Roles in Defakto
Defakto uses roles to manage permissions. The following access roles are installed by default:
- Auditor
- Operator
- Manager
- Administrator
- Owner
Roles are hierarchical. Each subsequent role has the permissions of the previous role plus additional permissions. For example, Operator has Auditor permissions and the ability to create and modify clusters.
Organization Roles vs. Realm Roles: Organization roles grant permissions across all trust domains and realms. Realm-specific roles (like Realm Admin) grant permissions only within assigned realms. See Realms for more information.
Realm Admin Role
The Realm Admin role is a realm-scoped role that grants delegated administrative control over clusters within a specific realm. This role enables teams to manage their own infrastructure without requiring organization-wide Operator or Administrator permissions.
Realm Admin Capabilities:
- Create, read, update, and delete clusters within the assigned realm
- View workloads and configurations for clusters in the assigned realm
- Register new cluster versions within the assigned realm
Realm Admin Limitations:
- Cannot access clusters in other realms
- Cannot create or delete realms
- Cannot modify realm role assignments
- Cannot elevate their own privileges
Role Permissions
The tables below list permissions by feature area. Realm Admin is always assigned on top of an existing organization role. The Realm Admin column reflects a user with the minimum Auditor organization role — such a user inherits all Auditor permissions plus the realm-scoped cluster operations noted below.1
Users & Invitations
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List users |  | | | | | |
| View organization settings | | | | | | |
| Update organization settings | | | ||||
| Invite user | | |||||
| Renew / delete user invitation | | |||||
| List user invitations | | |||||
| Change user role | | |||||
| Delete user | |
Role Assignments
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List roles | | | | | | |
| List role assignments | | | | | | |
| Assign / remove role assignments | | |
Service Accounts
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| View service account info | | | | | | |
| List service accounts | | | | | | |
| Create service account 2 | | | ||||
| Delete service account | | |
Trust Domains
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List trust domains | | | | | | |
| View trust domain info and signing authority status | | | | | | |
| List trust domain keys | | | | | | |
| Create / enable / disable / delete trust domain keys | | | | |||
| List trust domain deployments | | | | | | |
| Manage deployment key sets (prepare / activate / taint / remove) | | | | |||
| Create / register / update trust domain | | | ||||
| Delete trust domain | | | ||||
| Delete trust domain deployment | | |
Clusters
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List / describe clusters | | | | | | |
| List cluster versions | | | | | | |
| Create cluster | | | | | 3 | |
| Create / activate / deactivate cluster versions | | | | | 3 | |
| Delete cluster / cluster version | | | | | 3 |
Realms
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List realms | | | | | | |
| Create / delete realm | | | ||||
| Assign / remove realm roles | | |
Federation
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List federation links | | | | | | |
| Refresh federation link | | | | | ||
| Create / delete federation link | | |
CI/CD Profiles
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| List CI/CD profiles and links | | | | | | |
| Create / delete CI/CD profile | | | | | ||
| Link / unlink CI/CD profile | | | | |
Developer Identity
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| View unified access status | | | | | | |
| List developer identity policies | | | | | | |
| Add / update / delete developer identity policy | | | ||||
| Enable / disable developer identity policy | | | ||||
| Manage developer identity OIDC configurations | | |
Managed Config
| Auditor | Operator | Manager | Administrator | Owner | Realm Admin | |
|---|---|---|---|---|---|---|
| View organization config | | | | | | |
| View trust domain config | | | | | | |
| View trust domain deployment config | | | | | | |
| View cluster config / history / versions | | | | | | |
| Diff config versions | | | | | | |
| Update cluster config | | | | | 3 | |
| Update organization config | | | ||||
| Update trust domain config | | | ||||
| Update trust domain deployment config | | |