Set up users


Calico Cloud supports Google Social login and username / password for user authentication.

Roles and authorization

Users can have one of the following predefined user roles to access features in Manager UI. The default permissions align with typical needs for each role.

This table describes what level of access each predefined role has for features in Manager UI:

Service Graph and Flow Visualizer | view | view | view | view | view | - | - | -
Policies | view, edit | view, edit | view | view, edit | view, edit | view | - | -
Nodes and Endpoints | view | view | view | view | view | view | - | -
Network Sets | view, edit | view, edit | view | view, edit | view, edit | - | - | -
Managed Clusters | view, edit, delete | view, edit, delete | view | view, edit | view | - | - | -
Compliance Reports | view | view | view | - | view | view | - | -
Alerts | view, edit | view, edit | view | view, edit | view, edit | - | - | -
Kibana | view, edit | view, edit | view | view, edit | view, edit | - | - | -
Image Assurance | view, edit | view, edit | - | view, edit | view, edit | - | - | view, edit
Manage Team | view, edit | view, edit | view | view | view | - | - | -
Usage Metrics | view | - | - | - | - | - | view | -
Threat Feeds | view, edit | view, edit | view | view, edit | view, edit | - | - | -
Web Application Firewall | view, edit | view, edit | view | view | view, edit | - | - | -
Container Threat Detection | view, edit | view, edit | view | view | view, edit | - | - | -

The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.

Add your own identity provider

Calico Cloud works with any identity provider that supports OpenID Connect, for example Okta, Google, and Azure AD.

To add an identity provider, open a Support ticket.

Azure AD requirements

To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to

Enable "ID Token" for implicit flows.

Add the following Microsoft Graph API delegated permissions:

  • Directory.Read.All
  • User.Read
  • OpenId permissions:
    • email
    • openid
    • profile
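
An added example, not from the Calico Cloud documentation: a check of an app registration exported as JSON (for instance with `az ad app show`) against the requirements above. The redirect URI is a labelled placeholder because the value is not given here, and the function, constant and sample names are hypothetical.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
PLACEHOLDER_REDIRECT_URI = "https://REDIRECT-URI-PLACEHOLDER.invalid/callback"
# Microsoft Graph delegated-permission IDs for the scopes listed above.
REQUIRED_SCOPES = {
    "Directory.Read.All": "06da0dbc-49e2-44d2-8312-53f166ab848a",
    "User.Read": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
    "email": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
    "openid": "37f7f235-527c-4136-accd-4a02d197296e",
    "profile": "14dad69e-099b-42c9-810b-d002981feec1",
}

def audit_app_registration(app, expected_redirect_uri):
    """Return a list of findings; an empty list means the registration matches."""
    findings = []
    web = app.get("web") or {}
    if expected_redirect_uri not in (web.get("redirectUris") or []):
        findings.append("redirect URI missing from the 'Web' platform")
    implicit = web.get("implicitGrantSettings") or {}
    if not implicit.get("enableIdTokenIssuance"):
        findings.append("ID token issuance for implicit flows is disabled")
    # Count only delegated grants on Microsoft Graph: type "Role" is an
    # application permission and does not satisfy a delegated requirement.
    granted = {
        access.get("id")
        for resource in app.get("requiredResourceAccess") or []
        if resource.get("resourceAppId") == GRAPH_APP_ID
        for access in resource.get("resourceAccess") or []
        if access.get("type") == "Scope"
    }
    for name, scope_id in REQUIRED_SCOPES.items():
        if scope_id not in granted:
            findings.append(f"delegated permission missing: {name}")
    return findings

# Constructed sample: ID tokens are off and Directory.Read.All is absent.
SAMPLE = json.loads("""
{"web": {"redirectUris": ["https://REDIRECT-URI-PLACEHOLDER.invalid/callback"],
         "implicitGrantSettings": {"enableIdTokenIssuance": false}},
 "requiredResourceAccess": [{
   "resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"},
     {"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "type": "Scope"},
     {"id": "37f7f235-527c-4136-accd-4a02d197296e", "type": "Scope"},
     {"id": "14dad69e-099b-42c9-810b-d002981feec1", "type": "Scope"}]}]}
""")
```

Calling `audit_app_registration(SAMPLE, PLACEHOLDER_REDIRECT_URI)` on the constructed sample returns two findings: the disabled ID token setting and the missing Directory.Read.All permission.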