Roles and Permissions
PaletteAI manages permissions using standard Kubernetes Role-Based Access Control (RBAC), with one consistent extension: every role in PaletteAI is bound to OpenID Connect (OIDC) groups rather than to individual users. When you create a Tenant or Project, PaletteAI generates the underlying roles and role bindings automatically and connects them to the OIDC groups you specify in the Tenant's tenantRoleMapping or the Project's roleMapping. Group membership in your identity provider grants or revokes access; there are no per-user resources to maintain inside the cluster.
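Because access is meant to flow only through OIDC groups, a role binding whose subject is an individual User is drift worth reviewing. The following is an added example, not PaletteAI's own code, that checks for this over a constructed sample shaped like the output of `kubectl get rolebindings -A -o json`; every namespace, binding, role, group and user name in it is hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get rolebindings -A -o json` output.
# Namespace, binding, role, group and user names are all hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "project-admin", "namespace": "project-a"},
   "roleRef": {"kind": "Role", "name": "project-admin"},
   "subjects": [{"kind": "Group", "name": "oidc:project-a-admins"}]},
  {"metadata": {"name": "temp-debug", "namespace": "project-a"},
   "roleRef": {"kind": "Role", "name": "project-admin"},
   "subjects": [{"kind": "User", "name": "alice@example.com"}]},
  {"metadata": {"name": "empty-binding", "namespace": "project-b"},
   "roleRef": {"kind": "Role", "name": "project-viewer"}}
]}
""")


def audit_bindings(binding_list):
    """Return (groups per namespace, bindings that name an individual User)."""
    groups, user_findings = {}, []
    for item in binding_list.get("items", []):
        meta = item.get("metadata", {})
        ns = meta.get("namespace", "<cluster-scoped>")
        role = item.get("roleRef", {}).get("name", "<unknown>")
        # "subjects" is optional in the RBAC API; treat missing or null as empty.
        for subject in item.get("subjects") or []:
            kind = subject.get("kind")
            if kind == "Group":
                groups.setdefault(ns, set()).add(subject.get("name"))
            elif kind == "User":
                # A per-user grant bypasses group membership in the identity provider.
                user_findings.append((ns, meta.get("name"), role, subject.get("name")))
            # ServiceAccount subjects are workloads, not people, and are skipped here.
    return groups, user_findings


if __name__ == "__main__":
    groups, user_findings = audit_bindings(SAMPLE)
    for ns, names in sorted(groups.items()):
        print(f"{ns}: groups {sorted(names)}")
    for ns, binding, role, user in user_findings:
        print(f"REVIEW {ns}/{binding}: role {role} bound to user {user}")
```

Against a live cluster, load the kubectl JSON output with json.load and pass it to audit_bindings; the groups reported per namespace can then be compared with the groups listed in the Tenant or Project mapping.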