diff --git a/docs/concepts/authorization/rbac-system.md b/docs/concepts/authorization/rbac-system.md index 842226285..e33d67b3d 100644 --- a/docs/concepts/authorization/rbac-system.md +++ b/docs/concepts/authorization/rbac-system.md @@ -208,9 +208,12 @@ Root Space ## Roles -### Predefined roles +### System roles -Spacelift provides three predefined roles (corresponding to the legacy system roles): +System roles provide standard, least-privileged permission policies for granting access to specific pieces of Spacelift functionality. +For example, the `Worker pool controller` role contains the correct permissions to allow the Kubernetes controller to manage worker pools automatically. + +System roles are immutable and cannot be modified or deleted, ensuring consistent baseline permissions across all accounts. #### Space reader @@ -244,6 +247,17 @@ Spacelift provides three predefined roles (corresponding to the legacy system ro !!! info "Root Space Admin" Users with Space Admin role on the **root** space become **Root Space Admins** with account-wide privileges including SSO setup, VCS configuration, and audit trail management. +#### Worker pool controller + +**Actions**: + +- Space + - Read +- Workerpool + - Create + - Update + - Delete + ### Custom roles #### Create custom roles using the web UI diff --git a/docs/concepts/spaces/access-control.md b/docs/concepts/spaces/access-control.md index a6579b8f2..b12d7e1e0 100644 --- a/docs/concepts/spaces/access-control.md +++ b/docs/concepts/spaces/access-control.md 
@@ -7,16 +7,9 @@ specific spaces, providing precise control over who can access what resources. ## Roles and RBAC -### Predefined roles +### System roles -Spacelift provides three predefined roles that can be assigned to users on a space-by-space basis: - -- **Space Reader** - View-only access to resources within the space, can add comments to runs for collaboration -- **Space Writer** - Space Reader permissions + ability to trigger runs and modify environment variables -- **Space Admin** - Space Writer permissions + ability to create and modify stacks and attachable entities - -These predefined roles correspond to the legacy system roles (Read/Write/Admin) and provide a simple starting point for -organizations new to RBAC. +Spacelift provides [built-in system roles](../authorization/rbac-system.md#system-roles) that can be assigned to users on a space-by-space basis. ### Custom roles
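Review bot: In the first rbac-system.md hunk (@@ -208), dropping "(corresponding to the legacy system roles)" removes the only mapping between the Space reader/writer/admin roles and the legacy Read/Write/Admin names, and the second file's hunk removes the same mapping from access-control.md, so nothing in the docs now tells a reader on the legacy model which system role replaces which legacy role; keep one sentence such as "The Space reader, Space writer and Space admin roles correspond to the legacy Read/Write/Admin roles." under the new heading. Also, "immutable and cannot be modified or deleted" says the same thing twice; "System roles cannot be modified or deleted" is enough.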
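Review bot: In the second rbac-system.md hunk (@@ -244), the new "#### Worker pool controller" section lists only the actions and never says what the role is for, whereas the intro paragraph in the previous hunk explains it is meant for the Kubernetes controller managing worker pools; add that one-line purpose here so the section stands on its own, and state that the role carries Create/Update/Delete on worker pools in the space where it is granted so readers understand the scope of what they are handing to the controller. The resource is written "Workerpool" in the action list but "Worker pool" in the role name and intro; use one spelling, matching how the resource is named in the other role sections.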
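Review bot: In the access-control.md hunk (@@ -7), replacing the three bullets with a single link leaves this page with no summary of what each system role grants, so someone assigning roles space-by-space has to leave the page to learn that Space Reader is view-only and Space Admin can create stacks and attachable entities; keep a short one-line-per-role summary and add the link after it. The link target `../authorization/rbac-system.md#system-roles` matches the renamed "### System roles" heading in the other file, so the anchor itself is fine.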