# Roles & RBAC

b'nerd Cloud uses a preset-based RBAC model. Every member of an organization has a role and a set of fine-grained permissions. Permissions are stored as a JSONB hash keyed by category; each key holds the list of actions allowed in that category.
## Roles
| Role | Description |
|---|---|
| Admin | Full access to all resources. Bypasses per-category permission checks. |
| Member | Access limited to the explicit permissions on their membership. |
There are always at least two accounts with the Admin role in a healthy organization — the platform prevents you from removing the last admin.
## Permission categories
Each membership carries permissions across eight categories:
| Category | Controls access to |
|---|---|
| projects | Create, update, and delete projects |
| openstack | Compute (VMs, volumes, networks, etc.) |
| garden | Kubernetes (Gardener-managed clusters) |
| rgw | Object storage (RGW users, buckets) |
| apps | DPF applications |
| billing | Invoices, subscriptions, payment methods |
| members | Invite, update, and remove organization members |
| settings | Organization settings |
The actions within a category are `read`, `create`, `update`, and `delete`. The `members` category additionally has `invite` and `remove` actions.
## Built-in presets

Apply a preset with `POST /memberships/{id}/apply_preset` and a body of `{ "preset": "<name>" }`.
### admin

Full read/write on all categories. Admins bypass per-category permission checks by role, so these entries are not what grants their access; the preset still populates them so that the UI and the audit trail reflect the intended scope.

| Category | Actions |
|---|---|
| projects | read, create, update, delete |
| openstack | read, create, update, delete |
| garden | read, create, update, delete |
| rgw | read, create, update, delete |
| apps | read, create, update, delete |
| billing | read, update |
| members | read, invite, update, remove |
| settings | read, update |
### developer

Read/write on infrastructure and apps. Cannot manage billing, members, or settings.

| Category | Actions |
|---|---|
| projects | read, create, update |
| openstack | read, create, update |
| garden | read, create, update |
| rgw | read, create, update |
| apps | read, create, update, delete |
| billing | read |
| members | read |
| settings | read |
### operator

Read-only on most resources; can update (but not create/delete) compute, Kubernetes, and apps. No write access to billing, members, or settings.

| Category | Actions |
|---|---|
| projects | read |
| openstack | read, update |
| garden | read, update |
| rgw | read |
| apps | read, update |
| billing | read |
| members | read |
| settings | read |
### viewer

Read-only across all categories. Suitable for stakeholders who need visibility without any write access.

| Category | Actions |
|---|---|
| projects | read |
| openstack | read |
| garden | read |
| rgw | read |
| apps | read |
| billing | read |
| members | read |
| settings | read |
### billing_manager

Read-only on infrastructure; can read and update billing. Suitable for finance team members.

| Category | Actions |
|---|---|
| projects | read |
| openstack | read |
| garden | read |
| rgw | read |
| apps | read |
| billing | read, update |
| members | read |
| settings | read |
## Applying a preset via the API

```http
POST /memberships/{id}/apply_preset
Authorization: Bearer <token>
Content-Type: application/json

{ "preset": "developer" }
```
Returns the updated membership with the new permissions. Applying a preset overwrites all existing permissions on that membership, including any custom per-category changes made earlier.
## Listing available presets
Returns a map of all preset names to their permission hashes.
## Custom permissions

Presets are a starting point. You can update individual permissions without applying a preset:

```http
PATCH /memberships/{id}
Authorization: Bearer <token>
Content-Type: application/json

{
  "membership": {
    "permissions": {
      "rgw": ["read", "create"],
      "billing": ["read"]
    }
  }
}
```
Only the categories you include are updated; categories you omit are left unchanged.
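The permission semantics described on this page (admin bypass by role, per-category action lists, `apply_preset` overwriting the whole hash, `PATCH` touching only the listed categories, and the last-admin guard) modelled as a small Python example. This is added here and is not b'nerd Cloud's own code; the function names and the in-memory membership dict are assumptions, as is the choice that a category listed in a PATCH has its action list replaced wholesale rather than merged.

```python
from copy import deepcopy

CATEGORIES = ("projects", "openstack", "garden", "rgw", "apps", "billing", "members", "settings")

# Two of the presets from this page; the others follow the same shape.
PRESETS = {
    "developer": {
        "projects": ["read", "create", "update"],
        "openstack": ["read", "create", "update"],
        "garden": ["read", "create", "update"],
        "rgw": ["read", "create", "update"],
        "apps": ["read", "create", "update", "delete"],
        "billing": ["read"],
        "members": ["read"],
        "settings": ["read"],
    },
    "viewer": {c: ["read"] for c in CATEGORIES},
}


def allowed(membership, category, action):
    """Admins bypass per-category checks; members need the action listed under the category.
    An unknown category or an empty list denies (default deny)."""
    if membership["role"] == "admin":
        return True
    return action in membership["permissions"].get(category, [])


def apply_preset(membership, name):
    """Models POST /memberships/{id}/apply_preset: the whole permissions hash is replaced."""
    membership["permissions"] = deepcopy(PRESETS[name])
    return membership


def patch_permissions(membership, changes):
    """Models PATCH /memberships/{id}: only the categories present in `changes` are touched
    (assumption: a listed category's action list is replaced, not merged)."""
    membership["permissions"].update(deepcopy(changes))
    return membership


def can_remove(members, member_id):
    """The last-admin guard: removing a non-admin is always fine; an admin may only be
    removed while another admin remains in the organization."""
    if members[member_id]["role"] != "admin":
        return True
    return sum(1 for m in members.values() if m["role"] == "admin") > 1
```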