Roles and Permissions
Tenant Role Permissions
When you create a tenant, PaletteAI automatically creates a role named project-{project-name}-tnt-adm with the following permissions:
| Resources | Permissions | API |
|---|---|---|
| Settings | * | mural.sh/v1alpha1 |
| Project | * | mural.sh/v1alpha1 |
| Compute | * | palette.ai/v1alpha1 |
| ComputeProfile | * | palette.ai/v1alpha1 |
| MLPlatform | * | palette.ai/v1alpha1 |
All OIDC groups listed in the tenant's tenantRoleMapping are bound to this single role through one RoleBinding.
Project Role Permissions
Projects automatically create three distinct roles with escalating permissions.
Viewer Role
Can view all resources but cannot make any modifications.
| Resources | Permissions | API |
|---|---|---|
| MLPlatform | get, list, watch | palette.ai/v1alpha1 |
| ComputeProfile | get, list, watch | palette.ai/v1alpha1 |
| Compute | get, list, watch | palette.ai/v1alpha1 |
| Project | get, list, watch | mural.sh/v1alpha1 |
| Settings | get, list, watch | mural.sh/v1alpha1 |
Editor Role
Can deploy and manage MLPlatforms within their assigned project.
| Resources | Permissions | API |
|---|---|---|
| MLPlatform | get, list, watch, create, update, patch, delete | palette.ai/v1alpha1 |
| ComputeProfile | get, list, watch, create, update, patch, delete | palette.ai/v1alpha1 |
| Compute | get, list, watch, create, update, patch, delete | palette.ai/v1alpha1 |
| Project | get, list, watch | mural.sh/v1alpha1 |
| Settings | get, list, watch | mural.sh/v1alpha1 |
Admin Role
Full control over all resources and configurations in the project scope. In the table, * means full access to the resource.
| Resources | Permissions | API |
|---|---|---|
| MLPlatform | * | palette.ai/v1alpha1 |
| ComputeProfile | * | palette.ai/v1alpha1 |
| Compute | * | palette.ai/v1alpha1 |
| Project | get, patch, watch, update | mural.sh/v1alpha1 |
| Settings | * | mural.sh/v1alpha1 |
System Roles
In the system namespace (mural-system by default), three roles are created by default:
| Role | Purpose |
|---|---|
| Viewer | Read-only access to system definitions |
| Editor | Update access to system definitions |
| Admin | Full access to system definitions |
For each project created, role bindings are created in the mural-system namespace to grant project users access to the system-level definitions: ComponentDefinitions, TraitDefinitions, and PolicyDefinitions. These role bindings map project roles to the pre-existing system roles, which is what allows users to access system-level definitions in addition to project-level definitions.
Each role binding is named {project-name}-mural-project-{viewer|editor|admin} and binds the project's OIDC groups to the corresponding system role in the mural-system namespace.
Below are the permissions for each system role. As a reminder, these permissions are only applied to the mural-system namespace.
Viewer Role
| Resources | Permissions | API |
|---|---|---|
| ComponentDefinition | get, list, watch | mural.sh/v1beta1 |
| TraitDefinition | get, list, watch | mural.sh/v1beta1 |
| PolicyDefinition | get, list, watch | mural.sh/v1beta1 |
| DefinitionRevision | get, list, watch | mural.sh/v1beta1 |
Editor Role
| Resources | Permissions | API |
|---|---|---|
| ComponentDefinition | get, list, watch | mural.sh/v1beta1 |
| TraitDefinition | get, list, watch | mural.sh/v1beta1 |
| PolicyDefinition | get, list, watch | mural.sh/v1beta1 |
| DefinitionRevision | get, list, watch | mural.sh/v1beta1 |
Admin Role
| Resources | Permissions | API |
|---|---|---|
| ComponentDefinition | get, list, watch | mural.sh/v1beta1 |
| TraitDefinition | get, list, watch | mural.sh/v1beta1 |
| PolicyDefinition | get, list, watch | mural.sh/v1beta1 |
| DefinitionRevision | get, list, watch | mural.sh/v1beta1 |
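The tables above describe Kubernetes Roles, and the way to check what they actually grant is to evaluate them the way the API server does. The following is an added example, not code from PaletteAI or the mural project: it transcribes the tenant, project and system role tables into rule objects, answers "can this role do this verb on this resource" with Kubernetes RBAC matching semantics (exact API group and resource, `*` as a wildcard verb), computes what each project tier adds or drops relative to the tier below it, and builds the mural-system RoleBinding name from the `{project-name}-mural-project-{viewer|editor|admin}` pattern. The role keys (`project-viewer`, `system-admin`, ...) and the function names are this example's own; the page does not name them. Resources are kept as the Kinds shown in the tables, whereas a real Role lists plural resource names.

```python
"""Kubernetes-style evaluation of the PaletteAI role tables.

Added example; not code from PaletteAI or the mural project. Rule
contents are transcribed from the tables on this page. Matching follows
Kubernetes RBAC: a request is allowed when any rule covers its API group,
resource and verb, and the verb "*" covers every verb.
"""
from dataclasses import dataclass

# Verbs used to expand "*" when comparing tiers. Kubernetes has a few more
# (e.g. deletecollection) that "*" also covers, so an expansion here is a
# lower bound on what a wildcard grants.
VERBS = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})
READ = frozenset({"get", "list", "watch"})
READ_WRITE = VERBS

# RBAC rules name the API group only; the version shown in the tables
# (v1alpha1, v1beta1) does not take part in matching.
PALETTE = "palette.ai"
MURAL = "mural.sh"


@dataclass(frozen=True)
class Rule:
    api_group: str
    resource: str  # Kind as shown on the page (a real Role uses plural names)
    verbs: frozenset

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        return (
            self.api_group == api_group
            and self.resource == resource
            and ("*" in self.verbs or verb in self.verbs)
        )


def rule(api_group: str, resource: str, verbs) -> Rule:
    return Rule(api_group, resource, frozenset(verbs))


SYSTEM_DEFS = ("ComponentDefinition", "TraitDefinition",
               "PolicyDefinition", "DefinitionRevision")

# Role keys are this example's own labels for the tables on the page.
ROLES = {
    "tenant-admin": [  # project-{project-name}-tnt-adm
        rule(MURAL, "Settings", "*"),
        rule(MURAL, "Project", "*"),
        rule(PALETTE, "Compute", "*"),
        rule(PALETTE, "ComputeProfile", "*"),
        rule(PALETTE, "MLPlatform", "*"),
    ],
    "project-viewer": [
        rule(PALETTE, "MLPlatform", READ),
        rule(PALETTE, "ComputeProfile", READ),
        rule(PALETTE, "Compute", READ),
        rule(MURAL, "Project", READ),
        rule(MURAL, "Settings", READ),
    ],
    "project-editor": [
        rule(PALETTE, "MLPlatform", READ_WRITE),
        rule(PALETTE, "ComputeProfile", READ_WRITE),
        rule(PALETTE, "Compute", READ_WRITE),
        rule(MURAL, "Project", READ),
        rule(MURAL, "Settings", READ),
    ],
    "project-admin": [
        rule(PALETTE, "MLPlatform", "*"),
        rule(PALETTE, "ComputeProfile", "*"),
        rule(PALETTE, "Compute", "*"),
        rule(MURAL, "Project", {"get", "patch", "watch", "update"}),
        rule(MURAL, "Settings", "*"),
    ],
    # mural-system namespace: all three tiers carry the same read-only rules
    **{f"system-{tier}": [rule(MURAL, d, READ) for d in SYSTEM_DEFS]
       for tier in ("viewer", "editor", "admin")},
}


def allows(role: str, api_group: str, resource: str, verb: str) -> bool:
    """Equivalent of `kubectl auth can-i`, evaluated against the transcribed rules."""
    return any(r.matches(api_group, resource, verb) for r in ROLES[role])


def grants(role: str) -> frozenset:
    """Expand a role into the set of (api_group, resource, verb) triples it permits."""
    out = set()
    for r in ROLES[role]:
        verbs = VERBS if "*" in r.verbs else r.verbs
        out.update((r.api_group, r.resource, v) for v in verbs)
    return frozenset(out)


def tier_delta(lower: str, higher: str):
    """Return (added, dropped): what `higher` grants beyond `lower`, and what
    `lower` grants that `higher` lacks. For strictly escalating tiers,
    `dropped` is expected to be empty."""
    lo, hi = grants(lower), grants(higher)
    return hi - lo, lo - hi


def system_binding_name(project: str, tier: str) -> str:
    """RoleBinding name in mural-system: {project-name}-mural-project-{tier}."""
    if tier not in ("viewer", "editor", "admin"):
        raise ValueError(f"unknown tier: {tier}")
    return f"{project}-mural-project-{tier}"


if __name__ == "__main__":
    for lo, hi in (("project-viewer", "project-editor"),
                   ("project-editor", "project-admin")):
        added, dropped = tier_delta(lo, hi)
        print(f"{lo} -> {hi}: +{len(added)} grants, dropped {sorted(dropped)}")
    print(system_binding_name("demo", "editor"))  # demo is a constructed project name
```

Running the tier comparison against the tables as printed shows that the Editor tier adds the four write verbs on the three palette.ai resources and drops nothing, while the Admin tier adds patch and update on Project and full access on Settings but no longer lists `list` on Project. Whether that dropped verb is intended is a deployment question; the point of the check is that it surfaces such differences mechanically instead of relying on a reading of the tables.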