Panfactum LogoPanfactum
RBAC

Role-based Access Control

Default Roles

For every system, Panfactum modules configure the following default roles. These are scoped to the specific system / environment. They are not global and a user can (and will) have different roles in different environment.

RoleAccess Description
superuserComplete, unmitigated, root access.
adminRead and write access to most resources. Prevented from some actions that could cause irrecoverable data loss and/or persistent security vulnerabilities.
readerRead access to all resources (including secrets).
restricted_readerRead access to all resources (excluding secrets). Not deployed in resources that only store sensitive information (e.g., Vault).
billing_adminRead and write access only to resources required for billing and cost management. Not deployed in resources that don't have billing functionality (e.g., Vault).

Default Groups

These are the default groups provisioned by the authentik_core_resources. These are global.

The below table charts their recommended role by environment; however, by default they do not confer any permissions as this depends on your environment configuration. 1

GroupEnvironmentRole
superusersmanagementsuperuser
productionsuperuser
testing and integration environmentssuperuser
privileged_engineersmanagementrestricted_reader
productionadmin
testing and integration environmentssuperuser
engineersmanagementrestricted_reader
productionreader
testing and integration environmentssuperuser
restricted_engineersmanagementNone
productionrestricted_reader
testing and integration environmentsadmin
billing_adminsmanagementbilling_admin
productionbilling_admin
testing and integration environmentsbilling_admin

Footnotes

  1. Except for the superusers group which gets root access to all systems configured by Panfactum modules.