Set up users

Authentication

Calico Cloud supports Google Social login and username / password for user authentication.

Roles and authorization

Users can have one of the following predefined user roles to access features in Manager UI. The default permissions align with typical needs for each role.

This table describes what level of access each predefined role has for features in Manager UI:

	Owner	Admin	Viewer	DevOps	Security	Compliance
Service Graph and Flow Visualizer	view	view	view	view	view	-
Policies	view, edit	view, edit	view	view, edit	view, edit	view
Nodes and Endpoints	view	view	view	view	view	view
Network Sets	view, edit	view, edit	view	view, edit	view, edit	-
Managed Clusters	view, edit	view, edit	view	view, edit	view	-
Compliance Reports	view	view	view	-	view	view
Timeline	view	view	view	view	view	-
Alerts	view, edit	view, edit	view	view, edit	view, edit	-
Kibana	view, edit	view, edit	view	view, edit	view, edit	-
Image Assurance	view, edit	view, edit	-	view, edit	view, edit	-
Manage Team	view, edit	view, edit	view	view	view	-
Usage Metrics	view	-	-	-	-	-

note

The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.

Add your own identity provider

Calico Cloud works with any identity provider that supports OpenID Connect. For example, OKTA, Google, and Azure AD.

To add an identity provider, open a Support ticket.

Azure AD requirements

To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to https://auth.calicocloud.io/login/callback.

Enable "ID Token" for implicit flows.

Add the following Microsoft Graph API delegated permissions:

• Directory.Read.All
• User.Read
• OpenId permissions:
  • email
  • openid
  • profile