Role-based Access Control
Default Roles
For every system, Panfactum modules configure the following default roles. These are scoped to the specific system / environment. They are not global and a user can (and will) have different roles in different environment.
| Role | Access Description |
|---|---|
superuser | Complete, unmitigated, root access. |
admin | Read and write access to most resources. Prevented from some actions that could cause irrecoverable data loss and/or persistent security vulnerabilities. |
reader | Read access to all resources (including secrets). |
restricted_reader | Read access to all resources (excluding secrets). |
billing_admin | Read and write access only to resources required for billing and cost management. Not deployed in resources that don't have billing functionality (e.g., Vault). |
Default Groups
These are the default groups provisioned by the authentik_core_resources. These are global.
The below table charts their recommended role by environment; however, by default they do not confer any permissions as this depends on your environment configuration. 1
| Group | Environment | Role |
|---|---|---|
superusers | management | superuser |
| production | superuser | |
| testing and integration environments | superuser | |
privileged_engineers | management | restricted_reader |
| production | admin | |
| testing and integration environments | superuser | |
engineers | management | restricted_reader |
| production | reader | |
| testing and integration environments | admin | |
restricted_engineers | management | None |
| production | restricted_reader | |
| testing and integration environments | admin | |
billing_admins | management | billing_admin |
| production | billing_admin | |
| testing and integration environments | billing_admin |
Footnotes
-
Except for the
superusersgroup which gets root access to all systems configured by Panfactum modules. ↩