description |
---|
Authenticate and authorize users. |
$[prodname] supports Google Social login and username / password for user authentication.
Users can have one or more of the following predefined user roles to access features in the web console. The default permissions align with typical needs for each role.
The Owner role has the highest level of access and typically corresponds to the account creator.
:::note
The Owner role cannot be assigned to new users. The only Owner is the user who created the $[prodname] account.
:::
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view, edit, delete |
Compliance Reports | view |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view, edit |
Usage Metrics | view |
Threat Feeds | view, edit |
Web Application Firewall | view, edit |
Container Threat Detection | view, edit |
Dashboards | view, edit |
The Admin role provides broad administrative access for day-to-day configuration and management of $[prodname].
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view, edit, delete |
Compliance Reports | view |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view, edit |
Usage Metrics | - |
Threat Feeds | view, edit |
Web Application Firewall | view, edit |
Container Threat Detection | view, edit |
Dashboards | view, edit |
The User Admin role can manage team members and their assigned roles.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | view, edit, delete |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
The Cluster Connection Admin role has administrative capabilities for managed clusters.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | view, edit, delete |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
The Viewer role provides read-only access to most operational and configuration data within $[prodname]. It is ideal for users who need visibility without making changes.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view |
Nodes and Endpoints | view |
Network Sets | view |
Managed Clusters | view |
Compliance Reports | view |
Timeline | view |
Alerts | view |
Kibana | view |
Image Assurance | - |
Manage Team | view |
Usage Metrics | - |
Threat Feeds | view |
Web Application Firewall | view |
Container Threat Detection | view |
Dashboards | view |
The DevOps role is designed for users responsible for application deployment, CI/CD integration, and managing network policies and configurations relevant to their applications.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view, edit |
Compliance Reports | - |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view |
Usage Metrics | - |
Threat Feeds | view, edit |
Web Application Firewall | view |
Container Threat Detection | view |
Dashboards | view |
The Security role focuses on security posture management, including policy definition, threat monitoring, vulnerability management (Image Assurance), and incident response.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view |
Compliance Reports | view |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view |
Usage Metrics | - |
Threat Feeds | view, edit |
Web Application Firewall | view, edit |
Container Threat Detection | view, edit |
Dashboards | view |
The Compliance role provides focused access to compliance reporting and related policy information, suitable for auditors or compliance officers.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | view |
Nodes and Endpoints | view |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | view |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
This role grants specific access to view usage metrics for the $[prodname] account.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | view |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
This role provides administrative control specifically over the Image Assurance feature, including configuring registries, policies, and viewing scan results.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | view, edit |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
This role grants administrative permissions specifically for creating, managing, and sharing custom dashboards within $[prodname].
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | view, edit |
$[prodname] works with any identity provider that supports OpenID Connect, for example Okta, Google, and Azure AD.
To add an identity provider, open a Support ticket.
To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to `https://auth.calicocloud.io/login/callback`.
Enable "ID Token" for implicit flows.
Add the following Microsoft Graph API delegated permissions:
- User.Read
- OpenId permissions:
  - openid
  - profile
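
The following is an added example, not part of the $[prodname] documentation: a pre-flight check that compares an exported app registration (the application object in Microsoft Graph's schema) with the settings listed above before you open the Support ticket. Treating extra redirect URIs, access-token issuance, and extra permissions as findings is an assumption of this example, as are the names `audit_registration` and `SAMPLE`.

```python
import json
# Settings taken from the page; the three GUIDs are Microsoft Graph's
# published IDs for these delegated permissions.
REDIRECT_URI = "https://auth.calicocloud.io/login/callback"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
REQUIRED_SCOPES = {
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
    "37f7f235-527c-4136-accd-4a02d197296e": "openid",
    "14dad69e-099b-42c9-810b-d002981feec1": "profile",
}

def audit_registration(app: dict) -> list:
    """Return findings for an application object in Microsoft Graph's schema."""
    findings = []
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    if REDIRECT_URI not in uris:
        findings.append("missing Web redirect URI " + REDIRECT_URI)
    findings += ["unexpected Web redirect URI " + u for u in uris if u != REDIRECT_URI]
    implicit = web.get("implicitGrantSettings") or {}
    if not implicit.get("enableIdTokenIssuance"):
        findings.append("ID token issuance is not enabled")
    if implicit.get("enableAccessTokenIssuance"):
        findings.append("access token issuance is enabled but not called for")
    granted = set()
    for res in app.get("requiredResourceAccess") or []:
        for perm in res.get("resourceAccess") or []:
            granted.add((res.get("resourceAppId"), perm.get("id"), perm.get("type")))
    for scope_id, name in REQUIRED_SCOPES.items():
        if (GRAPH_APP_ID, scope_id, "Scope") not in granted:
            findings.append("missing delegated permission " + name)
    for app_id, perm_id, kind in sorted(granted, key=str):
        if (app_id, kind) != (GRAPH_APP_ID, "Scope") or perm_id not in REQUIRED_SCOPES:
            findings.append(f"extra permission {perm_id} ({kind})")
    return findings

# Constructed sample: ID tokens off, openid missing, one made-up app role.
SAMPLE = json.loads("""{
  "web": {"redirectUris": ["https://auth.calicocloud.io/login/callback"],
          "implicitGrantSettings": {"enableIdTokenIssuance": false}},
  "requiredResourceAccess": [{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"},
      {"id": "14dad69e-099b-42c9-810b-d002981feec1", "type": "Scope"},
      {"id": "00000000-0000-0000-0000-00000000abcd", "type": "Role"}]}]
}""")

if __name__ == "__main__":
    print("\n".join(audit_registration(SAMPLE)) or "matches the documented settings")
```

An empty result means the registration carries exactly the redirect URI, ID token setting, and delegated permissions this page lists.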