Set up users
Authentication
Calico Cloud supports Google Social login and username / password for user authentication.
Roles and authorization
Users can have one or more of the following predefined user roles to access features in the web console. The default permissions align with typical needs for each role.
Owner
The Owner role has the highest level of access and typically corresponds to the account creator.
The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view, edit, delete |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
| Kibana | view, edit |
| Image Assurance | view, edit |
| Manage Team | view, edit |
| Usage Metrics | view |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
| Container Threat Detection | view, edit |
| Dashboards | view, edit |
Admin
The Admin role provides broad administrative access for day-to-day configuration and management of Calico Cloud.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view, edit, delete |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
| Kibana | view, edit |
| Image Assurance | view, edit |
| Manage Team | view, edit |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
| Container Threat Detection | view, edit |
| Dashboards | view, edit |
User Admin
The User Admin role has the ability to manage team members and their assigned roles.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Kibana | - |
| Image Assurance | - |
| Manage Team | view, edit |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Container Threat Detection | - |
| Dashboards | - |
Cluster Connection Admin
The Cluster Connection Admin role has administrative capabilities of managed clusters.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | view, edit, delete |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Kibana | - |
| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Container Threat Detection | - |
| Dashboards | - |
Viewer
The Viewer role provides read-only access to most operational and configuration data within Calico Cloud. Ideal for users who need visibility without making changes.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view |
| Nodes and Endpoints | view |
| Network Sets | view |
| Managed Clusters | view |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view |
| Kibana | view |
| Image Assurance | - |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view |
| Web Application Firewall | view |
| Container Threat Detection | view |
| Dashboards | view |
DevOps
The DevOps role is designed for users responsible for application deployment, CI/CD integration, and managing network policies and configurations relevant to their applications.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view, edit |
| Compliance Reports | - |
| Timeline | view |
| Alerts | view, edit |
| Kibana | view, edit |
| Image Assurance | view, edit |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view |
| Container Threat Detection | view |
| Dashboards | view |
Security
The Security role focuses on security posture management, including policy definition, threat monitoring, vulnerability management (Image Assurance), and incident response.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
| Kibana | view, edit |
| Image Assurance | view, edit |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
| Container Threat Detection | view, edit |
| Dashboards | view |
Compliance
The Compliance role provides focused access to compliance reporting and related policy information, suitable for auditors or compliance officers.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | view |
| Nodes and Endpoints | view |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | view |
| Timeline | - |
| Alerts | - |
| Kibana | - |
| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Container Threat Detection | - |
| Dashboards | - |
Usage Metrics
This role grants specific access to view usage metrics for the Calico Cloud account.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Kibana | - |
| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | view |
| Threat Feeds | - |
| Web Application Firewall | - |
| Container Threat Detection | - |
| Dashboards | - |
Image Assurance Admin
This role provides administrative control specifically over the Image Assurance feature, including configuring registries, policies, and viewing scan results.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Kibana | - |
| Image Assurance | view, edit |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Container Threat Detection | - |
| Dashboards | - |
Dashboards Admin
This role grants administrative permissions specifically for creating, managing, and sharing custom dashboards within Calico Cloud.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Kibana | - |
| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Container Threat Detection | - |
| Dashboards | view, edit |
Add your own identity provider
Calico Cloud works with any identity provider that supports OpenID Connect. For example, OKTA, Google, and Azure AD.
To add an identity provider, open a Support ticket.
Azure AD requirements
To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to https://auth.calicocloud.io/login/callback.
Enable "ID Token" for implicit flows.
Add the following Microsoft Graph API delegated permissions:
- User.Read
- OpenId permissions:
- openid
- profile