Managing project users
Access to projects is managed by granting users roles. The following roles exist: admin, developer, viewer and backoffice.
Permission | admin | developer | viewer | backoffice |
---|---|---|---|---|
View project | ✅ | ✅ | ✅ | ✅ |
Admin project | ✅ | ❌ | ❌ | ❌ |
View services | ✅ | ✅ | ✅ | ❌ |
Deploy services | ✅ | ✅ | ❌ | ❌ |
Update services | ✅ | ✅ | ❌ | ❌ |
Delete services | ✅ | ❌ | ❌ | ❌ |
View routes | ✅ | ✅ | ✅ | ❌ |
Manage routes | ✅ | ✅ | ❌ | ❌ |
View secrets | ✅ | ✅ | ✅ | ❌ |
Manage secrets | ✅ | ✅ | ❌ | ❌ |
Backoffice functions | ✅ | ❌ | ❌ | ✅ |
Backoffice functions include the ability to view entity event logs and values directly, the ability to invoke methods on services even when not exposed to the internet or protected by ACLs, and the ability to manage projections.
Listing role bindings
You can list the role bindings in a project by running kalix roles list-bindings:
$ kalix roles list-bindings
ROLE BINDING ID                        ROLE        USERNAME       EMAIL                      NAME
fd21044c-b973-4220-8f65-0f7d317bb23b   developer   jane.citizen   jane.citizen@example.com   Jane Citizen
120b75b6-6b53-4ebb-b23b-2272be974966   admin       john.smith     john.smith@example.com     John Smith
This shows a list of all the role bindings in the project.
Granting a role
There are two ways to grant a role to a user. The first is to invite them to join the project using their email address.
To send an invitation, use the kalix roles invitations invite-user command:
kalix roles invitations invite-user <email address> --role <role>
The user will then receive an email inviting them to join the project. If they accept the invitation, a role binding will be created for them with the specified role.
If the user is already a member of the project and you want to grant them additional roles, or if the project is owned by an organization and the user is a member of that organization, you can add them directly with the kalix roles add-binding command, passing either their username or their email address. In that case no invitation is sent and the user does not need to accept one.
To add a role to a user by email address:
kalix roles add-binding --email <email address> --role <role>
To add a role to a user by username:
kalix roles add-binding --username <username> --role <role>
Deleting a role binding
A role binding can be deleted by referencing its role binding ID. The role binding ID can be obtained by listing role bindings. Once you have the role binding ID, you can delete the role binding using kalix roles delete-binding:
kalix roles delete-binding <role binding id>
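A least-privilege review of role bindings, as an added example that is not part of the Kalix documentation or tooling: it parses the text output of kalix roles list-bindings, applies the permission table from this page, and reports which users hold sensitive permissions and through which binding IDs. The SENSITIVE set, the treatment of a user's roles as additive, and the last two sample rows are assumptions made for this example.

```python
import uuid
from collections import defaultdict
PERMS = {"View project", "Admin project", "View services", "Deploy services",
         "Update services", "Delete services", "View routes", "Manage routes",
         "View secrets", "Manage secrets", "Backoffice functions"}
# Role -> permissions, transcribed from the permission table on this page.
ROLE_PERMS = {
    "admin": PERMS,
    "developer": PERMS - {"Admin project", "Delete services", "Backoffice functions"},
    "viewer": {"View project", "View services", "View routes", "View secrets"},
    "backoffice": {"View project", "Backoffice functions"},
}
# Assumption: which permissions count as sensitive is this example's choice.
SENSITIVE = {"Admin project", "Delete services", "Manage secrets", "Backoffice functions"}

# Constructed sample: the two rows shown on this page plus two made-up bindings.
SAMPLE = """\
ROLE BINDING ID                        ROLE         USERNAME       EMAIL                      NAME
fd21044c-b973-4220-8f65-0f7d317bb23b   developer    jane.citizen   jane.citizen@example.com   Jane Citizen
120b75b6-6b53-4ebb-b23b-2272be974966   admin        john.smith     john.smith@example.com     John Smith
00000000-0000-4000-8000-000000000001   backoffice   jane.citizen   jane.citizen@example.com   Jane Citizen
00000000-0000-4000-8000-000000000002   viewer       sam.viewer     sam.viewer@example.com     Sam Viewer
"""

def parse_bindings(text):
    """Yield (binding_id, role, username, email) for each data row."""
    for line in text.splitlines():
        fields = line.split()
        try:
            uuid.UUID(fields[0])      # data rows start with a UUID binding ID
        except (IndexError, ValueError):
            continue                  # header, prompt or blank line
        if len(fields) < 4 or fields[1] not in ROLE_PERMS:
            raise ValueError(f"unrecognised row, review manually: {line!r}")
        yield tuple(fields[:4])

def review(text):
    """Map username -> (sorted sensitive permissions, binding IDs granting them)."""
    perms, ids = defaultdict(set), defaultdict(list)
    for binding_id, role, user, _email in parse_bindings(text):
        granted = ROLE_PERMS[role] & SENSITIVE
        if granted:
            perms[user] |= granted    # assumption: a user's roles are additive
            ids[user].append(binding_id)
    return {user: (sorted(perms[user]), ids[user]) for user in perms}

if __name__ == "__main__":
    for user, (held, via) in review(SAMPLE).items():
        print(f"{user}: {', '.join(held)} (bindings: {', '.join(via)})")
```

A binding ID reported here is the value kalix roles delete-binding expects once a grant is confirmed to be unnecessary.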
Managing invitations
You can view a list of outstanding invitations by running kalix roles invitations list:
$ kalix roles invitations list
EMAIL                      ROLE
jane.citizen@example.com   admin
Invitations will automatically expire after 7 days. You can manually delete an invitation by running kalix roles invitations delete:
kalix roles invitations delete <email address>
If you wish to resend an invitation, this can be done by first deleting the invitation, and then inviting the user again.