Roles and permissions

To give users access to projects and services in your organizations, you grant them permissions and roles:

Permissions: Actions that a principal can perform on a resource or group of resources.
Roles: Sets of permissions that you can assign to a principal.

Principals are organization users, application users, and groups.

You can grant access to principals at the organization and project level.

To give users access to a specific service, create service users.

Organization roles and permissions

You can grant the following roles and permissions to principals at the organization level. Roles and permissions at this level apply to the organization and all units, projects, and services within it.

Organization roles

Console name	API name	Allowed actions
Organization member	None	This is the default role for all organization users. You cannot grant this role to users. All non-managed organization users can: Edit their profiles. Create organizations. Leave organizations. Add allowed authentication methods. Generate and revoke personal tokens, if allowed by the authentication policy. Enable and disable feature previews. Managed users have more restrictions.
Super admin	None	Completely unrestricted access to all organization resources and settings, including: all units and projects, billing information, the authentication policy, other super admin, organization users, application users, groups, domains, and identity providers. Rename the organization. Delete the organization.
Admin	`role:organization:admin`	Full access to the organization. View and change billing information. Change the authentication policy. Create and delete organizational units and projects. Move projects within an organization and to other organizations. Invite, deactivate, and remove organization users. Create, edit, and delete groups. Create and delete application users and their tokens. Add and remove domains. Add, enable, disable, and remove identity providers. Cannot delete an organization or manage its super admin.

Organization permissions

Console name	API name	Allowed actions
Manage application users	`organization:app_users:write`	Create, edit, and delete application users. View all application users. Generate tokens for application users that are not super admin and have not been granted any permissions. Revoke application tokens. List all application tokens.
View organization audit log	`organization:audit_logs:read`	View the audit log.
Manage domains	`organization:domains:write`	Add, edit, and remove domains. View all organization domains.
Manage groups	`organization:groups:write`	Create and delete groups. Rename groups and update group descriptions. Add organization and application users to groups that have not been granted any permissions. Remove organization and application users from groups.
Manage projects	`organization:projects:write`	Create and delete projects. Assign projects to billing groups. Add and remove project tags. Cannot otherwise access or move the project or its services.
Manage organization users	`organization:users:write`	Invite new users to the organization. View all invited users. Remove user invites. Deactivate, edit and delete managed users, including organization admin. Remove non-managed users from the organization, including organization admin. Reset passwords for managed users. View all authentication methods for an organization user. Revoke tokens for managed users. View all tokens generated by managed users.

Project roles and permissions

You can grant the following roles and permissions to principals. Roles and permissions granted at this level apply to the project and all services within it.

These permissions apply to the project API endpoint /v1/organization/{organization_id}/projects.

Project roles

Console name	API name	Permissions
Admin	`admin`	Full access to the project and all of its services.
Developer	`developer`	View project event log. View project tags. View all services in the project. Create databases. View service connection information. View integration endpoints. Remove Aiven for OpenSearch® indexes. Create and change Aiven for Apache Kafka® topics. Create and change Aiven for PostgreSQL® connection pools. Create and change service database users.
Operator	`operator`	View project audit log. Add, edit, and delete project tags. View project tags. View project permissions. Create, edit, and delete services and their configuration. Perform service maintenance updates. Create, edit, and delete project VPCs and peering connections. View project event log. Created, edit, and delete integration endpoints. Enable and disable service integrations. View integration endpoints.
Read only	`read_only`	View project event log. View project tags. View all services and their configuration. View integration endpoints.
Maintain services	`role:services:maintenance`	Perform service maintenance updates. Change maintenance windows. Upgrade service versions.
Recover services	`role:services:recover`	Add and remove dynamic disk sizing and tiered storage. Change service plans. Create a fork of a service within the same project. Promote read replicas.

Project permissions

Console name	API name	Allowed actions
View project audit logs	`project:audit_logs:read`	View the logs for the project. View all services in the project.
View project integrations	`project:integrations:read`	View all integration endpoints for a project.
Manage project integrations	`project:integrations:write`	Add and remove integration endpoints. Read and write integration secrets.
View project networking	`project:networking:read`	View all project VPCs. List all peering connections.
Manage project networking	`project:networking:write`	Create, edit, and delete project VPCs and peering connections. View all project VPCs and peering connections.
View project permissions	`project:permissions:read`	View all users granted permissions to a project.
View services	`project:services:read`	View all details for services in a project, except the service logs.
Manage services	`project:services:write`	Create and delete services. Power on and off services. Add and remove dynamic disk sizing and tiered storage. Change service plans. Change cloud regions. Create a fork of a service within the same project.
Manage service configuration	`service:configuration:write`	Change clouds and regions. Change deployment models. Update IP allowlists. Change the network configuration options. Add and remove service tags. Enable and disable termination protection. Configure backup settings. Add and remove service contacts.
Access data	`service:data:write`	Perform service queries through the API and Console. View query statistics and current queries. Manage service-specific features like Kafka Topics and Schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes.
View service logs	`service:logs:read`	View logs for all services in the project. Service logs may contain sensitive information.
View configuration secrets	`service:secrets:read`	Read service configuration secrets such as keys.
Manage service users	`service:users:write`	Create and delete service users. View all service users. View, update, and reset connection information for services.

Organization roles and permissions​

Organization roles​

Organization permissions​

Project roles and permissions​

Project roles​

Project permissions​