Grants

RBAC grants allow you to bind permissions to organizations, teams, groups, and users.

Permissions define the actions that a role can perform, examples of which include reading data, modifying configurations, and managing users. Grants are used to tie permissions to organizations/teams or groups/users. Thus, when a user assumes a particular role, they assume all of the permissions that are granted to that role.

Important

Any permission that you grant to an organization or team must be a ClusterRole object; Role objects cannot be used.

By using RBAC grants effectively, organizations can enforce the principle of least privilege, reduce administrative overhead, and maintain clear, auditable access policies across their systems.

graph TD
    %% --- Define Subgraphs for layout ---
    subgraph "Grants"
        RoleView("Permission: View")
        RoleEdit("Permission: Edit")
    end

    subgraph "Roles"
        Org("Org: Mirantis")
        TeamDev("Team: Dev")
        TeamQA("Team: QA")
        TeamProd("Team: Prod")
    end

    %% --- Relationships ---
    Org --> TeamDev
    Org --> TeamQA
    Org --> TeamProd
    RoleView --> Org
    RoleEdit --> TeamDev

    %% --- Styles ---
    %% Darker Style with professional borders
    style Org fill:#2E8B57,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamDev fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamQA fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamProd fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style RoleView fill:#E9967A,stroke:#0a2e4c,stroke-width:2px,color:#000
    style RoleEdit fill:#E9967A,stroke:#0a2e4c,stroke-width:2px,color:#000

    %% Style the grant links to be Mirantis blue
    linkStyle 3 stroke:#007bff,stroke-width:2px
    linkStyle 4 stroke:#007bff,stroke-width:2px

Organizations and Teams

You cannot provide a namespace to a grant that is applied to an organization or team. Such a grant always follows the organization's or team's namespace rule; for example, if an organization is namespaced, the grant is also namespaced.

Groups and Users

In addition to organizations and teams, grants can also be assigned to groups or users. This less common use case requires that you individually manage each grant. In such instances, you can provide a namespace to direct the permissions to a specific namespace.