Configure RBAC in the Control Plane

This feature is available for BYOC and Dedicated clusters.

Use Redpanda Cloud role-based access control (RBAC) in the control plane to manage access to resources in your organization. For example, you can grant everyone in a team access to clusters in a development resource group while limiting access to clusters in a production resource group. You can also restrict access to geographically dispersed clusters to support data residency requirements.

After reading this page, you will be able to:

  • Assign predefined or custom roles to users and service accounts

  • Manage role bindings at the organization level

  • Create custom roles with granular permissions

RBAC terminology

Role: A role is a list of permissions. With RBAC, permissions are attached to roles. Users assigned multiple roles receive the union of all permissions defined in those roles. Redpanda Cloud has several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin. You can also create custom roles.

Account: An RBAC account is either a user account (human user) or a service account (machine or programmatic user).

Role binding: A role binding assigns a role to an account. Administrators can add, edit, or remove role bindings for a user. When you change the permissions for a given role, all users and service accounts with that role automatically get the modified permissions.

Manage organization access

In the Redpanda Cloud Console, the Organization IAM page lists your organization’s existing users and service accounts and their associated roles. You can edit a user’s access, invite new users, and create service accounts. When you add a user, you define their permissions with role binding. Service accounts are assigned the Admin role for all resources in the organization.

On the Organization IAM - Users page, select a user to see their assigned roles. For example, for a user with Admin access on the organization, the user’s Resource is the organization name, the Scope is organization, and the Role is Admin.

Various resources can be assigned as the scope of a role. For example:

  • Organization

  • Resource group

  • Network

  • Network peering

  • Cluster (Serverless clusters have a different set of permissions from BYOC and Dedicated clusters.)

  • MCP server

Redpanda topics are not included. For topic-level access control, see Configure RBAC in the Data Plane.

Users can have multiple roles, as long as each role is for a different resource and scope. For example, you could assign a user the Reader role on the organization, the Admin role on a specific resource group, and the Writer role on a specific cluster.

When you delete a role, Redpanda removes it from any user or service account it is attached to, and permissions are revoked.
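The following added example (not Redpanda code or API output) reviews a set of role bindings against the rules described above: it flags users with Admin on the organization, service accounts, and accounts holding more than one role on the same resource and scope, and it lists which accounts pick up a change when a role's permissions are edited. The record layout, scope identifiers, the `topic-ops` custom role, and all sample accounts are constructed assumptions.

```python
from collections import defaultdict

# Scopes listed on this page, written as identifiers (the naming is an assumption).
SCOPES = {"organization", "resource_group", "network",
          "network_peering", "cluster", "mcp_server"}

# Constructed sample export; the record layout is hypothetical, not a Redpanda API format.
BINDINGS = [
    {"account": "alice", "kind": "user", "role": "Admin", "scope": "organization", "resource": "acme"},
    {"account": "bob", "kind": "user", "role": "Reader", "scope": "organization", "resource": "acme"},
    {"account": "bob", "kind": "user", "role": "Admin", "scope": "resource_group", "resource": "dev"},
    {"account": "bob", "kind": "user", "role": "Writer", "scope": "cluster", "resource": "prod-eu"},
    {"account": "carol", "kind": "user", "role": "Reader", "scope": "cluster", "resource": "prod-eu"},
    {"account": "carol", "kind": "user", "role": "topic-ops", "scope": "cluster", "resource": "prod-eu"},
    {"account": "ci-deployer", "kind": "service_account", "role": "Admin",
     "scope": "organization", "resource": "acme"},
]


def audit(bindings):
    """Return sorted (finding, account, detail) tuples for a least-privilege review."""
    findings = set()
    roles_at = defaultdict(set)  # (account, scope, resource) -> roles bound there
    for b in bindings:
        if b["scope"] not in SCOPES:
            findings.add(("unknown-scope", b["account"], b["scope"]))
        if b["kind"] == "service_account":
            # Per this page, service accounts hold Admin on every resource.
            findings.add(("service-account-admin", b["account"], "all resources"))
        elif b["role"] == "Admin" and b["scope"] == "organization":
            findings.add(("org-wide-admin", b["account"], b["resource"]))
        roles_at[(b["account"], b["scope"], b["resource"])].add(b["role"])
    for (account, scope, resource), roles in roles_at.items():
        if len(roles) > 1:  # the page expects one role per resource and scope
            findings.add(("overlapping-roles", account, f"{scope}/{resource}: {sorted(roles)}"))
    return sorted(findings)


def blast_radius(role, bindings):
    """Accounts that pick up the change automatically when `role` is edited."""
    return sorted({b["account"] for b in bindings if b["role"] == role})


if __name__ == "__main__":
    for finding in audit(BINDINGS):
        print(finding)
    print("editing Admin affects:", blast_radius("Admin", BINDINGS))
```

Running `blast_radius` before editing a custom role shows every user and service account whose access will change with it.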

Predefined roles

Redpanda Cloud provides several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin.

You can see all predefined roles along with their permissions on the Roles tab of Organization IAM.

Custom roles

In addition to the predefined roles, administrators can create custom roles to mix and match permissions for specific use cases. Custom roles let you grant only the permissions a user needs, without the broad access of predefined roles.

To create a custom role, use the Redpanda Cloud Console or the Control Plane API.

In the Redpanda Cloud Console:

  1. In the left navigation menu, select Organization IAM, then select the Roles tab.

  2. Click Create role.

  3. Enter a Name and optional Description for the role.

  4. Select permissions from the available categories: Control Plane, Data Plane, IAM, and Billing. Each category contains multiple permission groups (for example, Cluster, Network, or Topic), and each group contains individual operations such as Create, Read, Update, and Delete. You can select operations individually or select all operations for a group.

  5. Click Create.

After creating a custom role, you can assign it to users through role bindings on the Users tab.