Omnistrate RBAC
Overview
Omnistrate RBAC lets you assign your team members one of a set of predefined organization roles.
Note
Omnistrate RBAC for your internal team members is separate from the customer-facing RBAC that your customers use. The Omnistrate platform automatically builds RBAC for your customers when you build your SaaS product using Omnistrate; see the Tenant Management section for details on customer RBAC.
Organization Roles
Here are the roles and associated permissions for different operations:
| Organization Role | Build Side Service Access including (Pipeline, Build Service Definition, Product Tier) | Operate/Fleet Side Access | Account Config Access | User Invite Access (Access Control) | Billing Access | Service Plan Access | Resource Instance Access | Templates, Deployment Config, Image registry |
|---|---|---|---|---|---|---|---|---|
| Root | CRUDL | CRUL | CRUDL | Invite/Uninvite except root | CRUDL | RL | CRUDL | CRUDL |
| Admin | CRUDL | CRUL | RL | Invite/Uninvite except root | RL | RL | CRUDL | CRUDL |
| Service Editor | CRUDL | RL | No Access | No Access | No Access | RL | CRUDL | CRUDL |
| Service Operator | RL | CRUL | No Access | No Access | No Access | RL | CRUDL | RL |
| Service Reader | RL | RL | No Access | No Access | No Access | RL | CRUDL | RL |
Legend:
C: Create; R: Read/Describe; U: Update; D: Delete; L: List
As an example, you might grant the Service Editor role to the development team building your control plane on top of Omnistrate, and the Service Operator role to the platform team that operates your SaaS using Omnistrate.
Common assignment patterns
- Use `Service Editor` for build and release workflows that update service definitions, plans, pipelines, and registries.
- Use `Service Operator` for day-2 operations on existing instances and deployment cells.
- Use `Admin` or `Root` for cloud account onboarding or offboarding, organization access control, and other account-level configuration.
Practical limitations
- A user can hold only one organization role at a time.
- If one automation flow needs both build or release privileges and cloud-account administration, use a higher-privilege role or split the workflow across separate bot users.
- Changing a user's organization role requires removing and re-inviting that user with the new role.
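To make the role matrix and the one-role-per-user limitation concrete, here is an added Python example (not Omnistrate's code or API) that encodes the table above and, for a set of needed (area, operation) pairs, either names the smallest single role that covers them all or splits them across the least-privileged roles, one bot user per role, as the guidance above suggests. The area names, the letter "I" for the invite/uninvite entry, and the comparison of roles by total number of grants are assumptions made for this example.

```python
from typing import Optional

# Columns of the page's organization-role table, in order (names assumed here).
AREAS = ("build", "operate", "account_config", "user_invite", "billing",
         "service_plan", "resource_instance", "templates")
# Rows: the CRUDL letters each role holds per area. "I" stands for the
# "Invite/Uninvite except root" entry and "" for "No Access".
ROLE_MATRIX = {
    "Service Reader":   ("RL",    "RL",   "",      "",  "",      "RL", "CRUDL", "RL"),
    "Service Operator": ("RL",    "CRUL", "",      "",  "",      "RL", "CRUDL", "RL"),
    "Service Editor":   ("CRUDL", "RL",   "",      "",  "",      "RL", "CRUDL", "CRUDL"),
    "Admin":            ("CRUDL", "CRUL", "RL",    "I", "RL",    "RL", "CRUDL", "CRUDL"),
    "Root":             ("CRUDL", "CRUL", "CRUDL", "I", "CRUDL", "RL", "CRUDL", "CRUDL"),
}

def permissions(role: str) -> set[tuple[str, str]]:
    """Expand one table row into (area, op) pairs such as ("operate", "U")."""
    return {(area, op) for area, ops in zip(AREAS, ROLE_MATRIX[role]) for op in ops}

def is_allowed(role: str, area: str, op: str) -> bool:
    """True if the role's row grants the single operation in that area."""
    return (area, op) in permissions(role)

def least_privileged_role(required: set[tuple[str, str]]) -> Optional[str]:
    """Smallest single role (by total grants) covering every required pair.
    The roles are not a strict chain (Service Operator can update on the
    operate side, Service Editor cannot), so candidates are compared by size
    rather than by a fixed rank. None means no single role fits."""
    candidates = [r for r in ROLE_MATRIX if required <= permissions(r)]
    return min(candidates, key=lambda r: len(permissions(r))) if candidates else None

def split_across_roles(required: set[tuple[str, str]]) -> dict[str, set[tuple[str, str]]]:
    """Alternative to escalating to one higher role: give each required pair
    to the least-privileged role holding it, i.e. one bot user per role."""
    plan: dict[str, set[tuple[str, str]]] = {}
    for perm in sorted(required):
        role = least_privileged_role({perm})
        if role is None:
            raise ValueError(f"no organization role grants {perm}")
        plan.setdefault(role, set()).add(perm)
    return plan

if __name__ == "__main__":
    # A release flow that must update service definitions (build side) and
    # also update existing instances (operate side): no low role covers both.
    needs = {("build", "U"), ("operate", "U")}
    print("single role:", least_privileged_role(needs))  # Admin
    print("split:", split_across_roles(needs))            # Editor + Operator
```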
Restrictions
A given user can only be part of one organization. If a user is created without an invitation, that user gets their own default organization.
If a user is invited to an existing organization, that user will be part of that organization. If you would like to join a different organization, you need to be removed from your current organization and re-invited by the new organization you wish to join. Please be aware that during this transition, your original Omnistrate account will be deactivated, and you will need to create a new account. In other words, by moving to a new organization, you will lose access to any services or data associated with your original organization.
If this process does not align with your needs, please contact [email protected] and we're here to help.