user in the list and select Action > Edit.
- Select the checkboxes for each custom role you want to assign to this user and then click Save.