Set up users

Authentication

Calico Cloud supports Google Social login and username / password for user authentication.

Roles and authorization

Users can have one of the following predefined user roles to access features in Manager UI. The default permissions align with typical needs for each role.

This table describes what level of access each predefined role has for features in Manager UI:

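| Feature | Owner | Admin | Viewer | DevOps | Security | Compliance |
|---|---|---|---|---|---|---|
| Service Graph and Flow Visualizer | view | view | view | view | view | - |
| Policies | view, edit | view, edit | view | view, edit | view, edit | view |
| Nodes and Endpoints | view | view | view | view | view | view |
| Network Sets | view, edit | view, edit | view | view, edit | view, edit | - |
| Managed Clusters | view, edit | view, edit | view | view, edit | view | - |
| Compliance Reports | view | view | view | - | view | view |
| Timeline | view | view | view | view | view | - |
| Alerts | view, edit | view, edit | view | view, edit | view, edit | - |
| Kibana | view, edit | view, edit | view | view, edit | view, edit | - |
| Image Assurance | view, edit | view, edit | - | view, edit | view, edit | - |
| Manage Team | view, edit | view, edit | view | view | view | - |
| Usage Metrics | view | - | - | - | - | - |
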
Note: The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.

Add your own identity provider

Calico Cloud works with any identity provider that supports OpenID Connect, for example Okta, Google, and Azure AD.

To add an identity provider, open a Support ticket.

Azure AD requirements

To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to https://auth.calicocloud.io/login/callback.

Enable "ID Token" for implicit flows.

Add the following Microsoft Graph API delegated permissions:

  • Directory.Read.All
  • User.Read
  • OpenId permissions:
    • email
    • openid
    • profile
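
The requirements above can be checked against an existing App Registration before you open the Support ticket. The following is an added example, not code from Calico Cloud: it audits an application object as returned by Microsoft Graph. The field names (`web.redirectUris`, `web.implicitGrantSettings.enableIdTokenIssuance`, `requiredResourceAccess`) and the permission IDs are Microsoft Graph's, not values from this page, and the sample registration is constructed.

```python
REDIRECT_URI = "https://auth.calicocloud.io/login/callback"  # from this page
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource
# Delegated (type "Scope") permission IDs on Microsoft Graph (not from this page).
REQUIRED_SCOPES = {
    "Directory.Read.All": "06da0dbc-49e2-44d2-8312-53f166ab848a",
    "User.Read": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
    "email": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
    "openid": "37f7f235-527c-4136-accd-4a02d197296e",
    "profile": "14dad69e-099b-42c9-810b-d002981feec1",
}

def audit_app_registration(app):
    """Return a list of findings; an empty list means every requirement is met."""
    findings = []
    web = app.get("web") or {}
    if REDIRECT_URI not in (web.get("redirectUris") or []):
        findings.append("missing Web redirect URI " + REDIRECT_URI)
    implicit = web.get("implicitGrantSettings") or {}
    if implicit.get("enableIdTokenIssuance") is not True:
        findings.append("ID token issuance for implicit flows is not enabled")
    # Only delegated grants count; the same ID with type "Role" would not match.
    granted = {
        (perm.get("id"), perm.get("type"))
        for res in app.get("requiredResourceAccess") or []
        if res.get("resourceAppId") == GRAPH_APP_ID
        for perm in res.get("resourceAccess") or []
    }
    for name, scope_id in REQUIRED_SCOPES.items():
        if (scope_id, "Scope") not in granted:
            findings.append("missing delegated permission " + name)
    return findings

# Constructed sample: the redirect URI was registered as type "SPA" instead of
# "Web", and Directory.Read.All was never requested.
SAMPLE = {
    "displayName": "calico-cloud-sso (constructed)",
    "spa": {"redirectUris": [REDIRECT_URI]},
    "web": {"redirectUris": [], "implicitGrantSettings": {"enableIdTokenIssuance": True}},
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": sid, "type": "Scope"}
                           for name, sid in REQUIRED_SCOPES.items()
                           if name != "Directory.Read.All"],
    }],
}

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE):
        print("FAIL:", finding)
```

To audit a real registration, load the JSON printed by `az ad app show --id <app-id>` with `json.load` and pass the resulting dict to `audit_app_registration`.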