User role authorization by use case
Authorization of these user roles follows a Role-based Access Control (RBAC) model with the restrictions applying to a specific scope—either within one project or within one account.
The following list does not cover Postgres cluster database authorization.
As of now, you cannot create custom roles. There are only these 11 predefined roles available:
Permissions | Org admin | Org owner | Platform admin | GenAI Builder user | Project owner | Project editor | Project viewer | Estate ingester | Catalog data reader | Catalog data writer |
---|---|---|---|---|---|---|---|---|---|---|
Access GenAI Builder (launchpad) | X | |||||||||
Configure GenAI Builder | X | |||||||||
Access Ops apps (launchpad) | X | |||||||||
View projects within the org | X | X | ||||||||
Update and delete projects | X | |||||||||
View roles assigned at the project level | X | X | X | X | ||||||
View activity log for the org | X | X | ||||||||
View and download usage report for the project | X | X | X | |||||||
View and download usage report for the org | X | X | ||||||||
Create projects within the org | X | |||||||||
Assign project roles | X | X | ||||||||
Create, edit, and delete clusters | X | X | ||||||||
View clusters, backups, estates, and migrations | X | X | X | |||||||
Assign org roles | X | |||||||||
View activity log for the project | X | X | X | |||||||
View, edit, and delete owned projects | X | |||||||||
Ingest self-managed Postgres cluster data | X* | |||||||||
Create, update, and delete catalog | X | X | ||||||||
Read catalog | X | |||||||||
Read Iceberg data | X | X | ||||||||
Write and delete Iceberg data | X |
\* Only machine-users can be assigned to ingest self-managed cluster data.