admin, write, read, metrics, billing_viewer) are CoreWeave’s older group-based permission model. Group membership grants an organization-wide bundle of capabilities. IAM access policies are the newer, role-based model: each policy contains rules that assign specific roles (such as CKS Admin, Billing Viewer, or Observability Viewer) to specific principals (a user or a group), so administrators can compose least-privilege permissions that legacy groups cannot. Legacy groups are still supported, but new permission work should use IAM access policies.
For full details, see Legacy permissions and Access policies.
Administrator Authentication & Access