# Configure GBAC in the Control Plane

---
title: Configure GBAC in the Control Plane
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: authorization/gbac/gbac
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: authorization/gbac/gbac.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/security/pages/authorization/gbac/gbac.adoc
description: Configure GBAC to manage access to organization-level resources, like clusters, resource groups, and networks, using OIDC groups from your identity provider.
page-topic-type: how-to
learning-objective-1: Register an OIDC group in Redpanda Cloud
learning-objective-2: Assign a predefined or custom role to a group
learning-objective-3: Manage group-based access at the organization level
page-git-created-date: "2026-04-07"
page-git-modified-date: "2026-05-26"
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/security/authorization/gbac/gbac.md -->

> 📝 **NOTE**
>
> This feature is available for BYOC and Dedicated clusters.

Use Redpanda Cloud group-based access control (GBAC) in the [control plane](https://docs.redpanda.com/cloud-data-platform/reference/glossary/#control-plane) to manage access to organization resources based on OIDC groups from your identity provider (IdP). For example, you can grant one group access to development clusters while restricting production access to another group. You can also restrict access to geographically dispersed clusters to support data residency requirements. When a user’s group membership changes in the IdP, their Redpanda access updates automatically.

After reading this page, you will be able to:

-   Register an OIDC group in Redpanda Cloud

-   Assign a predefined or custom role to a group

-   Manage group-based access at the organization level

## [](#gbac-terminology)GBAC terminology

**Group**: A group is a collection of users defined in your IdP. With GBAC, you can assign groups to roles or ACLs in Redpanda Cloud, so that users inherit permissions based on their group membership in your IdP.

**Role**: A role is a list of permissions. Permissions are attached to roles. Users assigned multiple roles receive the union of all permissions defined in those roles. Redpanda Cloud has several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin. You can also create custom roles.

**Role binding**: Role binding assigns a role to an account. Administrators can add, edit, or remove role bindings for a user. When you change the permissions for a given role, all users and service accounts with that role automatically get the modified permissions.

## [](#manage-organization-access)Manage organization access

In the Redpanda Cloud Console, the **Organization IAM** page lets you create groups. When you create a group, you define its permissions with role binding. When you edit a group, you can change its role bindings to update the group’s permissions. When you change the permissions for a given role, all groups with that role automatically get the modified permissions.

Various resources can be assigned as the scope of a role, including the following:

-   Organization

-   Resource group

-   Network

-   Network peering

-   Cluster (Serverless clusters have a different set of permissions from BYOC and Dedicated clusters.)

-   MCP server

You can manage GBAC configurations with the [Redpanda Cloud Console](https://cloud.redpanda.com) or with the [Control Plane API](https://docs.redpanda.com/api/doc/cloud-controlplane/).

## [](#configure-group-claim-extraction)Configure group claim extraction

Different identity providers structure group information differently in their OIDC tokens. Before you register groups, configure group claim extraction in your SSO connection settings so that Redpanda Cloud knows where to find group claims in the token.

1.  In the Cloud UI, navigate to **Organization IAM > Single sign-on**, then select your IdP connection.

2.  For **Mapping mode**, select **use\_map**.

3.  Configure **Attributes (JSON)** to map attribute names to claim paths, including `federated_groups` for group claims.

    A claim path is a [JSON path](https://goessner.net/articles/JsonPath/) expression that tells Redpanda where to find group information in the OIDC token. The appropriate claim path for each attribute may vary per IdP.

    For example, Okta exposes group claims in `${context.userinfo.groups}`. In this case, you must also include `groups` in **Userinfo scope**.

## [](#register-groups)Register groups

To assign an IdP group to a role or ACL, you must first register the group in Redpanda Cloud:

### Cloud UI

1.  Navigate to **Organization IAM > Groups**.

2.  Click **Create group**.

3.  Enter a **Name** that matches the group in your IdP exactly (for example, `engineering`).

4.  Optionally, enter a **Description**, and configure a **Role binding** to assign the group to a role with a specific scope and resource.

5.  Click **Create**.

### Control Plane API

Make a [`POST /v1/groups`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-groupservice_creategroup) request to the [Control Plane API](https://docs.redpanda.com/cloud-data-platform/manage/api/cloud-byoc-controlplane-api/):

```bash
curl -X POST 'https://api.redpanda.com/v1/groups' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <token>' \
  -d '{
    "group": {
      "name": "<group-name>",
      "description": "<group-description>"
    }
  }'
```

Replace `<group-name>` with the name that matches the group in your IdP (for example, `engineering`). The name must match exactly for GBAC to map the group correctly.
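The two steps above depend on each other: the claim path configured under **Attributes (JSON)** decides which group names Redpanda Cloud sees in the token, and those names must match the registered group names exactly. The following is an added example, not Redpanda's code or an API client: it resolves a claim path against a constructed ID token payload, then checks the extracted groups against a constructed set of registered names and builds the `POST /v1/groups` body shown above for any that are missing. The claim-path resolver handles only the dotted `$.a.b` subset of JSONPath and is an assumption about how such a path is evaluated, as is the `$.groups` layout of the sample token; the `alg: none` header is there only to make unsigned test input, since signature verification belongs to the SSO integration and is not shown.

```python
"""Added example: resolve the federated_groups claim path against an OIDC token
payload and check the result against registered Redpanda Cloud group names.
All data below is constructed; nothing here is Redpanda's own implementation."""
import base64
import json

# Constructed sample ID-token payload, shaped like an IdP that puts groups in a
# top-level "groups" claim. "Platform-Admins" differs only by case from the
# registered name, which is the usual reason a mapping silently fails.
SAMPLE_PAYLOAD = {
    "sub": "user-123",
    "email": "alice@example.com",
    "groups": ["engineering", "Platform-Admins", "sre"],
    "resource_access": {"account": {"roles": ["viewer"]}},
}

# Constructed set of group names already registered in Redpanda Cloud.
REGISTERED_GROUPS = {"engineering", "platform-admins"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_unsigned_token(payload: dict) -> str:
    """Build an unsigned header.payload. string purely as test input.
    A real IdP signs the token; this helper is not a signing routine."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_token_payload(token: str) -> dict:
    """Return the payload segment of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def resolve_claim_path(payload: dict, claim_path: str):
    """Resolve a dotted JSONPath such as '$.groups' or
    '$.resource_access.account.roles'. Returns None when any segment is
    missing, so a mismatched path fails closed instead of granting access."""
    if not claim_path.startswith("$"):
        raise ValueError("claim path must start with '$'")
    node = payload
    for key in [k for k in claim_path[1:].split(".") if k]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_groups(token: str, attributes: dict) -> list:
    """Apply the 'federated_groups' entry of the attribute map to the token.
    A missing or non-string claim yields no groups, hence no group-based access."""
    claim_path = attributes.get("federated_groups")
    if claim_path is None:
        return []
    value = resolve_claim_path(decode_token_payload(token), claim_path)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [g for g in value if isinstance(g, str)]
    return []


def match_registered(idp_groups: list, registered: set) -> dict:
    """Classify IdP groups by exact, case-sensitive match against registered
    names; case-only differences are reported separately as a misconfiguration."""
    by_lower = {name.lower(): name for name in registered}
    result = {"matched": [], "case_mismatch": [], "unregistered": []}
    for group in idp_groups:
        if group in registered:
            result["matched"].append(group)
        elif group.lower() in by_lower:
            result["case_mismatch"].append((group, by_lower[group.lower()]))
        else:
            result["unregistered"].append(group)
    return result


def create_group_body(name: str, description: str = "") -> dict:
    """Request body for POST /v1/groups in the shape shown on this page."""
    return {"group": {"name": name, "description": description}}


if __name__ == "__main__":
    token = encode_unsigned_token(SAMPLE_PAYLOAD)
    groups = extract_groups(token, {"federated_groups": "$.groups"})
    report = match_registered(groups, REGISTERED_GROUPS)
    print(json.dumps(report, indent=2))
    for name in report["unregistered"]:
        print(json.dumps(create_group_body(name, "registered from IdP export")))
```

Run with a claim path that does not exist in the token (for example `$.resource_access.roles`) to confirm the user ends up with no groups rather than a wrong set; that is the behaviour you want to verify before relying on GBAC for production clusters.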

## [](#predefined-roles)Predefined roles

Redpanda Cloud provides several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin.

Before assigning a role to a user or service account, review the **Organization IAM > Roles** tab to compare the full list of predefined roles and their permissions.

> 📝 **NOTE**
>
> On BYOC and Dedicated clusters, the Reader, Writer, and Admin roles include data plane permissions for the Schema Registry in addition to Kafka resources (topics, consumer groups, transactional IDs, and cluster operations). Permissions are scoped to the `subject` and `registry` ACL resource types.
>
> | Role | `subject` operations (resource name `*`) | `registry` operations (global) |
> | --- | --- | --- |
> | Reader | Read, Describe | Describe, DescribeConfigs |
> | Writer | Read, Write, Delete, Describe, DescribeConfigs | Describe, DescribeConfigs |
> | Admin | Read, Write, Delete, Describe, DescribeConfigs, AlterConfigs | Describe, DescribeConfigs, AlterConfigs |
>
> For more information on Schema Registry ACLs, including resource types and supported operations, see [Schema Registry Authorization](https://docs.redpanda.com/cloud-data-platform/manage/schema-reg/schema-reg-authorization/).

## [](#custom-roles)Custom roles

In addition to the predefined roles, administrators can create custom roles to mix and match permissions for specific use cases. Custom roles let you grant only the permissions a group needs, without the broad access of predefined roles.

Custom roles are created on the **Roles** tab in **Organization IAM**. For steps to create a custom role, see [Custom roles in RBAC](https://docs.redpanda.com/cloud-data-platform/security/authorization/rbac/rbac/#custom-roles).

When you register a group or edit a group’s role binding, you can assign any predefined or custom role to the group.

## [](#suggested-reading)Suggested reading

-   [Configure GBAC in the Data Plane](https://docs.redpanda.com/cloud-data-platform/security/authorization/gbac/gbac_dp/)

-   [Configure RBAC in the Control Plane](https://docs.redpanda.com/cloud-data-platform/security/authorization/rbac/rbac/)

-   [Configure RBAC in the Data Plane](https://docs.redpanda.com/cloud-data-platform/security/authorization/rbac/rbac_dp/)

-   [Single sign-on](https://docs.redpanda.com/cloud-data-platform/security/cloud-authentication/#single-sign-on)