Merged
18 changes: 16 additions & 2 deletions docs/concepts/authorization/rbac-system.md
Expand Up @@ -208,9 +208,12 @@ Root Space

## Roles

### Predefined roles
### System roles

Spacelift provides three predefined roles (corresponding to the legacy system roles):
System roles provide standard, least-privileged permission policies for granting access to specific pieces of Spacelift functionality.
For example, the `Worker pool controller` role contains the correct permissions to allow the Kubernetes controller to manage worker pools automatically.

System roles are immutable and cannot be modified or deleted, ensuring consistent baseline permissions across all accounts.

#### Space reader

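Review bot: replacing `Spacelift provides three predefined roles (corresponding to the legacy system roles):` drops the only sentence in this section that ties Space reader/writer/admin to the legacy Read/Write/Admin roles, which the second file in this change also deletes; readers migrating from the legacy model lose that mapping entirely, so consider keeping one line such as "The Space reader, writer and admin roles correspond to the legacy Read/Write/Admin system roles." Two smaller points on the added example: "the Kubernetes controller" is not named or linked, so it is unclear which component is meant, and `Worker pool controller` is set in code font here while role names elsewhere on the page are headings or bold text.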
Expand Down Expand Up @@ -244,6 +247,17 @@ Spacelift provides three predefined roles (corresponding to the legacy system ro
!!! info "Root Space Admin"
Users with Space Admin role on the **root** space become **Root Space Admins** with account-wide privileges including SSO setup, VCS configuration, and audit trail management.

#### Worker pool controller

**Actions**:

- Space
- Read
- Workerpool
- Create
- Update
- Delete

### Custom roles

#### Create custom roles using the web UI
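Review bot: the action list for `Worker pool controller` grants Space Read and Workerpool Create/Update/Delete but no Workerpool Read, while the section intro describes the controller as managing worker pools; either Read on Workerpool is implied by Update/Delete and should be stated, or it is missing from the list. The list also spells the resource `Workerpool` while the heading says `Worker pool`; if `Workerpool` is the literal resource identifier shown in the UI, say so, otherwise align the spelling. Since the intro calls system roles least-privileged, one line on why the controller needs Delete would justify that permission.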
11 changes: 2 additions & 9 deletions docs/concepts/spaces/access-control.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,9 @@ specific spaces, providing precise control over who can access what resources.

## Roles and RBAC

### Predefined roles
### System roles

Spacelift provides three predefined roles that can be assigned to users on a space-by-space basis:

- **Space Reader** - View-only access to resources within the space, can add comments to runs for collaboration
- **Space Writer** - Space Reader permissions + ability to trigger runs and modify environment variables
- **Space Admin** - Space Writer permissions + ability to create and modify stacks and attachable entities

These predefined roles correspond to the legacy system roles (Read/Write/Admin) and provide a simple starting point for
organizations new to RBAC.
Spacelift provides [built-in system roles](../authorization/rbac-system.md#system-roles) that can be assigned to users on a space-by-space basis.

### Custom roles

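Review bot: the new link `../authorization/rbac-system.md#system-roles` only resolves because the heading rename to `### System roles` lands in the same change; any other page still linking to `#predefined-roles` will now point at a missing anchor, so it is worth grepping the docs for that fragment before merging. The removed bullets were this page's only one-line summary of what Space Reader, Writer and Admin allow; a reader now has to follow the link to learn the difference, so consider keeping a single-sentence summary alongside the link.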