Roles and Permissions
Roles and Permissions
Konstruct uses role-based access control (RBAC) to manage what users can do across the platform. Roles are assigned to users through their team memberships and SSO group mappings.
Predefined Roles
Konstruct provides three predefined roles:
| Role | Description |
|---|---|
| Platform Admin | Full access to all resources. Can manage infrastructure, cloud accounts, SSO, and organization-wide settings. |
| Team Admin | Can manage team resources, catalog applications, and deployments. Limited access to clusters (read-only). |
| Developer | Can read catalog applications, deploy catalog items, and manage applications. Limited access to clusters (read-only). |
Permissions Matrix
Each role grants a specific set of actions on each resource. The three actions are:
- Read (R) — View the resource
- Write (W) — Create or update the resource
- Delete (D) — Remove the resource
| Resource | Platform Admin | Team Admin | Developer |
|---|---|---|---|
| application | R, W, D | R, W | R, W |
| app-repository | R, W, D | — | — |
| catalog-application | R, W, D | R, W, D | R |
| catalog-deployment | R, W, D | R, W | R, W |
| cloud-account | R, W, D | — | — |
| cluster | R, W, D | R | R |
| cluster-template | R, W, D | — | — |
| environment | R, W, D | — | — |
| git-account | R, W, D | — | — |
| organization | R, W, D | — | — |
| pipeline-templates | R, W, D | — | — |
| sso | R, W, D | — | — |
| team | R, W, D | — | — |
Legend: R = Read, W = Write, D = Delete, — = No access
Platform Admin has full access to every resource. If a resource shows "—" for Team Admin and Developer, only Platform Admins can manage it.
How Roles Are Assigned
Roles are assigned through team membership and SSO group mappings:
- A user authenticates via SSO (e.g., Microsoft Entra).
- The user's SSO groups are matched against team role mappings.
- If a team maps the user's SSO group to a predefined role, the user receives that role for the team's organization.
- A user can hold roles in many teams across many organizations:
- Within one organization, if your SSO group maps to multiple roles through different teams, the highest of those roles applies for that org.
- Across organizations, your role is evaluated independently per org. Being Platform Admin in one org grants no permissions in another.
Roles Are Scoped to Organizations
Konstruct evaluates your role against the organization you're acting on. The same person can be a Platform Admin in one org and a Developer in another, and the platform enforces both views — admin-tier actions only succeed against the organizations where you're an admin.
Worked example: a user mapped to Platform Admin in Org A and Developer in Org B.
| Action | In Org A (Platform Admin) | In Org B (Developer) |
|---|---|---|
| List clusters | ✅ | ✅ (read-only) |
| Delete a cluster | ✅ | ❌ |
| Manage cloud accounts | ✅ | ❌ |
| Deploy a catalog item | ✅ | ✅ |
| Manage SSO and organizations | ✅ | ❌ |
The same person, two different sets of permissions — the org selected in the Viewing as switcher (or the namespace in the URL when calling the API directly) decides which set applies.
The built-in konstruct-super-user role used by the bootstrap admin on self-hosted installations stays global — it bypasses per-organization checks so an operator can recover access in a break-glass situation. Roles assigned through SSO group mappings are always per-organization.
Role Details
Platform Admin
The Platform Admin role is intended for infrastructure engineers and platform operators. It provides unrestricted access to all resources, including:
- Managing cloud accounts and git accounts
- Configuring SSO providers
- Creating and managing cluster templates and pipeline templates
- Creating organizations and teams
- Deploying and managing applications and environments
- Registering app repositories
- Managing license keys (self-hosted)
Team Admin
The Team Admin role is intended for team leads who manage their team's resources. Key capabilities:
- Full management of catalog applications (create, update, delete)
- Read and write access to catalog deployments
- Read and write access to applications
- Read-only access to clusters
- Create and manage organizations (team management)
- View SSO groups
Developer
The Developer role is intended for application developers. Key capabilities:
- Read-only access to catalog applications
- Read and write access to catalog deployments
- Read and write access to applications
- Read-only access to clusters