Set up users
Authentication
Calico Cloud supports Google Social login and username / password for user authentication.
Roles and authorization
Users can have one or more of the following predefined user roles to access features in Manager UI. The default permissions align with typical needs for each role.
This table describes what level of access each predefined role has for features in Manager UI:
Owner | Admin | Viewer | DevOps | Security | Compliance | Usage Metrics | Image Assurance Admin | Dashboards Admin | |
---|---|---|---|---|---|---|---|---|---|
Service Graph and Flow Visualizer | view | view | view | view | view | - | - | - | - |
Policies | view, edit | view, edit | view | view, edit | view, edit | view | - | - | - |
Nodes and Endpoints | view | view | view | view | view | view | - | - | - |
Network Sets | view, edit | view, edit | view | view, edit | view, edit | - | - | - | - |
Managed Clusters | view, edit, delete | view, edit, delete | view | view, edit | view | - | - | - | - |
Compliance Reports | view | view | view | - | view | view | - | - | - |
Timeline | view | view | view | view | view | - | - | - | - |
Alerts | view, edit | view, edit | view | view, edit | view, edit | - | - | - | - |
Kibana | view, edit | view, edit | view | view, edit | view, edit | - | - | - | - |
Image Assurance | view, edit | view, edit | - | view, edit | view, edit | - | - | view, edit | - |
Manage Team | view, edit | view, edit | view | view | view | - | - | - | - |
Usage Metrics | view | - | - | - | - | - | view | - | - |
Threat Feeds | view, edit | view, edit | view | view, edit | view, edit | - | - | - | - |
Web Application Firewall | view, edit | view, edit | view | view | view, edit | - | - | - | - |
Container Threat Detection | view, edit | view, edit | view | view | view, edit | - | - | - | - |
_Dashboards | view, edit | view, edit | view | view | view | - | - | - | view, edit |
The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.
Add your own identity provider
Calico Cloud works with any identity provider that supports OpenID Connect. For example, OKTA, Google, and Azure AD.
To add an identity provider, open a Support ticket.
Azure AD requirements
To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to https://auth.calicocloud.io/login/callback.
Enable "ID Token" for implicit flows.
Add the following Microsoft Graph API delegated permissions:
- User.Read
- OpenId permissions:
- openid
- profile