Role-based access control (RBAC)
In RisingWave Cloud, Role-based access control (RBAC) system empowers organizations to precisely manage access permissions based on their roles. Among RisingWave Cloud users in the organization, each user is associated with a pre-defined role. The organization administrator will have permission to edit the roles of all the members, whereas other members will have access to different subsystems depending on their roles.
Security principal
A security principal refers to an entity that is authenticated and authorized to perform various operations and access resources in RisingWave Cloud. You can assign a role to any of these security principals:
- Service account: Typically represents an application. It accesses RisingWave Cloud resources on the application’s behalf, using API keys for authentication.
- User: Typically represents an individual user who interacts with resources via the user interface.
Role permissions and limitations
Below are permissions and limitations for roles to ensure that each service account or user has appropriate access tailored to their responsibilities.
To grant a role to your account, go to Organization > Role management, then click Edit roles on the right side.
| Role | Permissions | Limitations |
|---|---|---|
| OrganizationAdmin | Full control over tenants and related resources.Management of service accounts, users, invitations, and RoleBinding.Access to all billing resources. | Cannot modify their own admin RoleBinding. |
| OrganizationMember | View access to all tenants.View service accounts, users, and invitations. | No permissions for tenant-related operations (create, update, delete).No permissions for service accounts, users, or invitations operations (create, update, delete).No access to billing resources. |
| BillingManager | Full access to all billing resources. | No access to any other operations outside of billing. |
| ProjectAdmin | Full access to operations related to any tenants. | No access to billing operations, service accounts, users, or invitations. |
RoleBinding
RoleBindings ensure that only authorized entities have access to resources and operations based on their defined roles.
Prerequisite
Only the OrganizationAdmin has the permission to manage user’s RoleBinding.
Scenario
| User scenarios | Description |
|---|---|
| Invite a user to the organization | Currently, you can only invite a new user as an OrganizationMember. If you want to grant more permissions to the target user, please go to Organization > Role management > Users to modify after the user accepts the invitation. |
| Create a service account in the organization | The service account RoleBinding is used for authorization when accessing Cloud APIs using the service account’s API keys. By default, the service account is assigned the read-only OrganizationMember role. If you need to assign more permissions to the service account, please go to Organization > Role management > Service Accounts to add other roles. |
| Delete or add RoleBinding for a user | Go to Organization > Role management > Users, click the corresponding Edit Roles of the specific role. A popup window will appear, allowing you to uncheck the role or select the new ones. Click Confirm to save the change. |
| Delete or add RoleBinding for the service account | Go to Organization > Role management > Users, click the corresponding Edit Roles of the specific service account. A popup window will appear, allowing you to uncheck the role or select the new ones. Click Confirm to save the change. |
Every organization needs at least one OrganizationAdmin user. Any attempt to delete the last OrganizationAdmin RoleBinding will fail.
Role-based access control (RBAC)
In RisingWave Cloud, Role-based access control (RBAC) system empowers organizations to precisely manage access permissions based on their roles. Among RisingWave Cloud users in the organization, each user is associated with a pre-defined role. The organization administrator will have permission to edit the roles of all the members, whereas other members will have access to different subsystems depending on their roles.
Security principal
A security principal refers to an entity that is authenticated and authorized to perform various operations and access resources in RisingWave Cloud. You can assign a role to any of these security principals:
- Service account: Typically represents an application. It accesses RisingWave Cloud resources on the application’s behalf, using API keys for authentication.
- User: Typically represents an individual user who interacts with resources via the user interface.
Role permissions and limitations
Below are permissions and limitations for roles to ensure that each service account or user has appropriate access tailored to their responsibilities.
To grant a role to your account, go to Organization > Role management, then click Edit roles on the right side.
| Role | Permissions | Limitations |
|---|---|---|
| OrganizationAdmin | Full control over tenants and related resources.Management of service accounts, users, invitations, and RoleBinding.Access to all billing resources. | Cannot modify their own admin RoleBinding. |
| OrganizationMember | View access to all tenants.View service accounts, users, and invitations. | No permissions for tenant-related operations (create, update, delete).No permissions for service accounts, users, or invitations operations (create, update, delete).No access to billing resources. |
| BillingManager | Full access to all billing resources. | No access to any other operations outside of billing. |
| ProjectAdmin | Full access to operations related to any tenants. | No access to billing operations, service accounts, users, or invitations. |
RoleBinding
RoleBindings ensure that only authorized entities have access to resources and operations based on their defined roles.
Prerequisite
Only the OrganizationAdmin has the permission to manage user’s RoleBinding.
Scenario
| User scenarios | Description |
|---|---|
| Invite a user to the organization | Currently, you can only invite a new user as an OrganizationMember. If you want to grant more permissions to the target user, please go to Organization > Role management > Users to modify after the user accepts the invitation. |
| Create a service account in the organization | The service account RoleBinding is used for authorization when accessing Cloud APIs using the service account’s API keys. By default, the service account is assigned the read-only OrganizationMember role. If you need to assign more permissions to the service account, please go to Organization > Role management > Service Accounts to add other roles. |
| Delete or add RoleBinding for a user | Go to Organization > Role management > Users, click the corresponding Edit Roles of the specific role. A popup window will appear, allowing you to uncheck the role or select the new ones. Click Confirm to save the change. |
| Delete or add RoleBinding for the service account | Go to Organization > Role management > Users, click the corresponding Edit Roles of the specific service account. A popup window will appear, allowing you to uncheck the role or select the new ones. Click Confirm to save the change. |
Every organization needs at least one OrganizationAdmin user. Any attempt to delete the last OrganizationAdmin RoleBinding will fail.