Roles and Permissions
Tenant Role Permissions
When you create a tenant, PaletteAI automatically creates a Role named prj-{project-name}-tnt-adm in each project namespace with the following permissions. In the Permissions column, * means the role is granted every verb on that resource. The API column gives the API group and version the resource belongs to; v1 is the core API group.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | * | v1 |
| Event | * | v1 |
| PersistentVolumeClaim | * | v1 |
| Pod | * | v1 |
| Secret | * | v1 |
| Service | * | v1 |
| ServiceAccount | * | v1 |
| All resources | * | apps |
| HelmRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| AIWorkload | * | spectrocloud.com/v1alpha1 |
| Compute | * | spectrocloud.com/v1alpha1 |
| ComputeConfig | * | spectrocloud.com/v1alpha1 |
| ComputePool | * | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | * | spectrocloud.com/v1alpha1 |
| Project | * | spectrocloud.com/v1alpha1 |
| ScalingPolicy | * | spectrocloud.com/v1alpha1 |
| Settings | * | spectrocloud.com/v1alpha1 |
| ComponentDefinition | * | spectrocloud.com/v1beta1 |
| DefinitionRevision | * | spectrocloud.com/v1beta1 |
| Environment | * | spectrocloud.com/v1beta1 |
| PolicyDefinition | * | spectrocloud.com/v1beta1 |
| ProfileBundle | * | spectrocloud.com/v1beta1 |
| TraitDefinition | * | spectrocloud.com/v1beta1 |
| VariableSet | * | spectrocloud.com/v1beta1 |
| Workload | * | spectrocloud.com/v1beta1 |
| WorkloadDeployment | * | spectrocloud.com/v1beta1 |
| WorkloadProfile | * | spectrocloud.com/v1beta1 |
| Hub | * | fleetconfig.open-cluster-management.io/v1beta1 |
| Spoke | * | fleetconfig.open-cluster-management.io/v1beta1 |
All OpenID Connect (OIDC) groups listed in the tenant's tenantRoleMapping are bound to this single Role through one RoleBinding.
Tenant Admin Cluster Permissions
Tenant admins are also bound to a ClusterRole named mural-tenant-admin that grants only the create verb, so they can create Projects, ComputeConfigs, Settings, and Secrets cluster-wide. Reading, updating, or deleting those objects still depends on the namespaced roles described above.
| Resources | Permissions | API |
|---|---|---|
| Secret | create | v1 |
| ComputeConfig | create | spectrocloud.com/v1alpha1 |
| Project | create | spectrocloud.com/v1alpha1 |
| Settings | create | spectrocloud.com/v1alpha1 |
Tenant Namespace Permissions
All project users (viewers, editors, admins, and tenant admins) receive view-only access to the tenant namespace through a Role named mural-tenant-viewer. This gives them read access to tenant-level configuration, that is, Settings and Secrets. Keep in mind that get, list, and watch on Secrets return the Secret data, so every project user, down to project viewers, can read the contents of every Secret in the tenant namespace; anything stored there is visible to the whole tenant.
| Resources | Permissions | API |
|---|---|---|
| Secret | get, list, watch | v1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
Project Role Permissions
Each project automatically creates three distinct Roles with escalating permissions: viewer, editor, and admin.
Viewer Role Permissions
The viewer role can read every resource in the project but cannot modify any of them. Because this includes get, list, and watch on Secrets, a viewer can read Secret contents in the project namespace, not just their names.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | get, list, watch | v1 |
| Event | get, list, watch | v1 |
| PersistentVolumeClaim | get, list, watch | v1 |
| Pod | get, list, watch | v1 |
| Secret | get, list, watch | v1 |
| Service | get, list, watch | v1 |
| ServiceAccount | get, list, watch | v1 |
| All resources | get, list, watch | apps |
| HelmRepository | get, list, watch | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch | source.toolkit.fluxcd.io |
| AIWorkload | get, list, watch | spectrocloud.com/v1alpha1 |
| Compute | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputeConfig | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePool | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | get, list, watch | spectrocloud.com/v1alpha1 |
| Project | get, list, watch | spectrocloud.com/v1alpha1 |
| ScalingPolicy | get, list, watch | spectrocloud.com/v1alpha1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| Environment | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| VariableSet | get, list, watch | spectrocloud.com/v1beta1 |
| Workload | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch | spectrocloud.com/v1beta1 |
Editor Role Permissions
The editor role can deploy and manage AI Workloads within its assigned project. It has the full verb set on workload-related resources but only read access to Project, Settings, ComputePool, and the definition resources (ComponentDefinition, DefinitionRevision, Environment, PolicyDefinition, TraitDefinition, Workload, WorkloadDeployment), and it can update or patch VariableSets without creating or deleting them.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | get, list, watch, create, update, patch, delete | v1 |
| Event | get, list, watch, create, update, patch, delete | v1 |
| PersistentVolumeClaim | get, list, watch, create, update, patch, delete | v1 |
| Pod | get, list, watch, create, update, patch, delete | v1 |
| Secret | get, list, watch, create, update, patch, delete | v1 |
| Service | get, list, watch, create, update, patch, delete | v1 |
| ServiceAccount | get, list, watch, create, update, patch, delete | v1 |
| All resources | get, list, watch, create, update, patch, delete | apps |
| HelmRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| AIWorkload | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| Compute | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComputeConfig | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComputePool | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| Project | get, list, watch | spectrocloud.com/v1alpha1 |
| ScalingPolicy | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| Environment | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch, create, update, patch, delete | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| VariableSet | get, list, watch, update, patch | spectrocloud.com/v1beta1 |
| Workload | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch, create, update, patch, delete | spectrocloud.com/v1beta1 |
Admin Role Permissions
The admin role has full control over every resource in the project scope, with one exception: it can read and update the Project but not create or delete it. * means the role is granted every verb on that resource.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | * | v1 |
| Event | * | v1 |
| PersistentVolumeClaim | * | v1 |
| Pod | * | v1 |
| Secret | * | v1 |
| Service | * | v1 |
| ServiceAccount | * | v1 |
| All resources | * | apps |
| HelmRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| AIWorkload | * | spectrocloud.com/v1alpha1 |
| Compute | * | spectrocloud.com/v1alpha1 |
| ComputeConfig | * | spectrocloud.com/v1alpha1 |
| ComputePool | * | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | * | spectrocloud.com/v1alpha1 |
| Project | get, list, watch, update, patch | spectrocloud.com/v1alpha1 |
| ScalingPolicy | * | spectrocloud.com/v1alpha1 |
| Settings | * | spectrocloud.com/v1alpha1 |
| ComponentDefinition | * | spectrocloud.com/v1beta1 |
| DefinitionRevision | * | spectrocloud.com/v1beta1 |
| Environment | * | spectrocloud.com/v1beta1 |
| PolicyDefinition | * | spectrocloud.com/v1beta1 |
| ProfileBundle | * | spectrocloud.com/v1beta1 |
| TraitDefinition | * | spectrocloud.com/v1beta1 |
| VariableSet | * | spectrocloud.com/v1beta1 |
| Workload | * | spectrocloud.com/v1beta1 |
| WorkloadDeployment | * | spectrocloud.com/v1beta1 |
| WorkloadProfile | * | spectrocloud.com/v1beta1 |
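A practical way to confirm that a project Role deployed in a cluster still matches the table for its tier is to pull the Role as JSON and diff its rules against the documented grants. The following Python script is an added example, not PaletteAI's own tooling. It encodes a subset of the editor table above, expands the Role's rules into per-resource verb sets (treating a `*` verb as the seven verbs the tables enumerate), reports missing and extra grants, and flags whether the Role can read Secret contents. It also makes explicit that the API column on this page names group/version while RBAC rules are keyed by group only: v1 is the core group, spelled "" in a rule. The Role JSON is a constructed sample, and the Role name prj-demo-editor, the namespace prj-demo, and the lowercase plural resource names for the CRDs are assumptions, since the page does not give the project Role names. The same script works unchanged against the tenant Role and mural-tenant-viewer once you swap the expected table.

```python
"""Diff a Kubernetes Role against the documented permission table.

Added example, not part of PaletteAI. Usage against a live cluster:
    kubectl get role <role> -n <namespace> -o json | python3 role_audit.py
With no input on stdin it audits the constructed SAMPLE_ROLE below.
"""
import json
import sys

# The seven verbs the tables enumerate. A '*' verb in a rule grants all of
# them (and any other verb, such as deletecollection, which is not modelled).
ALL_VERBS = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})
READ_VERBS = frozenset({"get", "list", "watch"})


def api_to_group(api):
    """Map the page's API column to an RBAC apiGroup.

    RBAC rules are keyed by group only, not version: 'v1' is the core group
    (spelled "" in a rule) and 'spectrocloud.com/v1alpha1' is 'spectrocloud.com'.
    """
    return "" if api == "v1" else api.split("/", 1)[0]


# Subset of the editor table, written as (API column, resource, verbs).
# Resource names are the lowercase plurals used in RBAC rules; for the CRDs
# they are assumed, since the page lists kinds rather than resource names.
EDITOR_TABLE = [
    ("v1", "secrets", ALL_VERBS),
    ("v1", "pods", ALL_VERBS),
    ("v1", "serviceaccounts", ALL_VERBS),
    ("apps", "*", ALL_VERBS),
    ("source.toolkit.fluxcd.io", "helmrepositories", ALL_VERBS),
    ("spectrocloud.com/v1alpha1", "aiworkloads", ALL_VERBS),
    ("spectrocloud.com/v1alpha1", "computepools", READ_VERBS),
    ("spectrocloud.com/v1alpha1", "projects", READ_VERBS),
    ("spectrocloud.com/v1beta1", "variablesets", READ_VERBS | {"update", "patch"}),
]
DOC_EDITOR = {(api_to_group(api), res): set(verbs) for api, res, verbs in EDITOR_TABLE}

# Constructed sample in the shape `kubectl get role -o json` returns. It drifts
# from the table on purpose: computepools gained delete, variablesets lost
# update and patch.
SAMPLE_ROLE = json.loads("""{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "prj-demo-editor", "namespace": "prj-demo"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets", "pods", "serviceaccounts"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["source.toolkit.fluxcd.io"], "resources": ["helmrepositories"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["spectrocloud.com"], "resources": ["aiworkloads"], "verbs": ["*"]},
    {"apiGroups": ["spectrocloud.com"], "resources": ["computepools"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["spectrocloud.com"], "resources": ["projects", "variablesets"],
     "verbs": ["get", "list", "watch"]}
  ]
}""")


def effective_grants(role):
    """Expand rules into {(apiGroup, resource): set of verbs}.

    Verbs accumulate across rules that name the same resource. A wildcard
    resource is kept literally as '*' and compared as such.
    """
    grants = {}
    for rule in role.get("rules", []):
        verbs = set(ALL_VERBS) if "*" in rule.get("verbs", []) else set(rule.get("verbs", []))
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                grants.setdefault((group, resource), set()).update(verbs)
    return grants


def diff_grants(actual, expected):
    """Return (missing, extra): documented verbs the Role lacks, and verbs it has beyond the table."""
    missing, extra = {}, {}
    for key in set(actual) | set(expected):
        have, want = actual.get(key, set()), expected.get(key, set())
        if want - have:
            missing[key] = sorted(want - have)
        if have - want:
            extra[key] = sorted(have - want)
    return missing, extra


def can_read_secrets(actual):
    """get, list and watch on core secrets all return the data field, so any one of them reveals contents."""
    return bool(actual.get(("", "secrets"), set()) & READ_VERBS)


if __name__ == "__main__":
    role = SAMPLE_ROLE if sys.stdin.isatty() else json.load(sys.stdin)
    grants = effective_grants(role)
    missing, extra = diff_grants(grants, DOC_EDITOR)
    print("role:", role["metadata"]["name"], "secrets readable:", can_read_secrets(grants))
    for key, verbs in sorted(missing.items()):
        print("MISSING", key, verbs)
    for key, verbs in sorted(extra.items()):
        print("EXTRA  ", key, verbs)
```

Run against the constructed sample, the script reports `computepools` as having an extra `delete` and `variablesets` as missing `update` and `patch`, and confirms the Role can read Secret contents. Subresources such as pods/exec are not covered by a rule on `pods`, so a drift check like this one says nothing about them unless the Role names them explicitly.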
System Roles
In the system namespace, which defaults to mural-system, three roles are created by default:
| Role | Purpose |
|---|---|
| Viewer | Read-only access to system definitions |
| Editor | Read-only access to system definitions |
| Admin | Read-only access to system definitions |
All three system roles share the same read-only permissions. For each project created, RoleBindings are created in the mural-system namespace to grant project users access to system-level definitions. These RoleBindings map the project roles to the pre-existing system roles, so users can read system-level definitions in addition to project-level definitions.
Each RoleBinding is named {project-name}-mural-project-{viewer|editor|admin} and binds the project's OIDC groups to the corresponding system role in the mural-system namespace.
Following are the permissions for each system role. These permissions are applied to the mural-system namespace only.
| Resources | Permissions | API |
|---|---|---|
| ScalingPolicy | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch | spectrocloud.com/v1beta1 |
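The bindings described on this page layer several grants onto one OIDC group: the tenant RoleBinding in each project namespace, mural-tenant-viewer in the tenant namespace, a {project-name}-mural-project-{viewer|editor|admin} binding in mural-system, and, for tenant admins, the mural-tenant-admin ClusterRole. Reviewing that layering binding by binding is error-prone, so the following Python script, an added example and not PaletteAI's own tooling, inverts a dump of RoleBindings and ClusterRoleBindings into a per-group list of the scopes and roles a group reaches, and flags any cluster-wide grant outside an allow-list. The input is a constructed sample in the shape `kubectl get rolebindings,clusterrolebindings -A -o json` returns. The Role names prj-demo-tnt-adm, mural-tenant-viewer and mural-tenant-admin and the binding name prj-demo-mural-project-admin follow the page; the group names, the tenant namespace tnt-demo, the system Role name mural-project-admin, the other binding names, and the extra cluster-admin binding are assumptions made for the example.

```python
"""List every Role or ClusterRole an OIDC group is bound to, across namespaces.

Added example, not part of PaletteAI. Usage against a live cluster:
    kubectl get rolebindings,clusterrolebindings -A -o json | python3 bindings.py tenant-admins
With no input on stdin it reads the constructed SAMPLE below.
"""
import json
import sys

CLUSTER_WIDE = "cluster-wide"

# Constructed sample. Role names and the prj-demo-mural-project-admin binding
# follow the page; the group names, the tenant namespace tnt-demo, the system
# Role name mural-project-admin, the other binding names, and the final
# cluster-admin binding (there so the allow-list check has something to catch)
# are assumptions for this example.
SAMPLE = json.loads("""{"items": [
  {"kind": "RoleBinding", "metadata": {"name": "prj-demo-tnt-adm", "namespace": "prj-demo"},
   "roleRef": {"kind": "Role", "name": "prj-demo-tnt-adm"},
   "subjects": [{"kind": "Group", "name": "tenant-admins"}, {"kind": "Group", "name": "platform-ops"}]},
  {"kind": "RoleBinding", "metadata": {"name": "mural-tenant-viewer", "namespace": "tnt-demo"},
   "roleRef": {"kind": "Role", "name": "mural-tenant-viewer"},
   "subjects": [{"kind": "Group", "name": "tenant-admins"}, {"kind": "Group", "name": "demo-viewers"}]},
  {"kind": "RoleBinding", "metadata": {"name": "prj-demo-mural-project-admin", "namespace": "mural-system"},
   "roleRef": {"kind": "Role", "name": "mural-project-admin"},
   "subjects": [{"kind": "Group", "name": "tenant-admins"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "mural-tenant-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "mural-tenant-admin"},
   "subjects": [{"kind": "Group", "name": "tenant-admins"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-break-glass"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "platform-ops"}]}
]}""")


def grants_for(dump, name, kind="Group"):
    """Return sorted (scope, roleKind, roleName) tuples for one subject.

    scope is the binding's namespace, or CLUSTER_WIDE for a ClusterRoleBinding.
    A RoleBinding may reference a ClusterRole, but that still only grants
    inside the binding's namespace, which is why scope is taken from the
    binding and not from the roleRef.
    """
    found = set()
    for item in dump.get("items", []):
        for subject in item.get("subjects") or []:
            if subject.get("kind") == kind and subject.get("name") == name:
                scope = item["metadata"].get("namespace", CLUSTER_WIDE)
                if item.get("kind") == "ClusterRoleBinding":
                    scope = CLUSTER_WIDE
                found.add((scope, item["roleRef"]["kind"], item["roleRef"]["name"]))
    return sorted(found)


def unexpected_cluster_wide(dump, name, allowed=frozenset({"mural-tenant-admin"})):
    """ClusterRoles the subject holds cluster-wide beyond the allow-list.

    The page describes mural-tenant-admin as the only cluster-wide grant for
    tenant admins, so any other ClusterRoleBinding on the group is drift.
    """
    return [g for g in grants_for(dump, name) if g[0] == CLUSTER_WIDE and g[2] not in allowed]


if __name__ == "__main__":
    group = sys.argv[1] if len(sys.argv) > 1 else "tenant-admins"
    dump = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for scope, role_kind, role_name in grants_for(dump, group):
        print(f"{scope:14} {role_kind:12} {role_name}")
    for g in unexpected_cluster_wide(dump, group):
        print("UNEXPECTED cluster-wide grant:", g[2])
```

For the constructed tenant-admins group the output lists all four scopes the page describes and no unexpected cluster-wide grant, while platform-ops is flagged for cluster-admin. The scope column is what matters when reviewing: a ClusterRole name in a RoleBinding is still a namespaced grant, and only a ClusterRoleBinding row means cluster-wide.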