Access Control (RBAC) Roles & Permissions
This page describes how HPE Machine Learning Data Management’s access control system works and how you can use it to manage access in HPE Machine Learning Data Management. Use RBAC to grant granular access to specific HPE Machine Learning Data Management resources.
How RBAC Works
#
Role-based Access Control works by managing access for users (human or robot) through assigned roles. Roles contain a set of granular permissions (create, read, update, delete) for a given resource. In HPE Machine Learning Data Management, resources include clusters, projects, and repositories.
A user can have many roles, and some roles encompass the permissions of other roles. For example, if you have a clusterAdmin, all other permissions belonging to more restricted roles are included.
Tip
You can use the command pachctl auth roles-for-permission <permission> to look up which roles provide a given permission.
Admin Roles
#
clusterAdmin
#
The clusterAdmin role includes all of the previous permissions, plus the following:
| Permission |
| CLUSTER_MODIFY_BINDINGS |
| CLUSTER_GET_BINDINGS |
| CLUSTER_AUTH_ACTIVATE |
| CLUSTER_AUTH_DEACTIVATE |
| CLUSTER_AUTH_GET_CONFIG |
| CLUSTER_AUTH_SET_CONFIG |
| CLUSTER_AUTH_MODIFY_GROUP_MEMBERS |
| CLUSTER_AUTH_GET_GROUPS |
| CLUSTER_AUTH_GET_GROUP_USERS |
| CLUSTER_AUTH_EXTRACT_TOKENS |
| CLUSTER_AUTH_RESTORE_TOKEN |
| CLUSTER_AUTH_ROTATE_ROOT_TOKEN |
| CLUSTER_AUTH_DELETE_EXPIRED_TOKENS |
| CLUSTER_AUTH_GET_PERMISSIONS_FOR_PRINCIPAL |
| CLUSTER_AUTH_REVOKE_USER_TOKENS |
| CLUSTER_ENTERPRISE_ACTIVATE |
| CLUSTER_ENTERPRISE_HEARTBEAT |
| CLUSTER_ENTERPRISE_GET_CODE |
| CLUSTER_ENTERPRISE_DEACTIVATE |
| CLUSTER_DELETE_ALL |
| CLUSTER_ENTERPRISE_PAUSE |
oidcAppAdmin
#
| Permission |
| CLUSTER_IDENTITY_DELETE_OIDC_CLIENT |
| CLUSTER_IDENTITY_CREATE_OIDC_CLIENT |
| CLUSTER_IDENTITY_UPDATE_OIDC_CLIENT |
| CLUSTER_IDENTITY_LIST_OIDC_CLIENTS |
| CLUSTER_IDENTITY_GET_OIDC_CLIENT |
idpAdmin
#
| Permission |
| CLUSTER_IDENTITY_CREATE_IDP |
| CLUSTER_IDENTITY_UPDATE_IDP |
| CLUSTER_IDENTITY_LIST_IDPS |
| CLUSTER_IDENTITY_GET_IDP |
| CLUSTER_IDENTITY_DELETE_IDP |
secretAdmin
#
| Permission |
| CLUSTER_CREATE_SECRET |
| CLUSTER_LIST_SECRETS |
| SECRET_INSPECT |
| SECRET_DELETE |
identityAdmin
#
| Permission |
| CLUSTER_IDENTITY_SET_CONFIG |
| CLUSTER_IDENTITY_GET_CONFIG |
licenseAdmin
#
| Permission |
| CLUSTER_LICENSE_ACTIVATE |
| CLUSTER_LICENSE_GET_CODE |
| CLUSTER_LICENSE_ADD_CLUSTER |
| CLUSTER_LICENSE_UPDATE_CLUSTER |
| CLUSTER_LICENSE_DELETE_CLUSTER |
| CLUSTER_LICENSE_LIST_CLUSTERS |
Project Roles
#
All users have the PROJECT_LIST_REPO and PROJECT_CREATE_REPO permissions by default.
Tip
You can view your access level by running the command pachctl list project and checking the ACCESS_LEVEL column.
projectViewer
#
| Permission |
| PROJECT_LIST_REPO |
projectWriter
#
The projectWriter role includes all of the projectViewer permissions, plus the following:
| Permission |
| PROJECT_CREATE_REPO |
projectOwner
#
| Permission |
| PROJECT_DELETE |
| PROJECT_MODIFY_BINDINGS |
projectCreator
#
| Permission |
| PROJECT_CREATE |
Repo Roles
#
repoReader
#
| Permission |
| REPO_READ |
| REPO_INSPECT_COMMIT |
| REPO_LIST_COMMIT |
| REPO_LIST_BRANCH |
| REPO_LIST_FILE |
| REPO_INSPECT_FILE |
| REPO_ADD_PIPELINE_READER |
| REPO_REMOVE_PIPELINE_READER |
| PIPELINE_LIST_JOB |
repoWriter
#
The repoWriter role includes all of the repoReader permissions, plus the following:
| Permission |
| REPO_WRITE |
| REPO_DELETE_COMMIT |
| REPO_CREATE_BRANCH |
| REPO_DELETE_BRANCH |
| REPO_ADD_PIPELINE_WRITER |
repoOwner
#
The repoOwner role includes all of the repoWriter and repoReader permissions, plus the following:
| Permission |
| REPO_MODIFY_BINDINGS |
| REPO_DELETE |
Misc Roles
#
debugger
#
| Permission |
| CLUSTER_DEBUG_DUMP |
| CLUSTER_GET_PACHD_LOGS |
robotUser
#
| Permission |
| CLUSTER_AUTH_GET_ROBOT_TOKEN |
pachdLogReader
#
| Permission |
| CLUSTER_GET_PACHD_LOGS |