> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How do I scope users to specific clusters?

With CoreWeave's default [Managed Authentication](/products/cks/auth-access/managed-auth/kubeconfig) all users in an org can authenticate against any cluster in that org. What they can do is scoped by the IAM roles (`CKS Viewer`, `CKS Admin`, and others) attached to their access policies. There is no per-cluster scoping in this model.

For per-cluster scoping, configure a cluster to use [Unmanaged Authentication](/products/cks/auth-access/unmanaged-auth/introduction). Each cluster has its own auth endpoint that you connect to your own identity provider through OIDC, Kubernetes Service Account tokens, or a webhook, giving you control over which identities can authenticate to that specific cluster. Unmanaged auth can be enabled on existing clusters without recreating them. For setup, see [Implement Unmanaged Authentication](/products/cks/auth-access/unmanaged-auth/implement-unmanaged-auth).

For stronger separation between groups of clusters, [contact support](/support/contact) about using multiple organizations.

***

<Badge stroke shape="pill" color="blue" size="md">[Administrator](/support/platform/tags/administrator)</Badge><Badge stroke shape="pill" color="blue" size="md">[Authentication & Access](/support/platform/tags/authentication-access)</Badge>
