Grants

RBAC grants allow you to bind permissions to organizations, teams, groups, and users.

Permissions define the actions that a role can perform, such as reading data, modifying configurations, and managing users. Grants tie those permissions to organizations and teams, or to groups and users. Thus, when a user assumes a particular role, they assume all of the permissions that are granted to that role.

By using RBAC grants effectively, organizations can enforce the principle of least privilege, reduce administrative overhead, and maintain clear, auditable access policies across their systems.

graph TD
    %% --- Define Subgraphs for layout ---
    subgraph "Grants"
        RoleView("Permission: View")
        RoleEdit("Permission: Edit")
    end

    subgraph "Roles"
        Org("Org: Mirantis")
        TeamDev("Team: Dev")
        TeamQA("Team: QA")
        TeamProd("Team: Prod")
    end

    %% --- Relationships ---
    Org --> TeamDev
    Org --> TeamQA
    Org --> TeamProd
    RoleView --> Org
    RoleEdit --> TeamDev

    %% --- Styles ---
    %% Darker Style with professional borders
    style Org fill:#2E8B57,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamDev fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamQA fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamProd fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style RoleView fill:#E9967A,stroke:#0a2e4c,stroke-width:2px,color:#000
    style RoleEdit fill:#E9967A,stroke:#0a2e4c,stroke-width:2px,color:#000

    %% Style the grant links to be Mirantis blue
    linkStyle 3 stroke:#007bff,stroke-width:2px
    linkStyle 4 stroke:#007bff,stroke-width:2px

Organizations and teams

You can provide a grant to a Role or a ClusterRole for assignment to an organization or a team. All members of each team under the selected organization, or the explicitly selected team, are automatically granted permissions from that Role or the ClusterRole.

Groups and users

In addition to organizations and teams, grants can also be assigned to groups or users. This less common use case requires that you individually manage each grant. In such instances, you can provide a namespace to direct the permissions to a specific namespace.
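
The inheritance described in the two sections above can be checked with a small model. The following is an added example, not the product's own code or API: the `Grant` fields, the subject kind labels, and all member, group and namespace names are constructed for illustration, with the org and team layout taken from the diagram.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the org/team layout from the diagram plus one group.
ORG_TEAMS = {"Mirantis": ["Dev", "QA", "Prod"]}
TEAM_MEMBERS = {"Dev": {"alice"}, "QA": {"bob"}, "Prod": {"carol"}}
GROUP_MEMBERS = {"auditors": {"carol"}}

@dataclass(frozen=True)
class Grant:
    role: str                        # Role or ClusterRole being granted
    subject_kind: str                # "org", "team", "group" or "user" (hypothetical labels)
    subject: str
    namespace: Optional[str] = None  # None = grant is not directed to one namespace

GRANTS = [
    Grant("view", "org", "Mirantis"),                      # as in the diagram
    Grant("edit", "team", "Dev"),                          # as in the diagram
    Grant("view", "group", "auditors", namespace="audit"),
    Grant("edit", "user", "bob", namespace="qa-sandbox"),
]

def subjects_of(user):
    """Every (kind, name) subject through which `user` can receive a grant."""
    subjects = {("user", user)}
    subjects |= {("group", g) for g, members in GROUP_MEMBERS.items() if user in members}
    for org, teams in ORG_TEAMS.items():
        for team in teams:
            if user in TEAM_MEMBERS.get(team, set()):
                subjects.add(("team", team))
                subjects.add(("org", org))  # an org grant reaches every team's members
    return subjects

def effective_grants(user, grants=GRANTS):
    """Set of (role, namespace) pairs the user holds, directly or inherited."""
    subs = subjects_of(user)
    return {(g.role, g.namespace) for g in grants if (g.subject_kind, g.subject) in subs}

def individually_managed(grants=GRANTS):
    """Group and user grants are managed one by one, so list them for review."""
    return [g for g in grants if g.subject_kind in ("group", "user")]

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, sorted(effective_grants(u), key=str))
    print("review:", [(g.subject_kind, g.subject, g.role) for g in individually_managed()])
```

Running it shows that every team member inherits `view` from the organization grant, only Dev members add `edit`, and the group and user grants surface in a separate review list.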