Roles are used to define the policies to be applied. A role has one or more policies.

project roles

Create role

When you create a role, you must define whether it is a role that will apply to a project resource (like "Environment", "Platform access", "Registry", etc) or to an environment resource (like "Services", "Instance Pools", etc).

To give access to a specific environment, for the user to see it, you need to add a role with the option "Project's role" with a rule that gives him access to this environment.

project role

When you select "Environment's role", you must select the environment to which the role will apply.

create role

Once you have chosen the type of role, you can add policies on the resources.
You can specify policy on specific resources such as "the right to read the service Wordpress".
Here are the different actions on which you can add rules:

  • Read: User can read all resources of this type (or a specific resource if specified).
  • Create/update: User can create, but can only edit resources created by himself. Users can also only view their own resources. (Can be combined with another policy with the "Read" action to allow the user to see everything, but only to create and edit his own resources.).
  • Read/Write: User can read and update all resources and create new resources (or a specific resource if specified).
  • Admin: Only available for resource environment. Allows a user to become an administrator of the environment: the user can do anything with resources in this environment (create services, instance pools, etc.). Useful for not having to create policies for all the resources in an environment for non-production environments.

add role policy

It's up to you to decide how to divide up the roles and groups. You can have few roles with many rules, or very specific roles with few rules.