Calico Cloud Pro documentation

Give role-based access to an Entra ID group

If you have Microsoft Entra ID configured as your identity provider, you can define role-based access in Calico Cloud and assign roles to an Entra ID (formerly Azure AD) security group. By managing membership in that security group, you can manage role-based access to Calico Cloud directly from your identity provider portal.

Prerequisites

  • You are signed in to the web console with owner or administrator permissions.
  • Entra ID is set up as an identity provider for Calico Cloud. To set up an identity provider for Calico Cloud, open a support ticket.
  • You have administrator permissions for your organization in the Azure Portal.
  • You have the Object ID for an Entra ID security group. This is the GUID shown on the group's Overview page in the Azure Portal; use the Object ID, not the group's display name.
  • Every user in the security group has a valid email address in the Email (mail) property.
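The two group-related prerequisites above are easy to get wrong (a display name pasted where the Object ID belongs, or a member with no mail attribute) and the web console cannot tell you which member is the problem. The following script is an added example, not part of the Calico Cloud documentation or product; it validates that an identifier has the GUID form of an Entra ID Object ID and reports which group members lack a valid email. It is written to consume the JSON that the Azure CLI prints for `az ad group member list --group <object-id> -o json` (assumed installed and signed in); the member list embedded below is constructed to mimic that shape and contains no real accounts.

```python
"""Pre-flight checks before adding an Entra ID group as a Calico Cloud IdP group.

Added example (not Calico Cloud's own code). Assumptions: the group Object ID is
obtained with `az ad group show --group "<name>" --query id -o tsv`, and the
member list with `az ad group member list --group "<object id>" -o json`.
"""
import json
import re
import uuid

# Constructed sample in the shape of `az ad group member list ... -o json`.
# The Object IDs and people are made up for this example.
SAMPLE_MEMBERS_JSON = """
[
  {"@odata.type": "#microsoft.graph.user",
   "id": "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d", "displayName": "Alice Example",
   "userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
  {"@odata.type": "#microsoft.graph.user",
   "id": "2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6e", "displayName": "Bob Guest",
   "userPrincipalName": "bob_contoso.com#EXT#@example.onmicrosoft.com", "mail": null},
  {"@odata.type": "#microsoft.graph.user",
   "id": "3c4d5e6f-7a8b-4c9d-8e1f-2a3b4c5d6e7f", "displayName": "Scanner Service",
   "userPrincipalName": "svc-scanner@example.com", "mail": "not-an-address"},
  {"@odata.type": "#microsoft.graph.group",
   "id": "4d5e6f7a-8b9c-4d0e-9f2a-3b4c5d6e7f8a", "displayName": "Nested Group", "mail": null}
]
"""

# Deliberately simple: one local part, one '@', a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_object_id(value: str) -> bool:
    """True if value is a canonical hyphenated GUID, the form Entra ID uses for
    Object IDs. Rejects display names and email-style group aliases."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_members(members_json: str) -> dict:
    """Sort direct group members by whether their Email property is usable.

    Returns lists keyed by ok / missing_mail / invalid_mail / nested_groups.
    `az ad group member list` returns direct members only, so nested groups
    are reported separately; check each nested group on its own.
    """
    result = {"ok": [], "missing_mail": [], "invalid_mail": [], "nested_groups": []}
    for member in json.loads(members_json):
        if member.get("@odata.type") == "#microsoft.graph.group":
            result["nested_groups"].append(member.get("displayName") or member.get("id"))
            continue
        label = member.get("userPrincipalName") or member.get("id")
        mail = member.get("mail")
        if not mail:
            result["missing_mail"].append(label)
        elif not EMAIL_RE.match(mail):
            result["invalid_mail"].append(label)
        else:
            result["ok"].append(label)
    return result


def ready_to_add(group_object_id: str, members_json: str) -> bool:
    """True only if the identifier is a GUID and every direct user member has a valid email."""
    report = check_members(members_json)
    return (is_object_id(group_object_id)
            and not report["missing_mail"]
            and not report["invalid_mail"])


if __name__ == "__main__":
    group_id = "8c1e5d2f-3a4b-4c6d-9e7f-0123456789ab"  # constructed, not a real group
    print("Object ID format ok:", is_object_id(group_id))
    for key, names in check_members(SAMPLE_MEMBERS_JSON).items():
        print(f"{key}: {names}")
    print("ready to add:", ready_to_add(group_id, SAMPLE_MEMBERS_JSON))
```

Run it against real output by replacing `SAMPLE_MEMBERS_JSON` with the CLI's JSON (for example via `json.loads(open("members.json").read())`); fix any member listed under `missing_mail` or `invalid_mail` in Entra ID before adding the group in the web console.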

Add an Entra ID security group and assign role-based permissions for Calico Cloud

  1. In the web console, click the user icon > Manage Team.
  2. Select the Roles tab, click the Add IdP Group button, and then enter the following information:
    • IdP Group Name: Enter a name for the group that will be displayed in the web console.
    • IdP Group Identifier: Enter the Object ID for the Entra ID security group.
    • (Optional) Description: Enter a description for the group.
    note

    If you don't see an Add IdP Group button, your organization does not have an identity provider configured. To set up an identity provider for Calico Cloud, open a support ticket.

  3. Select one or more predefined user roles from the Predefined Roles list to assign to this group.
  4. Click Save.

Add custom permissions to an IdP group

  1. In the web console, click the user icon > Manage Team.
  2. Select the Roles tab, and then locate the role that was created for the Entra ID group.
  3. Click Actions > Manage permissions > Edit, and then click Add Permission.
  4. Under Permission, choose a permission type from the list. Depending on the permission, you may also need to choose a namespace or policy tier.
  5. Optional: To add more permissions to the role, click Add Permission again and repeat the previous step.
  6. Click Save to save these permissions to the role for this cluster.