Omnistrate RBAC¶
Omnistrate RBAC allows your team members to assume some predefined roles.
Note
Please note that Omnistrate RBAC for your internal teams is completely different from your customer-facing RBAC for your customers. Omnistrate platform automatically builds RBAC for your customers when you build your SaaS Product using Omnistrate. Check the Tenant Management section for details on Customer RBAC.
Organization Roles¶
Here are the roles and associated permissions for different operations:
| Organization Role | Build Side Service Access including (Pipeline, Build Service Definition, Product Tier) | Operate/Fleet Side Access | Account Config Access | User Invite Access (Access Control) | Billing Access | Service Plan Access | Resource Instance Access | Templates, Deployment Config, Image registry |
|---|---|---|---|---|---|---|---|---|
| Root | CRUDL | CRUL | CRUDL | Invite/Uninvite except root | CRUDL | RL | CRUDL | CRUDL |
| Admin | CRUDL | CRUL | RL | Invite/Uninvite except root | RL | RL | CRUDL | CRUDL |
| Service Editor | CRUDL | RL | No Access | No Access | No Access | RL | CRUDL | CRUDL |
| Service Operator | RL | CRUL | No Access | No Access | No Access | RL | CRUDL | RL |
| Service Reader | RL | RL | No Access | No Access | No Access | RL | CRUDL | RL |
Legend:
C: Create; R: Read/Describe; U: Update; D: Delete; L: List
As an example, you may want to grant Service Editor role to your development team building control plane on top of Omnistrate and Service Operator to your platform teams to operate your SaaS using Omnistrate.
Restrictions¶
A given user can only be part of one organization. If a user is created without any invitation, it will have its own default organization.
If a user is invited to an existing organization, that user will be part of that organization. If you would like to join a different organization, you need to be removed from your current organization and re-invited by the new organization you wish to join. Please be aware that during this transition, your original Omnistrate account will be deactivated, and you will need to create a new account. In other words, by moving to a new organization, you will lose access to any services or data associated with your original organization.
If this process does not align with your needs, please contact support@omnistrate.com and we're here to help.