# Roles and Permissions
Konstruct uses role-based access control (RBAC) to manage what users can do across the platform. Roles are assigned to users through their team memberships and SSO group mappings.
## Predefined Roles
Konstruct provides three predefined roles:
| Role | Description |
|---|---|
| Platform Admin | Full access to all resources. Can manage infrastructure, cloud accounts, SSO, and organization-wide settings. |
| Team Admin | Can manage team resources, catalog applications, and deployments. Limited access to clusters (read-only). |
| Developer | Can read catalog applications, deploy catalog items, and manage applications. Limited access to clusters (read-only). |
## Permissions Matrix
Each role grants a specific set of actions on each resource. The three actions are:
- Read (R) — View the resource
- Write (W) — Create or update the resource
- Delete (D) — Remove the resource
| Resource | Platform Admin | Team Admin | Developer |
|---|---|---|---|
| application | R, W, D | R, W | R, W |
| app-repository | R, W, D | — | — |
| catalog-application | R, W, D | R, W, D | R |
| catalog-deployment | R, W, D | R, W | R, W |
| cloud-account | R, W, D | — | — |
| cluster | R, W, D | R | R |
| cluster-template | R, W, D | — | — |
| environment | R, W, D | — | — |
| git-account | R, W, D | — | — |
| organization | R, W, D | — | — |
| pipeline-templates | R, W, D | — | — |
| sso | R, W, D | — | — |
| team | R, W, D | — | — |
Legend: R = Read, W = Write, D = Delete, — = No access
Platform Admin has full access to every resource. If a resource shows "—" for Team Admin and Developer, only Platform Admins can manage it.
## How Roles Are Assigned
Roles are assigned through team membership and SSO group mappings:
- A user authenticates via SSO (e.g., Microsoft Entra).
- The user's SSO groups are matched against team role mappings.
- If a team maps the user's SSO group to a predefined role, the user receives that role.
- A user can hold multiple roles across different teams — the most permissive role applies for each resource.
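The following Python is an added example, not Konstruct's own code or data model: it transcribes the permissions matrix above into a lookup table and walks the assignment steps just described, resolving a user's roles from SSO group mappings and then taking the union of grants per resource, so that the most permissive role wins. `TeamRoleMapping`, `resolve_roles`, `effective_permissions`, `is_allowed`, `platform_admin_only_resources` and the sample team and SSO group names are constructed for illustration; the check denies by default for unknown resources, actions or an empty role set.

```python
from dataclasses import dataclass

# Actions from the matrix legend.
READ, WRITE, DELETE = "R", "W", "D"
RWD = frozenset({READ, WRITE, DELETE})
RW = frozenset({READ, WRITE})
R_ONLY = frozenset({READ})
NONE = frozenset()

ROLES = ("Platform Admin", "Team Admin", "Developer")

# resource -> grants for (Platform Admin, Team Admin, Developer),
# transcribed from the permissions matrix on this page.
MATRIX = {
    "application":         (RWD, RW, RW),
    "app-repository":      (RWD, NONE, NONE),
    "catalog-application": (RWD, RWD, R_ONLY),
    "catalog-deployment":  (RWD, RW, RW),
    "cloud-account":       (RWD, NONE, NONE),
    "cluster":             (RWD, R_ONLY, R_ONLY),
    "cluster-template":    (RWD, NONE, NONE),
    "environment":         (RWD, NONE, NONE),
    "git-account":         (RWD, NONE, NONE),
    "organization":        (RWD, NONE, NONE),
    "pipeline-templates":  (RWD, NONE, NONE),
    "sso":                 (RWD, NONE, NONE),
    "team":                (RWD, NONE, NONE),
}

# role -> resource -> grants
PERMISSIONS = {
    role: {resource: grants[i] for resource, grants in MATRIX.items()}
    for i, role in enumerate(ROLES)
}


@dataclass(frozen=True)
class TeamRoleMapping:
    """Constructed shape of a team's SSO-group-to-role mapping (assumption)."""
    team: str
    sso_group: str
    role: str


def resolve_roles(user_groups, mappings):
    """Match the user's SSO groups against team role mappings; a user in several
    groups or teams may end up with several roles."""
    roles = set()
    for m in mappings:
        if m.sso_group in user_groups:
            if m.role not in PERMISSIONS:
                raise ValueError(f"unknown role in mapping: {m.role!r}")
            roles.add(m.role)
    return roles


def effective_permissions(roles):
    """Per resource, the union of every held role's grants: the most
    permissive role applies."""
    effective = {}
    for resource in MATRIX:
        grants = frozenset()
        for role in roles:
            grants |= PERMISSIONS[role][resource]
        effective[resource] = grants
    return effective


def is_allowed(roles, resource, action):
    """Authorization check; unknown resources or actions are denied."""
    if action not in RWD:
        return False
    return action in effective_permissions(roles).get(resource, NONE)


def platform_admin_only_resources():
    """Resources showing '—' for both Team Admin and Developer."""
    return sorted(r for r, (_, team, dev) in MATRIX.items() if not team and not dev)


if __name__ == "__main__":
    # Constructed sample: one team maps two SSO groups to different roles.
    mappings = [
        TeamRoleMapping("payments", "payments-leads", "Team Admin"),
        TeamRoleMapping("payments", "payments-devs", "Developer"),
        TeamRoleMapping("platform", "sre", "Platform Admin"),
    ]
    user_groups = {"payments-leads", "payments-devs"}  # a lead also in the dev group
    roles = resolve_roles(user_groups, mappings)
    print("roles:", sorted(roles))
    perms = effective_permissions(roles)
    for res in ("catalog-application", "cluster", "cloud-account"):
        shown = "".join(a for a in "RWD" if a in perms[res]) or "no access"
        print(f"{res}: {shown}")
    print("Platform Admin only:", platform_admin_only_resources())
```

Because grants are unioned, a user who holds Team Admin in one team and Developer in another gets Team Admin's full catalog-application access even when acting in the Developer team's context; when reviewing SSO group mappings, look at the union of every group a user belongs to, not at each mapping in isolation.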
## Role Details
### Platform Admin
The Platform Admin role is intended for infrastructure engineers and platform operators. It provides unrestricted access to all resources, including:
- Managing cloud accounts and git accounts
- Configuring SSO providers
- Creating and managing cluster templates and pipeline templates
- Creating organizations and teams
- Deploying and managing applications and environments
- Registering app repositories
- Managing license keys (self-hosted)
### Team Admin
The Team Admin role is intended for team leads who manage their team's resources. Key capabilities:
- Full management of catalog applications (create, update, delete)
- Read and write access to catalog deployments
- Read and write access to applications
- Read-only access to clusters
- Create and manage organizations (team management)
- View SSO groups
### Developer
The Developer role is intended for application developers. Key capabilities:
- Read-only access to catalog applications
- Read and write access to catalog deployments
- Read and write access to applications
- Read-only access to clusters