Role-based Access Control
Default Roles
For every system, Panfactum modules configure the following default roles. These are scoped to the specific system / environment. They are not global and a user can (and will) have different roles in different environment.
Role | Access Description |
---|---|
superuser | Complete, unmitigated, root access. |
admin | Read and write access to most resources. Prevented from some actions that could cause irrecoverable data loss and/or persistent security vulnerabilities. |
reader | Read access to all resources (including secrets). |
restricted_reader | Read access to all resources (excluding secrets). Not deployed in resources that only store sensitive information (e.g., Vault). |
billing_admin | Read and write access only to resources required for billing and cost management. Not deployed in resources that don't have billing functionality (e.g., Vault). |
Default Groups
These are the default groups provisioned by the authentik_core_resources. These are global.
The below table charts their recommended role by environment; however, by default they do not confer any permissions as this depends on your environment configuration. 1
Group | Environment | Role |
---|---|---|
superusers | management | superuser |
production | superuser | |
testing and integration environments | superuser | |
privileged_engineers | management | restricted_reader |
production | admin | |
testing and integration environments | superuser | |
engineers | management | restricted_reader |
production | reader | |
testing and integration environments | superuser | |
restricted_engineers | management | None |
production | restricted_reader | |
testing and integration environments | admin | |
billing_admins | management | billing_admin |
production | billing_admin | |
testing and integration environments | billing_admin |
Footnotes
-
Except for the
superusers
group which gets root access to all systems configured by Panfactum modules. ↩