
Commit 71e7610

doc(CU-869azd0ae): update meaning of system role
1 parent f047ec8 commit 71e7610

File tree

2 files changed

+19
-11
lines changed

docs/concepts/authorization/rbac-system.md

Lines changed: 17 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -208,9 +208,12 @@ Root Space
208208

209209
## Roles
210210

211-
### Predefined roles
211+
### System roles
212212

213-
Spacelift provides three predefined roles (corresponding to the legacy system roles):
213+
System roles provide standard, least-privileged permission policies for granting access to specific pieces of Spacelift functionality.
214+
For example, the `Worker pool controller` role contains the correct permissions to allow the Kubernetes controller to manage worker pools automatically.
215+
216+
System roles are immutable and cannot be modified or deleted, ensuring consistent baseline permissions across all accounts.
214217

215218
#### Space reader
216219

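Review bot: the rewritten intro drops the sentence (removed line 213) that mapped the predefined roles to the legacy system roles, and renaming `### Predefined roles` to `### System roles` changes the heading anchor from `#predefined-roles` to `#system-roles`, so any page or external link still targeting the old anchor will break. Suggest keeping one sentence after line 216 stating that Space reader / Space writer / Space admin correspond to the legacy Read / Write / Admin roles, and grepping the docs for the old anchor. Since line 214 names the Kubernetes controller as the consumer of `Worker pool controller`, a link to the page describing that controller and how the role is assigned to it would also help readers land in the right place.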
@@ -244,6 +247,18 @@ Spacelift provides three predefined roles (corresponding to the legacy system ro
244247
!!! info "Root Space Admin"
245248
Users with Space Admin role on the **root** space become **Root Space Admins** with account-wide privileges including SSO setup, VCS configuration, and audit trail management.
246249

250+
#### Worker pool controller
251+
252+
**Actions**:
253+
254+
- Space
255+
- Read
256+
- Workerpool
257+
- Create
258+
- Update
259+
- Delete
260+
261+
247262
### Custom roles
248263

249264
#### Create custom roles using the web UI
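Review bot: the `Worker pool controller` action list (lines 252-260) grants `Workerpool` Create/Update/Delete but no Read; a controller that reconciles worker pools normally has to read them, so either add `Read` under `Workerpool` or state that write actions imply read in this permission model, otherwise the "correct permissions" claim in the intro does not hold. The resource is spelled `Workerpool` in the list while the heading says `Worker pool`; if `Workerpool` is the literal resource name used in policies, keep it, otherwise align the spelling. The section also does not say on which space the role is meant to be bound; the `Space: Read` action suggests a space scope, so a sentence on where to assign it would help.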

docs/concepts/spaces/access-control.md

Lines changed: 2 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,16 +7,9 @@ specific spaces, providing precise control over who can access what resources.
77

88
## Roles and RBAC
99

10-
### Predefined roles
10+
### System roles
1111

12-
Spacelift provides three predefined roles that can be assigned to users on a space-by-space basis:
13-
14-
- **Space Reader** - View-only access to resources within the space, can add comments to runs for collaboration
15-
- **Space Writer** - Space Reader permissions + ability to trigger runs and modify environment variables
16-
- **Space Admin** - Space Writer permissions + ability to create and modify stacks and attachable entities
17-
18-
These predefined roles correspond to the legacy system roles (Read/Write/Admin) and provide a simple starting point for
19-
organizations new to RBAC.
12+
Spacelift provides [built-in system roles](../authorization/rbac-system.md#system-roles) that can be assigned to users on a space-by-space basis.
2013

2114
### Custom roles
2215

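Review bot: the removed lines 12-19 were the only text on this page describing what each role allows and the only statement that the predefined roles correspond to the legacy Read/Write/Admin roles; that mapping is not re-added in rbac-system.md in this commit either, so readers coming from older docs lose it entirely. Suggest keeping a one-line summary next to the link (Space Reader is view-only plus run comments, Space Writer adds triggering runs and modifying environment variables, Space Admin adds creating and modifying stacks and attachable entities) or at least the legacy-role mapping. The relative link `../authorization/rbac-system.md#system-roles` does match the new heading in the other file, so the anchor itself is consistent.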