Skip to main content

RBAC Resource Names

This a list of all available resource names for the Replicated vendor role-based access control (RBAC) policy:

Integration Catalog

integration/catalog/list

Grants the holder permission to view the catalog events and triggers available for integrations.

kots

kots/app/create

When allowed, the holder will be allowed to create new applications.

kots/app/[:appId]/read

Grants the holder permission to view the application. If the holder does not have permissions to view an application, it will not appear in lists.

kots/externalregistry/list

Grants the holder the ability to list external docker registry for application(s).

kots/externalregistry/create

Grants the holder the ability to link a new external docker registry to application(s).

kots/externalregistry/[:registryName]/delete

Grants the holder the ability to delete the specified linked external docker registry in application(s).

kots/app/[:appId]/channel/create

Grants the holder the ability to create a new channel in the specified application(s).

kots/app/[:appId]/channel/[:channelId]/archive

Grants the holder permission to archive the specified channel(s) of the specified application(s).

kots/app/[:appId]/channel/[:channelId]/promote

Grants the holder the ability to promote a new release to the specified channel(s) of the specified application(s).

kots/app/[:appId]/channel/[:channelId]/update

Grants the holder permission to update the specified channel of the specified application(s).

kots/app/[:appId]/channel/[:channelId]/read

Grants the holder the permission to view information about the specified channel of the specified application(s).

kots/app/[:appId]/enterprisechannel/[:channelId]/read

Grants the holder the permission to view information about the specified enterprise channel of the specified application(s).

kots/app/[:appId]/channel/[:channelId]/releases/airgap

Grants the holder permission to trigger airgap builds for the specified channel.

kots/app/[:appId]/channel/[:channelId]/releases/airgap/download-url

Grants the holder permission to get an airgap bundle download URL for any release on the specified channel.

kots/app/[:appId]/installer/create

Grants the holder permission to create kURL installers. For more information, see Creating a kURL installer.

kots/app/[:appId]/installer/update

Grants the holder permission to update kURL installers. For more information, see Creating a kURL installer.

kots/app/[:appId]/installer/read

Grants the holder permission to view kURL installers. For more information, see Creating a kURL installer.

kots/app/[:appId]/installer/promote

Grants the holder permission to promote kURL installers to a channel. For more information, see Creating a kURL installer.

note

The kots/app/[:appId]/installer/promote policy does not grant the holder permission to view and create installers. Users must be assigned both the kots/app/[:appId]/installers and kots/app/[:appId]/installer/promote policies to have permissions to view, create, and promote installers.

kots/app/[:appId]/license/create

Grants the holder permission to create a new license in the specified application(s).

kots/app/[:appId]/license/[:customerId]/read

Grants the holder permission to view the license specified by ID. If this is denied, the licenses will not show up in search, CSV export or on the Vendor Portal, and the holder will not be able to subscribe to this license's instance notifications.

kots/app/[:appId]/license/[:customerId]/update

Grants the holder permission to edit the license specified by ID for the specified application(s).

kots/app/[:appId]/license/[:customerId]/slack-notifications/read

Grants the holder permission to view the team's Slack notification subscriptions for instances associated with the specified license.

kots/app/[:appId]/license/[:customerId]/slack-notifications/update

Grants the holder permission to edit the team's Slack notification subscriptions for instances associated with the specified license.

kots/app/[:appId]/builtin-licensefields/update

Grants the holder permission to edit the builtin license field override values for the specified application(s).

kots/app/[:appId]/builtin-licensefields/delete

Grants the holder permission to delete the builtin license field override values for the specified application(s).

kots/license/[:customerId]/airgap/password

Grants the holder permission to generate a new download portal password for the license specified (by ID) for the specified application(s).

kots/license/[:customerId]/archive

Grants the holder permission to archive the specified license (by ID).

kots/license/[:customerId]/unarchive

Grants the holder permissions to unarchive the specified license (by ID).

kots/app/[:appId]/licensefields/create

Grants the holder permission to create new license fields in the specified application(s).

kots/app/[:appId]/licensefields/read

Grants the holder permission to view the license fields in the specified application(s).

kots/app/[:appId]/licensefields/update

Grants the holder permission to edit the license fields for the specified application(s).

kots/app/[:appId]/licensefields/delete

Grants the holder permission to delete the license fields for the specified application(s).

kots/app/[:appId]/release/create

Grants the holder permission to create a new release in the specified application(s).

kots/app/[:appId]/release/[:sequence]/update

Grants the holder permission to update the files saved in release sequence [:sequence] in the specified application(s). Once a release is promoted to a channel, it's not editable by anyone.

kots/app/[:appId]/release/[:sequence]/read

Grants the holder permission to read the files at release sequence [:sequence] in the specified application(s).

kots/app/[:appId]/customhostname/list

Grants the holder permission to view custom hostnames for the team.

kots/app/[:appId]/customhostname/create

Grants the holder permission to create custom hostnames for the team.

kots/app/[:appId]/customhostname/delete

Grants the holder permission to delete custom hostnames for the team.

kots/app/[:appId]/customhostname/default/set

Grants the holder permission to set default custom hostnames.

kots/app/[:appId]/customhostname/default/unset

Grants the holder permission to unset the default custom hostnames.

kots/app/[:appId]/supportbundle/read

Grants the holder permission to view and download support bundles.

