Roles and Permissions
PaletteAI manages permissions using standard Kubernetes Role-Based Access Control (RBAC), with one consistent extension: every role in PaletteAI is bound to OpenID Connect (OIDC) groups rather than to individual users. When you create a Tenant or Project, PaletteAI generates the underlying roles and role bindings automatically and connects them to the OIDC groups you specify in the Tenant's tenantRoleMapping or the Project's roleMapping. Group membership in your identity provider grants or revokes access; there are no per-user resources to maintain inside the cluster.
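The following is an added example, not PaletteAI code: a check for the property described above that scans standard Kubernetes RoleBinding and ClusterRoleBinding objects (the JSON that kubectl returns) and reports any subject of kind User, plus any group outside an expected set. The sample objects, group names and expected-group set are constructed for illustration, and nothing is assumed about how PaletteAI names the bindings it generates.

```python
import json

# Constructed sample shaped like `kubectl get rolebindings,clusterrolebindings -A -o json`.
# All names, namespaces and groups are made up for illustration.
SAMPLE = json.dumps({"items": [
    {"kind": "RoleBinding",
     "metadata": {"name": "project-editor", "namespace": "proj-a"},
     "roleRef": {"kind": "Role", "name": "project-editor"},
     "subjects": [{"kind": "Group", "name": "oidc:ml-editors"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "manual-grant", "namespace": "proj-a"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "tenant-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "tenant-admin"},
     "subjects": [{"kind": "Group", "name": "oidc:contractors"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "controller", "namespace": "proj-a"},
     "roleRef": {"kind": "Role", "name": "controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "ctrl", "namespace": "proj-a"}]},
]})


def audit_bindings(raw_json, expected_groups):
    """Return findings for subjects that bypass group-based access."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        meta = item.get("metadata", {})
        where = f'{item.get("kind")}/{meta.get("namespace", "-")}/{meta.get("name")}'
        role = item.get("roleRef", {}).get("name")
        # subjects may be absent or null on an empty binding
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name")
            if kind == "User":
                findings.append(("per-user-binding", where, name, role))
            elif kind == "Group" and name not in expected_groups:
                findings.append(("unexpected-group", where, name, role))
            # ServiceAccount subjects are workload identities, not OIDC users
    return findings


if __name__ == "__main__":
    for f in audit_bindings(SAMPLE, {"oidc:ml-editors", "oidc:ml-admins"}):
        print(*f, sep="\t")
```

Against a live cluster, pass the output of `kubectl get rolebindings,clusterrolebindings -A -o json` as `raw_json` and the groups listed in your Tenant and Project mappings as `expected_groups`.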
UI Action Permissions Reference
PaletteAI enforces Role-Based Access Control (RBAC) across the UI. Each create, edit, or delete action is available only to users whose role includes the required permission. If an action listed below is not visible in the UI, your role does not include the permission. Contact your administrator to request access. For the full list of permissions granted to each PaletteAI role, refer to the Role Permissions reference.