Roles and permissions
To give users access to projects and services in your organizations, you grant them permissions and roles:
- Permissions: Actions that a principal can perform on a resource or group of resources.
- Roles: Sets of permissions that you can assign to a principal.
Principals are organization users, application users, and groups. You can grant access to principals at the project level. You can add users to services.
To grant access to resources at the organization level, you can make organization users super admin. Limit the number of users with this role as it gives unrestricted access to all organization resources including billing, admin, and all projects and services.
Project roles
You can grant the following roles for projects to principals.
Console name | API name | Permissions |
---|---|---|
Admin | admin |
|
Developer | developer |
|
Operator | operator |
|
Read only | read_only |
|
Maintain services | role:services:maintenance |
|
Recover services | role:services:recover |
|
Project admin do not have access to organization settings such as billing unless they are also a super admin.
Project and service permissions
Permissions are not yet fully supported in the Aiven Console. They are intended for use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes®.
You can grant the following permissions to principals. The actions listed for each permission apply to the project and all services within it.
Console name | API name | Allowed actions |
---|---|---|
View project audit log | project:audit_logs:read |
|
View project integrations | project:integrations:read |
|
Manage project integrations | project:integrations:write |
|
View project networking | project:networking:read |
|
Manage project networking | project:networking:write |
|
View project permissions | project:permissions:read |
|
View services | project:services:read |
|
Manage services | project:services:write |
|
Manage service configuration | service:configuration:write |
|
Access data | service:data:write |
|
View service logs | service:logs:read |
|
View configuration secrets | service:secrets:read |
|
Manage service users | service:users:write |
|