Registry

registry/namespace/:namespace/pull

Grants the holder permission to pull images from Replicated registry.

registry/namespace/:namespace/push

Grants the holder permission to push images into Replicated registry.

Compatibility Matrix

kots/cluster/create

Grants the holder permission to create new clusters.

kots/cluster/list

Grants the holder permission to list running and terminated clusters.

kots/cluster/[:clusterId]

Grants the holder permission to get cluster details.

kots/cluster/[:clusterId]/upgrade

Grants the holder permission to upgrade a cluster.

kots/cluster[:clusterId]/kubeconfig

Grants the holder permision to get the kubeconfig for a cluster.

kots/cluster/[:clusterId]/delete

Grants the holder permission to delete a cluster.

Team

team/auditlog/read

Grants the holder permission to view the audit log for the team.

team/authentication/update

Grants the holder permission to manage the following team authentication settings: Google authentication, Auto-join, and SAML authentication.

team/authentication/read

Grants the holder permission to read the following authentication settings: Google authentication, Auto-join, and SAML authentication.

team/integration/list

Grants the holder permission to view team's integrations.

team/integration/create

Grants the holder permission to create an integration.

team/integration/[:integrationId]/delete

Grants the holder permission to delete specified integration(s).

team/integration/[:integrationId]/update

Grants the holder permission to update specified integration(s).

team/members/list

Grants the holder permission to list team members and invitations.

team/member/invite

Grants the holder permission to invite additional people to the team.

team/members/delete

Grants the holder permission to delete other team members.

team/notifications/slack-webhook/read

Grants the holder permission to view the team's Slack webhook for instance notifications.

team/notifications/slack-webhook/update

Grants the holder permission to edit the team's Slack webhook for instance notifications.

team/policy/read

Grants the holder permission to view RBAC policies for the team.

team/policy/update

Grants the holder permission to update RBAC policies for the team.

team/policy/delete

Grants the holder permission to delete RBAC policies for the team.

team/policy/create

Grants the holder permission to create RBAC policies for the team.

team/security/update

Grants the holder permission to manage team password requirements including two-factor authentication and password complexity requirements.

team/serviceaccount/list

Grants the holder permission to list service accounts.

team/serviceaccount/create

Grants the holder permission to create new service accounts.

team/serviceaccount/[:name]/delete

Grants the holder permission to delete the service account identified by the name specified.

team/support-issues/read

Grants the holder Read permissions in the Replicated collab repository in GitHub for the Vendor Portal team. Applies after the user adds their GitHub username to the Vendor Portal Account Settings page.

To prevent access to the collab repository for an RBAC policy, add team/support-issues/read to the denied: list in the policy. For example:

{
"v1": {
"name": "Policy Name",
"resources": {
"allowed": [],
"denied": [
"team/support-issues/read"
]
}
}
}

For more information about the Read role in GitHub, see Permissions for each role in the GitHub documentation.

important

When you update an existing RBAC policy to add one or more team/support-issues resource, the GitHub role in the Replicated collab repository of every team member that is assigned to that policy and has a GitHub username saved in their account is updated accordingly.

team/support-issues/write

Grants the holder Write permissions in the Replicated collab repository in GitHub for the Vendor Portal team. Applies after the user adds their GitHub username to the Vendor Portal Account Settings page.

For more information about the Write role in GitHub, see Permissions for each role in the GitHub documentation.

important

When you update an existing RBAC policy to add one or more team/support-issues resource, the GitHub role in the Replicated collab repository of every team member that is assigned to that policy and has a GitHub username saved in their account is updated accordingly.

team/support-issues/triage

Grants the holder Triage permissions in the Replicated collab repository in GitHub for the Vendor Portal team. Applies after the user adds their GitHub username to the Vendor Portal Account Settings page.

For more information about the Triage role in GitHub, see Permissions for each role in the GitHub documentation.

important

When you update an existing RBAC policy to add one or more team/support-issues resource, the GitHub role in the Replicated collab repository of every team member that is assigned to that policy and has a GitHub username saved in their account is updated accordingly.

team/support-issues/admin

Grants the holder Admin permissions in the Replicated collab repository in GitHub for the Vendor Portal team. Applies after the user adds their GitHub username to the Vendor Portal Account Settings page.

For more information about the Admin role in GitHub, see Permissions for each role in the GitHub documentation.

important

When you update an existing RBAC policy to add one or more team/support-issues resource, the GitHub role in the Replicated collab repository of every team member that is assigned to that policy and has a GitHub username saved in their account is updated accordingly.

User

user/token/list

Grants the holder permission to list user tokens.

user/token/create

Grants the holder permission to create new user tokens.

user/token/delete

Grants the holder permission to delete user tokens.