User Permissions

Learn about user permission management using CKS Managed Auth

Default user groups and permissions

Managed Auth in CKS provides three default user groups for organization users:

  • read,
  • metrics,
  • write,
  • and admin.

Each of these groups provides a different level of privilege within its CKS organization.

Important

All non-administrator users (those not within the admin group) must be added to a group by an administrator in order to interact with organization resources. Users that are not assigned to any groups can still access the UI, but do not have any resource permissions.

Group permissions in detail

Under the hood, Managed Auth uses Kubernetes RoleBindings and ClusterRoleBindings to define user permissions within CKS organizations. Each organization is allocated a single namespace in which its members can create Clusters. Users may then be granted specific permissions to perform actions within a given cluster. The CKS default permission groups map directly to standard Kubernetes user-facing groups as follows:

  • admin maps to cluster-admin,
  • write maps to edit, and
  • read maps to view.
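The mapping above gives a direct way to audit who holds which level from the bindings themselves. The following is an added example, not CoreWeave's code: it assumes bindings reference the ClusterRoles by the names listed above, and every binding, subject and namespace name in the sample is constructed. The metrics group is not covered because the page gives no Kubernetes mapping for it.

```python
import json

# Mapping stated on the page: CKS group -> Kubernetes role name.
CKS_TO_K8S = {"admin": "cluster-admin", "write": "edit", "read": "view"}
K8S_TO_CKS = {role: group for group, role in CKS_TO_K8S.items()}
RANK = {"read": 0, "write": 1, "admin": 2}  # ascending privilege

# Constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
# Every binding, subject and namespace name here is made up for illustration.
SAMPLE = json.loads("""{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice@example.com"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-writers"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "Group", "name": "example-write"},
               {"kind": "User", "name": "alice@example.com"}]},
 {"kind": "RoleBinding", "metadata": {"name": "example-readers", "namespace": "example-org"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "bob@example.com"}]},
 {"kind": "RoleBinding", "metadata": {"name": "example-ns-admin", "namespace": "example-org"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "bob@example.com"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-empty"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}""")

def grants(bindings):
    """Yield (subject, cks_level, scope) for each binding to a mapped ClusterRole."""
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in K8S_TO_CKS:
            continue  # custom or namespaced Roles are outside the page's mapping
        # A RoleBinding grants the ClusterRole's rules only inside its own namespace.
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else "ns/" + b["metadata"]["namespace"]
        for s in b.get("subjects") or []:  # a binding may have no subjects
            yield f'{s["kind"]}:{s["name"]}', K8S_TO_CKS[ref["name"]], scope

def highest_level(bindings):
    """Map each subject to the most privileged CKS level any binding gives it."""
    best = {}
    for subject, level, _ in grants(bindings):
        if RANK[level] > RANK.get(best.get(subject), -1):
            best[subject] = level
    return best

def cluster_wide_admins(bindings):
    """Subjects bound to cluster-admin by a ClusterRoleBinding: review these first."""
    return sorted({s for s, lvl, scope in grants(bindings) if lvl == "admin" and scope == "cluster"})
```

In the sample, the second user reaches the admin level only through a RoleBinding, so the grant is confined to one namespace and the user is not reported as a cluster-wide admin.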

admin group permissions

A user with administrator privileges in CKS can control the access of other users within the organization at both the individual and the group level. Administrators can also adjust their own permissions to gain access to specific cluster resources.

By default, the user who creates a new organization within CoreWeave is an organization administrator and is assigned to the admin group. There must always be at least one admin member in any organization. Admins can choose which groups the users they add will belong to via the command write_groups_user_assignments, and can edit a user's initial access permissions until the user accepts the invitation.

Warning

Admins hold the highest level of privilege within an organization. Users with this role can make significant changes to the environment and view potentially sensitive information about the organization, cluster configuration, and other users. Use caution when assigning this role.

As the group with the highest level of privileges within an organization, members in the admin group may...

Manage Clusters

Manage users

  • Invite new users to the organization
  • Assign users to specific groups, including the admin group, both before and after sending an invitation
  • Deactivate other user accounts, including admin user accounts
  • Remove users from groups
  • View user groups and their members

Learn more

Admin users may add and remove others from clusters at any time. They may also assign admin privileges to other users. Admins can also deactivate or reactivate any user in their organization via the write_org_users cluster action.

write group permissions

Users in the write group may perform the following actions:

Cluster management

User management

  • View user groups and their members

metrics group permissions

Users in the metrics group may perform the following actions:

  • View metrics and logs for all clusters

read group permissions

Users in the read group may perform the following actions:

  • View existing cluster configurations
  • Open support tickets through Freshdesk

Note

Users in the read group cannot view metrics and logs for all clusters.