A role is a named collection of permissions that can be assigned to any user or team in the system. The set of actions a user can perform, such as creating, deleting, or updating configuration, depends on the permissions associated with the user's role. Roles are global resources that are defined once. AccessBindings in each configuration group bind a user to a specific role defined a priori.

TSB comes with the following predefined roles:

| Role | Permissions | Description |
| --- | --- | --- |
| rbac/admin | * | Grants full access to the target resource and its child objects |
| rbac/editor | Read, Write, Create | Grants read/write access to a resource and allows creating child resources |
| rbac/creator | Read, Create | Useful to delegate access to a resource without giving write access to the object itself. Users with this role will be able to manage sub-resources but not the resource itself |
| rbac/writer | Read, Write | Grants Read and Write access permissions |
| rbac/reader | Read | Grants read-only permissions to a resource |

The following example declares a custom workspace-admin role with the ability to create and delete configurations and to set RBAC policies on the groups within the workspace.

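kind: Role
metadata:
  name: role1
spec:
  rules:
  - types:
    # <api-group> is a placeholder: the API group value is not shown on this page
    - apiGroup: <api-group>
      kinds:
      - WorkspaceSetting
    permissions:
    - CREATE
    - READ
    - DELETE
    - WRITE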


Role is a named collection of permissions that can be assigned to any user or team in the system.

Field Description Validation Rule


List of tetrateio.api.tsb.rbac.v2.Role.Rule
A set of rules that define the permissions associated with each API group.

repeated = {
  min_items: 1
}


The type of API resource for which the role is being created.

Field Description Validation Rule


A specific API group such as

string = {
  min_len: 1
}


List of string
Specific kinds of APIs under the API group. If omitted, the role will apply to all kinds under the group.


A rule defines the set of api groups

Field Description Validation Rule


List of tetrateio.api.tsb.rbac.v2.Role.ResourceType
The set of API groups and the API kinds within each group to which this rule applies. If omitted, the permissions will globally apply to all resource types.


List of tetrateio.api.tsb.rbac.v2.Permission
The set of actions allowed for these APIs. The current version requires the kind, but this constraint will be relaxed in upcoming releases so that rules can apply globally to an entire API group.

repeated = {
  min_items: 1
}
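
The validation rules and "if omitted" semantics above can be checked before a Role is applied. The following lint is an added example, not part of the TSB documentation or tooling: it takes a Role already parsed into a dict, and it assumes the key names `spec`, `rules`, `kinds` and `permissions` (only `types` and `apiGroup` appear in the example on this page). The sample manifests and the `example.group/v1` API group are constructed.

```python
# Added example: lint a Role (as a parsed dict) against the validation rules
# and "if omitted" semantics described in the field reference.
# Assumed key names: spec, rules, kinds, permissions.

def lint_role(role):
    """Return (errors, warnings) for a Role manifest given as a dict."""
    errors, warnings = [], []
    rules = (role.get("spec") or {}).get("rules") or []
    if not rules:
        errors.append("rules: min_items 1 violated")
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        perms = rule.get("permissions") or []
        if not perms:
            errors.append(f"{where}.permissions: min_items 1 violated")
        types = rule.get("types") or []
        if not types:
            # Omitted types: permissions apply globally to all resource types.
            warnings.append(f"{where}: no types, {sorted(perms)} apply to all resource types")
        for j, rtype in enumerate(types):
            group = rtype.get("apiGroup") or ""
            if len(group) < 1:
                errors.append(f"{where}.types[{j}].apiGroup: min_len 1 violated")
            if not rtype.get("kinds"):
                # Omitted kinds: the role applies to every kind under the group.
                warnings.append(f"{where}.types[{j}]: no kinds, applies to all kinds under {group!r}")
    return errors, warnings

# Constructed sample input; "example.group/v1" is a placeholder API group.
SCOPED = {"kind": "Role", "metadata": {"name": "role1"}, "spec": {"rules": [
    {"types": [{"apiGroup": "example.group/v1", "kinds": ["WorkspaceSetting"]}],
     "permissions": ["CREATE", "READ", "DELETE", "WRITE"]}]}}
BROAD = {"kind": "Role", "metadata": {"name": "role2"}, "spec": {"rules": [
    {"permissions": ["READ", "WRITE"]},
    {"types": [{"apiGroup": ""}], "permissions": []}]}}

if __name__ == "__main__":
    for manifest in (SCOPED, BROAD):
        errs, warns = lint_role(manifest)
        print(manifest["metadata"]["name"], "errors:", errs, "warnings:", warns)
```

Errors correspond to the validation rules in the field tables; warnings mark rules whose scope widens because `types` or `kinds` was left out, which is worth reviewing when a role is meant to be least-privilege.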