
Roles and permissions

To give users access to projects and services in your organizations, you grant them permissions and roles:

  • Permissions: Actions that a principal can perform on a resource or group of resources.
  • Roles: Sets of permissions that you can assign to a principal.

Principals are organization users, application users, and groups.

You can grant access to principals at the organization and project level.

To give users access to a specific service, create service users.

Organization roles and permissions

You can grant the following roles and permissions to principals at the organization level. Roles and permissions at this level apply to the organization and all units, projects, and services within it.
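The scope rule above is the one that matters most in an access review: an organization-level grant reaches every project in the organization, and a group is itself a principal, so its grants reach each of its members. The following Python script is an added example, not Aiven's code, that resolves the effective access of each user per project from a constructed grant list and flags grants worth a second look under least privilege. The Grant record shape, the sample users, groups and projects, and the choice of which names to flag are assumptions; the role and permission API names themselves are the ones listed in the tables on this page.

```python
"""Resolve effective access from a list of role and permission grants.

Added example, not Aiven's code. The grant record shape, the sample data and
the set of names treated as high impact are assumptions; the scope rules and
the role/permission API names are the ones documented on this page.
"""
from collections import defaultdict
from dataclasses import dataclass

# API names from this page that warrant a second look in a least-privilege
# review. Which names to flag is our choice (assumption), the reasons are the
# page's own descriptions of what each name allows.
SENSITIVE = {
    "role:organization:admin": "full access to the organization",
    "organization:app_users:write": "can generate application-user tokens",
    "organization:users:write": "can reset passwords and revoke tokens of managed users",
    "admin": "full access to the project and all of its services",
    "project:integrations:write": "can read and write integration secrets",
    "service:secrets:read": "can read service configuration secrets",
    "service:logs:read": "service logs may contain sensitive information",
}
SENSITIVE_NAMES = frozenset(SENSITIVE)


@dataclass(frozen=True)
class Grant:
    principal: str  # organization user, application user, or group
    scope: str      # "organization" or "project:<project name>"
    name: str       # role or permission API name


def expand_groups(grants, group_members):
    """Replace each grant made to a group with one grant per member.

    Groups hold organization and application users, not other groups,
    so a single pass is enough.
    """
    expanded = []
    for g in grants:
        members = group_members.get(g.principal)
        if members is None:
            expanded.append(g)
        else:
            expanded.extend(Grant(m, g.scope, g.name) for m in members)
    return expanded


def resolve_access(grants, group_members):
    """Return {user: {scope: set of API names}} after group expansion."""
    access = defaultdict(lambda: defaultdict(set))
    for g in expand_groups(grants, group_members):
        if g.scope != "organization" and not g.scope.startswith("project:"):
            raise ValueError(f"unknown scope {g.scope!r}")
        access[g.principal][g.scope].add(g.name)
    return {user: dict(scopes) for user, scopes in access.items()}


def names_in_project(access, user, project):
    """Effective names for one user in one project: organization-level grants
    apply to every project, project-level grants only to their own project."""
    scopes = access.get(user, {})
    return scopes.get("organization", set()) | scopes.get(f"project:{project}", set())


def least_privilege_findings(access, projects):
    """List (user, project, name, reason) for every high-impact grant in effect."""
    findings = []
    for user in access:
        for project in projects:
            for name in sorted(names_in_project(access, user, project) & SENSITIVE_NAMES):
                findings.append((user, project, name, SENSITIVE[name]))
    return sorted(findings)


# Constructed sample data (hypothetical accounts, group and projects).
SAMPLE_PROJECTS = ["analytics", "payments"]
SAMPLE_GROUPS = {"sre-team": ["bob@example.com", "carol@example.com"]}
SAMPLE_GRANTS = [
    Grant("alice@example.com", "organization", "role:organization:admin"),
    Grant("sre-team", "project:payments", "operator"),
    Grant("sre-team", "project:payments", "service:logs:read"),
    Grant("bob@example.com", "project:analytics", "read_only"),
    Grant("ci-deployer", "project:payments", "project:services:write"),
]


def sample_findings():
    access = resolve_access(SAMPLE_GRANTS, SAMPLE_GROUPS)
    return least_privilege_findings(access, SAMPLE_PROJECTS)


if __name__ == "__main__":
    for user, project, name, reason in sample_findings():
        print(f"{user:20} {project:10} {name:30} {reason}")
```

Note that the group grant never appears as a grant of "sre-team" in the result: it is attributed to each member, which is how an auditor should read it. The organization-level admin grant shows up in every project, which is exactly why the page recommends project-level or service-level grants where they suffice.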

Organization roles

Organization member (API name: none)
  This is the default role for all organization users. You cannot grant this role to users.
  All non-managed organization users can:
  Managed users have more restrictions.

Super admin (API name: none)
  • Completely unrestricted access to all organization resources and settings, including: all units and projects, billing information, the authentication policy, other super admins, organization users, application users, groups, domains, and identity providers.
  • Rename the organization.
  • Delete the organization.

Admin (API name: role:organization:admin)
  • Full access to the organization.
  • View and change billing information.
  • Change the authentication policy.
  • Create and delete organizational units and projects.
  • Move projects within an organization and to other organizations.
  • Invite, deactivate, and remove organization users.
  • Create, edit, and delete groups.
  • Create and delete application users and their tokens.
  • Add and remove domains.
  • Add, enable, disable, and remove identity providers.
  Cannot delete an organization or manage its super admins.

Organization permissions

Manage application users (API name: organization:app_users:write)
  • Create, edit, and delete application users.
  • View all application users.
  • Generate tokens for application users that are not super admins and have not been granted any permissions.
  • Revoke application tokens.
  • List all application tokens.

View organization audit log (API name: organization:audit_logs:read)
  • View the audit log.

Manage domains (API name: organization:domains:write)
  • Add, edit, and remove domains.
  • View all organization domains.

Manage groups (API name: organization:groups:write)
  • Create and delete groups.
  • Rename groups and update group descriptions.
  • Add organization and application users to groups that have not been granted any permissions.
  • Remove organization and application users from groups.

Manage projects (API name: organization:projects:write)
  • Create and delete projects.
  • Assign projects to billing groups.
  • Add and remove project tags.
  Cannot otherwise access or move the project or its services.

Manage organization users (API name: organization:users:write)
  • Invite new users to the organization.
  • View all invited users.
  • Remove user invites.
  • Deactivate, edit, and delete managed users, including organization admins.
  • Remove non-managed users from the organization, including organization admins.
  • Reset passwords for managed users.
  • View all authentication methods for an organization user.
  • Revoke tokens for managed users.
  • View all tokens generated by managed users.

Project roles and permissions

You can grant the following roles and permissions to principals at the project level. Roles and permissions granted at this level apply to the project and all services within it.

These permissions apply to the project API endpoint /v1/organization/{organization_id}/projects.

Project roles

Admin (API name: admin)
  • Full access to the project and all of its services.

Developer (API name: developer)
  • View project event log.
  • View project tags.
  • View all services in the project.
  • Create databases.
  • View service connection information.
  • View integration endpoints.
  • Remove Aiven for OpenSearch® indexes.
  • Create and change Aiven for Apache Kafka® topics.
  • Create and change Aiven for PostgreSQL® connection pools.
  • Create and change service database users.

Operator (API name: operator)
  • View project audit log.
  • Add, edit, and delete project tags.
  • View project tags.
  • View project permissions.
  • Create, edit, and delete services and their configuration.
  • Perform service maintenance updates.
  • Create, edit, and delete project VPCs and peering connections.
  • View project event log.
  • Create, edit, and delete integration endpoints.
  • Enable and disable service integrations.
  • View integration endpoints.

Read only (API name: read_only)
  • View project event log.
  • View project tags.
  • View all services and their configuration.
  • View integration endpoints.

Maintain services (API name: role:services:maintenance)
  • Perform service maintenance updates.
  • Change maintenance windows.
  • Upgrade service versions.

Recover services (API name: role:services:recover)
  • Add and remove dynamic disk sizing and tiered storage.
  • Change service plans.
  • Create a fork of a service within the same project.
  • Promote read replicas.

Project permissions

View project audit logs (API name: project:audit_logs:read)
  • View the logs for the project.
  • View all services in the project.

View project integrations (API name: project:integrations:read)
  • View all integration endpoints for a project.

Manage project integrations (API name: project:integrations:write)
  • Add and remove integration endpoints.
  • Read and write integration secrets.

View project networking (API name: project:networking:read)
  • View all project VPCs.
  • List all peering connections.

Manage project networking (API name: project:networking:write)
  • Create, edit, and delete project VPCs and peering connections.
  • View all project VPCs and peering connections.

View project permissions (API name: project:permissions:read)
  • View all users granted permissions to a project.

View services (API name: project:services:read)
  • View all details for services in a project, except the service logs.

Manage services (API name: project:services:write)
  • Create and delete services.
  • Power on and off services.
  • Add and remove dynamic disk sizing and tiered storage.
  • Change service plans.
  • Change cloud regions.
  • Create a fork of a service within the same project.

Manage service configuration (API name: service:configuration:write)
  • Change clouds and regions.
  • Change deployment models.
  • Update IP allowlists.
  • Change the network configuration options.
  • Add and remove service tags.
  • Enable and disable termination protection.
  • Configure backup settings.
  • Add and remove service contacts.

Access data (API name: service:data:write)
  • Perform service queries through the API and Console.
  • View query statistics and current queries.
  • Manage service-specific features like Kafka topics and schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes.

View service logs (API name: service:logs:read)
  • View logs for all services in the project.
  Service logs may contain sensitive information.

View configuration secrets (API name: service:secrets:read)
  • Read service configuration secrets such as keys.

Manage service users (API name: service:users:write)
  • Create and delete service users.
  • View all service users.
  • View, update, and reset connection information for services.