You have created a User. In order to grant Role Based permissions within Komodor, you will need to associate Roles and Policies.
How RBAC Works in Komodor
RBAC operates on a hierarchical permissions model, ensuring that users can only access what they are explicitly allowed to.
| Component | Description |
|---|---|
| Roles | Entities that group users and policies. Roles align with organizational functions (e.g., DevOps team) and can be temporary or permanent. |
| Policies | A set of Actions permitted within a defined scope: where and under what conditions the Role applies (e.g., by Cluster, Namespace, Labels/Annotations). |
| Actions | The actions (tasks) a user can perform, within the specified scope of the policy. |
| Users | The users or service accounts assigned to roles in order to perform actions in the Komodor Application or at the cluster-level. |
How to find Roles, Policies and Actions in the UI
Go to Organization Settings (Gear Icon, top navigation bar). Under Access Management select Roles or Policies.
About Actions
- Actions are a series of granularly defined capabilities within Komodor.
About Policies
- Policies are where you granularly assign access to Actions.
- Roles can be associated with 1 or more Policies.
- Out-of-the-box Policies: default-admin-v2, default-readonly-v2.
How to Create a New Policy
1. In the Policies UI, click on + New Policy.
2. Give the Policy a Name and Description.
3. Optional: Add Roles. If you would like this Policy to automatically inherit the permissions of existing Roles (and in turn, their Policies), you may assign 1 or more here.
4. Click + Add Statement. Options: scope your Policy and assign Actions.
- You may define multiple Statements per Policy.
- Statements are where you can optionally restrict access by Cluster and/or Namespace. A Statement can also be set to apply to all clusters.
- Once you have selected your desired scope, select the Actions from the Action list that you want associated with this Policy.
- Once you have added your first Statement, View JSON becomes available on the main Policy editing page.
- You may also go back in and edit the Statement(s).
How to Edit a Policy
- In the Policies UI, hover over the entry of the Policy you want to edit and select the Pencil icon.
About Roles
- Users are associated with 1 or more Roles.
- Out-of-the-box Roles: account-admin.
- Note: you cannot edit account-admin. If you want an 'administrative' Role with lesser permissions, you will need to create a new Role.
- Note: The first user who creates your Komodor account will always be assigned account-admin. This Role can later be changed, or assigned to other users.
How to Create a New Role
1. In the Roles UI, click on + Add Role.
2. Select one or more Policies to associate with this Role.
3. Optional: Assign users in bulk directly to this Role.
4. Optional: Set this Role as the default Role for new users.
How to Edit a Role
- In the Roles UI, hover over the entry of the Role you want to edit and select the Pencil icon.
How can I restrict User access in Komodor to a subset of Clusters? A subset of Namespaces?
Problem: I only want developers to be able to access lower-environment Clusters when they are in Komodor.
Solution: Create Policies that are scoped. Then create specific Roles that are mapped to those Policies. Assign those Roles to your developers.
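The hierarchy described above (Users hold Roles, Roles group Policies, Policies contain scoped Statements of Actions, and a Policy may additionally inherit other Roles) is easier to reason about with a small evaluator in front of you. The following Python is an added illustrative model, not Komodor's own code, policy JSON or action list: the class names, the `workloads:view`/`pods:logs`-style action strings, the cluster and namespace names and the users are all constructed assumptions. It shows the default-deny rule (nothing is allowed unless some reachable Statement covers the cluster, namespace and action), the developer-restricted-to-lower-environments scenario from the Problem/Solution above, and the role-inheritance option from step 3 of "How to Create a New Policy", guarded against inheritance cycles.

```python
"""Illustrative model of the Roles -> Policies -> Statements -> Actions hierarchy.

Constructed example: the data shapes, names and action strings are assumptions
for illustration only, not Komodor's real policy JSON, API or action names.
"""
from dataclasses import dataclass, field

ALL = "*"  # wildcard standing in for the "apply to all clusters" / all-namespaces choice


@dataclass(frozen=True)
class Statement:
    """One scope (clusters, namespaces) plus the Actions permitted inside it."""
    clusters: frozenset
    namespaces: frozenset
    actions: frozenset

    def covers(self, cluster: str, namespace: str, action: str) -> bool:
        in_cluster = ALL in self.clusters or cluster in self.clusters
        in_namespace = ALL in self.namespaces or namespace in self.namespaces
        return in_cluster and in_namespace and action in self.actions


@dataclass
class Policy:
    name: str
    statements: list = field(default_factory=list)
    inherits_roles: list = field(default_factory=list)  # the optional "Add Roles" on a Policy


@dataclass
class Role:
    name: str
    policies: list  # Policy objects


class Rbac:
    """Default-deny evaluator: allow only if some reachable Statement covers the request."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.user_roles: dict[str, set[str]] = {}

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def assign(self, user: str, *role_names: str) -> None:
        self.user_roles.setdefault(user, set()).update(role_names)

    def _statements(self, role_name: str, seen: set) -> list:
        # Walk Role -> Policies -> inherited Roles -> their Policies ..., visiting each
        # Role once so a cycle in "Add Roles" cannot recurse forever.
        if role_name in seen or role_name not in self.roles:
            return []
        seen.add(role_name)
        out = []
        for policy in self.roles[role_name].policies:
            out.extend(policy.statements)
            for inherited in policy.inherits_roles:
                out.extend(self._statements(inherited, seen))
        return out

    def is_allowed(self, user: str, cluster: str, namespace: str, action: str) -> bool:
        for role_name in self.user_roles.get(user, ()):
            for st in self._statements(role_name, set()):
                if st.covers(cluster, namespace, action):
                    return True
        return False  # no Statement matched: deny


def build_example() -> Rbac:
    """Constructed tenant: developers scoped to lower-environment clusters, admins unrestricted."""
    view_only = frozenset({"workloads:view", "pods:logs"})  # constructed action names
    admin_actions = view_only | frozenset({"pods:delete", "users:impersonate"})

    dev_lower_env = Policy("dev-lower-env", [
        Statement(frozenset({"dev-cluster", "staging-cluster"}), frozenset({ALL}), view_only),
    ])
    full_access = Policy("full-access", [
        Statement(frozenset({ALL}), frozenset({ALL}), admin_actions),
    ])
    # Inherits everything the "developer" Role grants, plus one narrowly scoped Statement.
    qa_prod_logs = Policy("qa-prod-logs", [
        Statement(frozenset({"prod-cluster"}), frozenset({"checkout"}), frozenset({"pods:logs"})),
    ], inherits_roles=["developer"])

    rbac = Rbac()
    rbac.add_role(Role("developer", [dev_lower_env]))
    rbac.add_role(Role("account-admin", [full_access]))
    rbac.add_role(Role("qa", [qa_prod_logs]))
    rbac.assign("alice@example.com", "developer")
    rbac.assign("bob@example.com", "qa")
    rbac.assign("break-glass@example.com", "account-admin")  # generic (service-account style) user
    return rbac


if __name__ == "__main__":
    r = build_example()
    for user, cluster, ns, act in [
        ("alice@example.com", "dev-cluster", "payments", "pods:logs"),
        ("alice@example.com", "prod-cluster", "payments", "pods:logs"),
        ("bob@example.com", "prod-cluster", "checkout", "pods:logs"),
        ("bob@example.com", "prod-cluster", "checkout", "pods:delete"),
    ]:
        verdict = "ALLOW" if r.is_allowed(user, cluster, ns, act) else "DENY"
        print(f"{user} {act} on {cluster}/{ns} -> {verdict}")
```

Running the block prints an ALLOW for alice on dev-cluster and a DENY for the same action on prod-cluster, which is exactly the split the scoped Policy plus Role mapping is meant to produce; bob's inherited developer permissions plus his own prod-cluster/checkout log access show how "Add Roles" on a Policy widens, never narrows, what the Role grants.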
Can I create a Service Account type of user and associate it to a Role?
Example Use Case: I don't want a human user to be the sole holder of account-admin; I want a generic account assigned so that we always have access even if an employee leaves.
While all user accounts require a valid email to log in, you can create a generic account, assign it permissions and use impersonation to access it. Impersonation is considered a best practice here because it is restricted to a limited set of users.
1. Create a new User. Call it whatever you like.
2. When you create that User, give it a fake email. Example: user@test+yourdomain.com. An email is required for field validation, but since this User will never authenticate through SSO, it will not matter.
3. Assign the Roles and Policies that you want it to have.
Accessing the Account's permissions via Impersonation
Note: The ability to impersonate is controlled by having the appropriate Action in an associated Policy.
1. In the Users view, find the Service Account you just created. Hover over the Person icon on the right side of the row.
2. Accept the prompt that you are going into Impersonation mode.
While you are impersonating a User, Komodor will:
- Show at the top of the screen that you are in impersonation mode
- Always audit all actions as the impersonated User
How to Leave Impersonation Mode
- Click the "X" in the red "Impersonating <user>" message, as displayed above.