Roles and permissions

To give users access to projects and services in your organizations, you grant them permissions and roles:

• Permissions: Actions that a principal can perform on a resource or group of resources.
• Roles: Sets of permissions that you can assign to a principal.

Principals are organization users, application users, and groups. You can grant access to principals at the project level. You can add users to services.

To grant access to resources at the organization level, you can make organization users super admin. Limit the number of users with this role as it gives unrestricted access to all organization resources including billing, admin, and all projects and services.

Project roles

You can grant the following roles for projects to principals.

Console name	API name	Permissions
Admin	admin	Full access to the project and all of its services.
Developer	developer	Create databases. View service connection information. Remove Aiven for OpenSearch® indexes. Create and change Aiven for Apache Kafka® topics. Create and change Aiven for PostgreSQL® connection pools. Create and change service database users.
Operator	operator	View project audit log. View project permissions. Full access to all services in the project and their configuration.
Read only	read_only	View all services and their configuration.
Maintain services	role:services:maintenance	Perform service maintenance updates. Change maintenance windows. Upgrade service versions.
Recover services	role:services:recover	Add and remove dynamic disk sizing and tiered storage. Change service plans. Fork services. Promote read replicas.

Project admin do not have access to organization settings such as billing unless they are also a super admin.

Project and service permissions

important

Permissions are not yet fully supported in the Aiven Console. They are intended for use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes.

You can grant the following permissions to principals. The actions listed for each permission apply to the project and all services within it.

Console name	API name	Allowed actions
View project audit log	project:audit_logs:read	View the log for the project. View all services in the project.
View project integrations	project:integrations:read	View all integration endpoints for a project.
Manage project integrations	project:integrations:write	Add and remove integration endpoints. Read and write integration secrets.
View project networking	project:networking:read	View all project VPCs.
Manage project networking	project:networking:write	Add, edit, and remove project VPCs.
View project permissions	project:permissions:read	View all users granted permissions to a project.
View services	project:services:read	View all details for services in a project, except the service logs.
Manage services	project:services:write	Create and delete services. Power on and off services. Add and remove dynamic disk sizing and tiered storage. Change service plans. Change cloud regions. Fork services.
Manage service configuration	service:configuration:write	Change clouds and regions. Change deployment models. Update IP allowlists. Change the network configuration options. Add and remove service tags. Enable and disable termination protection. Configure backup settings. Add and remove service contacts.
Access data	service:data:write	Perform service queries through the API and Console. View query statistics and current queries. Manage service-specific features like Kafka Topics and Schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes.
View service logs	service:logs:read	View logs for all services in the project. Service logs may contain sensitive information.
View configuration secrets	service:secrets:read	Read service configuration secrets such as keys.
Manage service users	service:users:write	Create and delete service users. View and update connection information for services.