Configure RBAC in the Control Plane

This feature is available for BYOC and Dedicated clusters.

Use Redpanda Cloud role-based access control (RBAC) in the control plane to manage access to resources in your organization. For example, you can grant everyone in a team access to clusters in a development resource group while limiting access to clusters in a production resource group. You can also restrict access to geographically dispersed clusters to support data residency requirements.

After reading this page, you will be able to:

  • Assign predefined or custom roles to users and service accounts

  • Manage role bindings at the organization level

  • Create custom roles with granular permissions

RBAC terminology

Role: A role is a named set of permissions. With RBAC, permissions are attached to roles rather than directly to accounts. An account assigned multiple roles receives the union of all permissions defined in those roles.

Account: An RBAC account is either a user account (human user) or a service account (machine or programmatic user).

Role binding: A role binding assigns a role to an account on a specific resource. Administrators can add, edit, or remove role bindings for a user or service account. When you change the permissions of a role, all users and service accounts bound to that role automatically receive the modified permissions.

Manage organization access

In the Redpanda Cloud Console, the Organization IAM page lists your organization’s users and service accounts and their assigned roles. You can invite users, create service accounts, and edit access for existing accounts. When you add a user or service account, you assign permissions through role bindings.

On the Organization IAM page, select a user or service account to view its assigned roles. For example, if a user has the Admin role at the organization level, the Resource is the organization name, the Scope is Organization, and the Role is Admin. You can edit a user or service account to assign a different role or limit access to a specific resource.

Role bindings can be scoped to different resource types, including:

  • Organization

  • Resource group

  • Network

  • Network peering

  • Cluster (Serverless clusters have a different set of permissions from BYOC and Dedicated clusters.)

Redpanda topics are not a control plane scope. For topic-level access control, see Configure RBAC in the Data Plane.

You can scope a service account only to resources for which you already have permission. For example, if you have the Admin role for a specific resource group, you can create a service account scoped to that resource group, but not one scoped to a resource group you have no permission on.

Users can have multiple roles if each role binding applies to a different resource or scope. For example, a user could have the Reader role for the organization, the Admin role for a specific resource group, and the Writer role for a specific cluster.

When you delete a custom role, Redpanda removes it from any users or service accounts assigned to it, and the associated permissions are revoked.
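The following Python model is an added example for this page, not Redpanda code, and it exists only to make the rules above concrete: permissions are the union of every role bound to an account, a binding on a parent resource reaches its descendants, a service account can be scoped only to a resource the actor already administers, and deleting a role drops every binding that used it. Everything it assumes beyond the page is hypothetical: the hierarchy Organization > Resource group > Cluster, the permission names such as "cluster:read", the contents of the Reader, Writer and Admin roles, and "iam:bind" as the permission that lets an account create a service account on a resource.

```python
"""Toy model of the control-plane RBAC concepts on this page (added example,
not Redpanda code). Assumed, not stated by the page: a resource hierarchy
Organization > Resource group > Cluster, a binding on a parent applying to every
descendant, hypothetical permission names such as "cluster:read", and "iam:bind"
as the permission that lets an account scope a service account to a resource."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    name: str
    scope: str            # "Organization", "Resource group" or "Cluster"
    parent: Resource | None = None

    def lineage(self) -> list[Resource]:
        """The resource followed by each ancestor up to the organization."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


@dataclass
class Rbac:
    roles: dict[str, frozenset[str]] = field(default_factory=dict)
    # (account, role, resource): an account may hold several bindings as long as
    # each one targets a different resource or scope.
    bindings: list[tuple[str, str, Resource]] = field(default_factory=list)

    def define_role(self, name: str, permissions: set[str]) -> None:
        self.roles[name] = frozenset(permissions)

    def bind(self, account: str, role: str, resource: Resource) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.bindings.append((account, role, resource))

    def effective_permissions(self, account: str, resource: Resource) -> frozenset[str]:
        """Union of the permissions of every role bound to the account on the
        resource itself or on any ancestor (an org-level binding reaches everything)."""
        lineage = resource.lineage()
        granted: set[str] = set()
        for acct, role, target in self.bindings:
            if acct == account and target in lineage:
                granted |= self.roles[role]
        return frozenset(granted)

    def allowed(self, account: str, permission: str, resource: Resource) -> bool:
        return permission in self.effective_permissions(account, resource)

    def bind_service_account(self, actor: str, service_account: str,
                             role: str, resource: Resource) -> None:
        """Guard for the page's rule that a service account can be scoped only to a
        resource the actor already has permission on: the actor must hold the assumed
        "iam:bind" permission there, so a Reader on a resource group cannot mint an
        Admin service account on it."""
        if not self.allowed(actor, "iam:bind", resource):
            raise PermissionError(f"{actor} may not bind accounts on {resource.name}")
        self.bind(service_account, role, resource)

    def delete_role(self, name: str) -> int:
        """Deleting a role removes every binding that used it; returns how many."""
        del self.roles[name]
        before = len(self.bindings)
        self.bindings = [b for b in self.bindings if b[1] != name]
        return before - len(self.bindings)


def build_example() -> tuple[Rbac, dict[str, Resource]]:
    """The layout from the page: Reader on the org, Admin on one resource group,
    Writer on one cluster. Role contents here are assumed, not the real predefined roles."""
    org = Resource("acme", "Organization")
    dev = Resource("dev", "Resource group", org)
    prod = Resource("prod", "Resource group", org)
    res = {
        "org": org, "dev": dev, "prod": prod,
        "dev-1": Resource("dev-1", "Cluster", dev),
        "prod-1": Resource("prod-1", "Cluster", prod),
        "prod-2": Resource("prod-2", "Cluster", prod),
    }
    rbac = Rbac()
    rbac.define_role("Reader", {"cluster:read"})
    rbac.define_role("Writer", {"cluster:read", "cluster:update"})
    rbac.define_role("Admin", {"cluster:read", "cluster:update", "cluster:delete", "iam:bind"})
    rbac.bind("alice", "Reader", org)
    rbac.bind("alice", "Admin", dev)
    rbac.bind("alice", "Writer", res["prod-1"])
    return rbac, res


if __name__ == "__main__":
    rbac, r = build_example()
    print(sorted(rbac.effective_permissions("alice", r["dev-1"])))   # Admin via the dev group
    print(sorted(rbac.effective_permissions("alice", r["prod-2"])))  # only the org-level Reader
```

With this layout alice can delete dev-1 (Admin inherited from the dev resource group), can update prod-1 (explicit Writer binding) but only read prod-2 (nothing beyond the org-level Reader), and can scope a service account to anything under dev but not to the prod resource group. The delegation guard is the check worth copying: without it, any account that can create service accounts could grant itself a role on a resource it cannot administer.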

Predefined roles

Redpanda Cloud provides several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin.

Before assigning a role to a user or service account, review the Organization IAM - Roles tab to compare the full list of predefined roles and their permissions.

On BYOC and Dedicated clusters, the Reader, Writer, and Admin roles include data plane permissions for the Schema Registry in addition to Kafka resources (topics, consumer groups, transactional IDs, and cluster operations). Permissions are scoped to the subject and registry ACL resource types.

Role     Subject operations (resource name *)                           Registry operations (global)
Reader   Read, Describe                                                 Describe, DescribeConfigs
Writer   Read, Write, Delete, Describe, DescribeConfigs                 Describe, DescribeConfigs
Admin    Read, Write, Delete, Describe, DescribeConfigs, AlterConfigs   Describe, DescribeConfigs, AlterConfigs

For more information on Schema Registry ACLs, including resource types and supported operations, see Schema Registry Authorization.

Custom roles

In addition to the predefined roles, administrators can create custom roles to grant only the permissions an account needs, without the broad access of predefined roles.

To create a custom role, use the Redpanda Cloud Console or the Control Plane API.

In the Redpanda Cloud Console:

  1. In the left navigation menu, select the Organization IAM - Roles tab.

  2. Click Create role.

  3. Enter a Name and optional Description for the role.

  4. Select permissions from the available categories: Control Plane, Data Plane, IAM, and Billing. Each category contains multiple permission groups (for example, Cluster, Network, or Topic), and each group contains individual operations such as Create, Read, Update, and Delete. You can select operations individually or select all operations for a group.

  5. Click Create.

After creating a custom role, you can assign it to users through role bindings on the Users tab, scoping each binding to the organization, a resource group, or an individual resource so the account receives only the access it needs.