Roles and permissions

To give users access to projects and services in your organizations, you grant them permissions and roles:

• Permissions: Actions that a principal can perform on a resource or group of resources.
• Roles: Sets of permissions that you can assign to a principal.

Principals are organization users, application users, and groups.

You can grant access to principals at the organization and project level.

To give users access to a specific service, create service users.

Organization roles and permissions

You can grant the following roles and permissions to principals at the organization level. Roles and permissions at this level apply to the organization and all units, projects, and services within it.

Organization roles

Console name	API name	Allowed actions
Organization member	None	This is the default role for all organization users. You cannot grant this role to users. All non-managed organization users can: Edit their profiles. Create organizations. Leave organizations. Add allowed authentication methods. Generate and revoke personal tokens, if allowed by the authentication policy. Enable and disable feature previews. Managed users have more restrictions.
Admin	role:organization:admin	Full access to the organization. View and change billing information. Change the authentication policy. Invite, deactivate, and remove organization users. Create, edit, and delete groups. Create and delete application users and their tokens. Add and remove domains. Add, enable, disable, and remove identity providers.

Organization permissions

Console name	API name	Allowed actions
Manage application users	organization:app_users:write	Create, edit, and delete application users. View all application users. Generate and revoke application tokens. List all application tokens.
View organization audit log	organization:audit_logs:read	View the audit log.
Manage domains	organization:domains:write	Add, edit, and remove domains. View all organization domains.
Manage groups	organization:groups:write	Create, edit, and delete groups. Add organization and application users to groups. Remove organization and application users from groups.
Manage IdPs	organization:idps:write	Add, edit, enable, disable, and remove identity providers. View all identity providers for the organization.
Manage organization users	organization:users:write	Invite new users to the organization. View all invited users. Remove user invites. Deactivate, edit and delete managed users. Remove non-managed users from the organization. Reset passwords for managed users. View all authentication methods for an organization user. Revoke tokens for managed users. View all tokens generated by managed users.

Project roles and permissions

You can grant the following roles and permissions to principals. Roles and permissions granted at this level apply to the project and all services within it.

Project roles

Console name	API name	Permissions
Admin	admin	Full access to the project and all of its services.
Developer	developer	View project event log. View project tags. View all services in the project. Create databases. View service connection information. View integration endpoints. Remove Aiven for OpenSearch® indexes. Create and change Aiven for Apache Kafka® topics. Create and change Aiven for PostgreSQL® connection pools. Create and change service database users.
Operator	operator	View project audit log. Add, edit, and delete project tags. View project tags. View project permissions. Create, edit, and delete services and their configuration. Perform service maintenance updates. Create, edit, and delete project VPCs and peering connections. View project event log. Created, edit, and delete integration endpoints. Enable and disable service integrations. View integration endpoints.
Read only	read_only	View project event log. View project tags. View all services and their configuration. View integration endpoints.
Maintain services	role:services:maintenance	Perform service maintenance updates. Change maintenance windows. Upgrade service versions.
Recover services	role:services:recover	Add and remove dynamic disk sizing and tiered storage. Change service plans. Fork services. Promote read replicas.

Project permissions

Console name	API name	Allowed actions
View project audit logs	project:audit_logs:read	View the logs for the project. View all services in the project.
View project integrations	project:integrations:read	View all integration endpoints for a project.
Manage project integrations	project:integrations:write	Add and remove integration endpoints. Read and write integration secrets.
View project networking	project:networking:read	View all project VPCs. List all peering connections.
Manage project networking	project:networking:write	Create, edit, and delete project VPCs and peering connections. View all project VPCs and peering connections.
View project permissions	project:permissions:read	View all users granted permissions to a project.
View services	project:services:read	View all details for services in a project, except the service logs.
Manage services	project:services:write	Create and delete services. Power on and off services. Add and remove dynamic disk sizing and tiered storage. Change service plans. Change cloud regions. Fork services.
Manage service configuration	service:configuration:write	Change clouds and regions. Change deployment models. Update IP allowlists. Change the network configuration options. Add and remove service tags. Enable and disable termination protection. Configure backup settings. Add and remove service contacts.
Access data	service:data:write	Perform service queries through the API and Console. View query statistics and current queries. Manage service-specific features like Kafka Topics and Schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes.
View service logs	service:logs:read	View logs for all services in the project. Service logs may contain sensitive information.
View configuration secrets	service:secrets:read	Read service configuration secrets such as keys.
Manage service users	service:users:write	Create and delete service users. View all service users. View, update, and reset connection information for services.