Roles in SPIRL
SPIRL uses roles to manage permissions. The following access roles are installed by default:
- Auditor
- Operator
- Administrator
- Owner
Roles are hierarchial. In general, each subsequent role has the permissions of the previous role plus some additional permissions. For example, Operator has Auditor permissions and the ability to create and modify clusters.
Organization Roles vs. Realm Roles: Organization roles grant permissions across all trust domains and realms. Realm-specific roles (like Realm Admin) grant permissions only within assigned realms. See Realms for more information.
Realm Admin Role​
The Realm Admin role is a realm-scoped role that grants delegated administrative control over clusters within a specific realm. This role enables teams to manage their own infrastructure without requiring organization-wide Operator or Administrator permissions.
Realm Admin Capabilities:
- Create, read, update, and delete clusters within the assigned realm
- View workloads and configurations for clusters in the assigned realm
- Register new cluster versions within the assigned realm
Realm Admin Limitations:
- Cannot access clusters in other realms
- Cannot create or delete realms
- Cannot modify realm role assignments
- Cannot elevate their own privileges
Role Permissions​
The following table illustrates permissions allowed by each role:
| Auditor | Operator | Manager | Administrator | Owner | Realm Administrator 1 | |
|---|---|---|---|---|---|---|
| Invite user |
| |||||
| Change user role |
| |||||
| Delete user |
| |||||
| Create trust domain |
|
| ||||
| Delete trust domain |
|
| ||||
| List trust domains |
|
|
|
|
|
|
| Create realm |
|
| ||||
| Delete realm |
|
| ||||
| List realms |
|
|
|
|
|
|
| Assign realm roles |
|
| ||||
| Add cluster |
|
|
|
|
| |
| Disable cluster |
|
|
|
|
| |
| Delete cluster |
|
|
|
|
| |
| List clusters |
|
|
|
|
|
|
| Create trust domain deployment |
|
|
| |||
| Delete trust domain deployment |
|
|
| |||
| List trust domain deployments |
|
|
|
|
|
|
| Create service account |
|
| ||||
| List service accounts |
|
|
|
|
|
|
| Delete service account: 3 |
|
| ||||
| Create CI/CD profile |
|
|
|
| ||
| Delete CI/CD profile |
|
|
|
| ||
| List CI/CD profiles |
|
|
|
|
|
|
