Roles and Permissions
Tenant Role Permissions
When you create a tenant, PaletteAI automatically creates a role named project-{project-name}-tnt-adm with the following permissions. In the Permissions column, * means the role has full access to the resource, that is, every verb (including deletecollection) is allowed.
| Resources | Permissions | API |
|---|---|---|
| AIWorkload | * | spectrocloud.com/v1alpha1 |
| ComponentDefinition | * | spectrocloud.com/v1beta1 |
| Compute | * | spectrocloud.com/v1alpha1 |
| ComputeConfig | * | spectrocloud.com/v1alpha1 |
| ComputePool | * | spectrocloud.com/v1alpha1 |
| DefinitionRevision | * | spectrocloud.com/v1beta1 |
| Environment | * | spectrocloud.com/v1alpha1 |
| Hub | * | fleetconfig.open-cluster-management.io/v1beta1 |
| PolicyDefinition | * | spectrocloud.com/v1beta1 |
| ProfileBundle | * | spectrocloud.com/v1beta1 |
| Project | * | spectrocloud.com/v1alpha1 |
| Settings | * | spectrocloud.com/v1alpha1 |
| Spoke | * | fleetconfig.open-cluster-management.io/v1beta1 |
| TraitDefinition | * | spectrocloud.com/v1beta1 |
| VariableSet | * | spectrocloud.com/v1beta1 |
| Workload | * | spectrocloud.com/v1beta1 |
| WorkloadDeployment | * | spectrocloud.com/v1beta1 |
| WorkloadProfile | * | spectrocloud.com/v1beta1 |
All OpenID Connect (OIDC) groups listed in the tenant's tenantRoleMapping are bound to this single role through one RoleBinding. There is no finer tiering at the tenant level: every group in that mapping receives the same full access to the resources above, so the mapping should contain only groups that are meant to administer the tenant.
Project Role Permissions
When you create a project, PaletteAI automatically creates three distinct roles in the project scope with escalating permissions: viewer, editor, and admin.
Viewer Role Permissions
The viewer role can view all resources but cannot make any modifications.
| Resources | Permissions | API |
|---|---|---|
| AIWorkload | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| Compute | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputeConfig | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePool | get, list, watch | spectrocloud.com/v1alpha1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| Environment | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch | spectrocloud.com/v1beta1 |
| Project | get, list, watch | spectrocloud.com/v1alpha1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| VariableSet | get, list, watch | spectrocloud.com/v1beta1 |
| Workload | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch | spectrocloud.com/v1beta1 |
Editor Role Permissions
The editor role can deploy and manage AI Workloads, and the Compute, ComputeConfig, ProfileBundle, and WorkloadProfile resources they depend on, within the assigned project. Definitions, Environments, ComputePools, Settings, Workloads, WorkloadDeployments, and the Project itself remain read-only for editors, and VariableSets can be updated and patched but not created or deleted.
| Resources | Permissions | API |
|---|---|---|
| AIWorkload | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| Compute | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComputeConfig | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComputePool | get, list, watch | spectrocloud.com/v1alpha1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| Environment | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch, create, update, patch, delete | spectrocloud.com/v1beta1 |
| Project | get, list, watch | spectrocloud.com/v1alpha1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| VariableSet | get, list, watch, update, patch | spectrocloud.com/v1beta1 |
| Workload | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch, create, update, patch, delete | spectrocloud.com/v1beta1 |
Admin Role Permissions
The admin role has full control over all resources and configurations in the project scope, with one exception: the Project resource itself can be read and updated by the admin but not created or deleted. In the Permissions column, * means the role has full access to the resource.
| Resources | Permissions | API |
|---|---|---|
| AIWorkload | * | spectrocloud.com/v1alpha1 |
| ComponentDefinition | * | spectrocloud.com/v1beta1 |
| Compute | * | spectrocloud.com/v1alpha1 |
| ComputeConfig | * | spectrocloud.com/v1alpha1 |
| ComputePool | * | spectrocloud.com/v1alpha1 |
| DefinitionRevision | * | spectrocloud.com/v1beta1 |
| Environment | * | spectrocloud.com/v1beta1 |
| PolicyDefinition | * | spectrocloud.com/v1beta1 |
| ProfileBundle | * | spectrocloud.com/v1beta1 |
| Project | get, list, patch, watch, update | spectrocloud.com/v1alpha1 |
| Settings | * | spectrocloud.com/v1alpha1 |
| TraitDefinition | * | spectrocloud.com/v1beta1 |
| VariableSet | * | spectrocloud.com/v1beta1 |
| Workload | * | spectrocloud.com/v1beta1 |
| WorkloadDeployment | * | spectrocloud.com/v1beta1 |
| WorkloadProfile | * | spectrocloud.com/v1beta1 |
System Roles
In the system namespace, which defaults to mural-system, three roles are created by default:
| Role | Purpose |
|---|---|
| Viewer | Read-only access to system definitions |
| Editor | Update access to system definitions |
| Admin | Full access to system definitions |
For each project created, role bindings are created in the mural-system namespace to grant project users access to the system-level definitions: ComponentDefinitions, TraitDefinitions, PolicyDefinitions, and their DefinitionRevisions. These role bindings map the project's OIDC groups to the pre-existing system roles, so users can read system-level definitions in addition to the definitions in their own project.
Each role binding is named {project-name}-mural-project-{viewer|editor|admin} and binds the project's OIDC groups to the corresponding system role in the mural-system namespace.
Following are the permissions for each system role. These permissions apply to the mural-system namespace only. Note that, as listed, all three system roles grant only get, list, and watch on the definition resources; none of the project-derived bindings allows a project user to create, modify, or delete system-level definitions.
Viewer Role Permissions
| Resources | Permissions | API |
|---|---|---|
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
Editor Role Permissions
| Resources | Permissions | API |
|---|---|---|
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
Admin Role Permissions
| Resources | Permissions | API |
|---|---|---|
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
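The project role tables and the system role bindings above are ordinary Kubernetes RBAC: namespaced Roles whose rules are the table rows, and RoleBindings whose subjects are OIDC groups. The following added example (written for this page, not PaletteAI or Mural code) transcribes the project and system role tables into PolicyRule form, builds the RoleBindings for one project, and evaluates requests the way the RBAC authorizer does, so you can answer questions such as "can an editor delete a ComputePool?" or "can a project admin delete the Project itself?" before checking with kubectl auth can-i. The project name ml-team, its namespace project-ml-team, the OIDC group names, the role names viewer/editor/admin, and the use of the apiGroup spectrocloud.com with the Kind names as resource names are assumptions for illustration; the page does not specify them.

```python
"""Evaluate PaletteAI project and system role permissions as Kubernetes RBAC.

Added example, not PaletteAI/Mural code. Assumed (not stated on the page):
the project name, its namespace, the OIDC group names, the Role names
viewer/editor/admin, and that each table row is one PolicyRule in apiGroup
"spectrocloud.com". Rule matching follows Kubernetes RBAC semantics:
verbs ["*"] matches every verb, including deletecollection.
"""

RO = ("get", "list", "watch")
RW = RO + ("create", "update", "patch", "delete")
ALL = ("*",)
API_GROUP = "spectrocloud.com"

PROJECT_RESOURCES = (
    "AIWorkload", "ComponentDefinition", "Compute", "ComputeConfig",
    "ComputePool", "DefinitionRevision", "Environment", "PolicyDefinition",
    "ProfileBundle", "Project", "Settings", "TraitDefinition", "VariableSet",
    "Workload", "WorkloadDeployment", "WorkloadProfile",
)
SYSTEM_RESOURCES = ("ComponentDefinition", "DefinitionRevision",
                    "PolicyDefinition", "TraitDefinition")

# Resource -> verbs, transcribed from the project role tables on this page.
PROJECT_ROLES = {
    "viewer": {r: RO for r in PROJECT_RESOURCES},
    "editor": {r: RO for r in PROJECT_RESOURCES}
    | {r: RW for r in ("AIWorkload", "Compute", "ComputeConfig",
                       "ProfileBundle", "WorkloadProfile")}
    | {"VariableSet": RO + ("update", "patch")},
    "admin": {r: ALL for r in PROJECT_RESOURCES}
    | {"Project": ("get", "list", "patch", "watch", "update")},
}
# All three system roles are read-only on definitions, as the tables show.
SYSTEM_ROLES = {tier: {r: RO for r in SYSTEM_RESOURCES}
                for tier in ("viewer", "editor", "admin")}


def to_rules(perms):
    """Render a resource->verbs map as Kubernetes PolicyRule entries."""
    return [{"apiGroups": [API_GROUP], "resources": [res], "verbs": list(verbs)}
            for res, verbs in perms.items()]


def rule_allows(rule, api_group, resource, verb):
    """A rule grants a request only if apiGroups, resources and verbs all
    match, either literally or through the "*" wildcard."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def role_binding(name, namespace, role, groups):
    """RoleBinding granting a namespaced Role to OIDC groups (subject kind
    Group). The group values come from the identity provider's claims."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "Role", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "Group", "name": g} for g in groups],
    }


PROJECT = "ml-team"                   # assumed project name
PROJECT_NS = f"project-{PROJECT}"     # assumed project namespace
SYSTEM_NS = "mural-system"            # default system namespace (from page)
OIDC_GROUPS = {"viewer": ["ml-viewers"], "editor": ["ml-devs"],
               "admin": ["ml-admins"]}  # assumed group claim values

ROLES = {(PROJECT_NS, t): to_rules(p) for t, p in PROJECT_ROLES.items()}
ROLES.update({(SYSTEM_NS, t): to_rules(p) for t, p in SYSTEM_ROLES.items()})
# One binding in the project namespace (name assumed) plus the page's
# {project-name}-mural-project-{tier} binding into mural-system, per tier.
BINDINGS = [rb for t, g in OIDC_GROUPS.items() for rb in (
    role_binding(f"{PROJECT}-{t}", PROJECT_NS, t, g),
    role_binding(f"{PROJECT}-mural-project-{t}", SYSTEM_NS, t, g))]


def can(groups, namespace, resource, verb, api_group=API_GROUP):
    """Authorize like the RBAC authorizer: union the Roles bound to any of the
    caller's groups in this namespace; any matching rule allows, nothing denies."""
    groups = set(groups)
    for rb in BINDINGS:
        if rb["metadata"]["namespace"] != namespace:
            continue
        subjects = {s["name"] for s in rb["subjects"] if s["kind"] == "Group"}
        if not groups & subjects:
            continue
        rules = ROLES.get((namespace, rb["roleRef"]["name"]), [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False


if __name__ == "__main__":
    for tier, groups in OIDC_GROUPS.items():
        for ns, res, verb in ((PROJECT_NS, "ComputePool", "delete"),
                              (PROJECT_NS, "Project", "delete"),
                              (SYSTEM_NS, "ComponentDefinition", "update")):
            print(f"{tier:6} {verb:6} {res:20} in {ns}: "
                  f"{can(groups, ns, res, verb)}")
```

Two results worth noticing: the project admin's * on every other resource does not extend to deleting or creating the Project, and no tier, admin included, can modify anything in mural-system through these bindings. The same questions can be put to a live cluster with kubectl auth can-i --as=<user> --as-group=<group> -n <namespace> <verb> <resource>; this model only tells you what the tables promise, not what is actually bound.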