Roles and Permissions
Roles and Permissions
Konstruct uses role-based access control (RBAC) to manage what users can do across the platform. Roles are assigned to users through their team memberships and SSO group mappings.
Predefined Roles
Konstruct provides three predefined roles:
| Role | Description |
|---|---|
| Platform Admin | Full access to all resources. Can manage infrastructure, cloud accounts, SSO, teams, and organization-wide settings. |
| Team Admin | Can manage their organization's clusters, environments, templates, applications, and catalog content. Cannot manage cloud/git accounts, SSO providers, teams, or organization-level (team-management) settings. |
| Developer | Can manage applications and catalog deployments end-to-end, create/update environments, and view pipeline and Helm templates within their organization. No access to clusters, cluster templates, or platform-level settings. |
Permissions Matrix
Each role grants a specific set of actions on each resource. The three actions are:
- Read (R) — View the resource
- Write (W) — Create or update the resource
- Delete (D) — Remove the resource
| Resource | Platform Admin | Team Admin | Developer |
|---|---|---|---|
| application | R, W, D | R, W, D | R, W, D |
| catalog-application | R, W, D | R, W, D | R |
| catalog-deployment | R, W, D | R, W, D | R, W, D |
| cloud-account | R, W, D | — | — |
| cluster | R, W, D | R, W, D | — |
| cluster-template | R, W, D | R, W, D | — |
| environment | R, W, D | R, W, D | R, W |
| git-account | R, W, D | — | — |
helm-templates | R, W, D | R, W, D | R |
| organization | R, W, D | — | — |
| pipeline-templates | R, W, D | R, W, D | R |
| sso | R, W, D | — | — |
| team | R, W, D | — | — |
Legend: R = Read, W = Write, D = Delete, — = No access
Platform Admin has full access to every resource. If a resource shows "—" for Team Admin and Developer, only Platform Admins can manage it.
How Roles Are Assigned
Roles are assigned through team membership and SSO group mappings:
- A user authenticates via SSO (e.g., Microsoft Entra).
- The user's SSO groups are matched against team role mappings.
- If a team maps the user's SSO group to a predefined role, the user receives that role for the team's organization.
- A user can hold roles in many teams across many organizations:
- Within one organization, if your SSO group maps to multiple roles through different teams, the highest of those roles applies for that org.
- Across organizations, your role is evaluated independently per org. Being Platform Admin in one org grants no permissions in another.
Roles Are Scoped to Organizations
Konstruct evaluates your role against the organization you're acting on. The same person can be a Platform Admin in one org and a Developer in another, and the platform enforces both views — admin-tier actions only succeed against the organizations where you're an admin.
Worked example: a user mapped to Platform Admin in Org A and Developer in Org B.
| Action | In Org A (Platform Admin) | In Org B (Developer) |
|---|---|---|
| List clusters | ✅ | ❌ |
| Delete a cluster | ✅ | ❌ |
| Manage cloud accounts | ✅ | ❌ |
| Deploy a catalog item | ✅ | ✅ |
| Manage SSO and organizations | ✅ | ❌ |
The same person, two different sets of permissions — the org selected in the Viewing as switcher (or the namespace in the URL when calling the API directly) decides which set applies.
The built-in konstruct-super-user role used by the bootstrap admin on self-hosted installations stays global — it bypasses per-organization checks so an operator can recover access in a break-glass situation. Roles assigned through SSO group mappings are always per-organization.
Role Details
Platform Admin
The Platform Admin role is intended for infrastructure engineers and platform operators. It provides unrestricted access to all resources, including:
- Managing cloud accounts and git accounts
- Configuring SSO providers
- Creating and managing cluster, pipeline, and Helm templates
- Creating organizations (team management) and teams
- Deploying and managing applications and environments
- Managing clusters across organizations
- Managing license keys (self-hosted)
Team Admin
The Team Admin role is intended for team leads who manage their organization's day-to-day resources. Key capabilities, scoped to organizations they're a Team Admin in:
- Full management of clusters (create, update, delete)
- Full management of environments (create, update, delete)
- Full management of cluster, pipeline, and Helm templates within the organization
- Full management of catalog applications and catalog deployments
- Full management of applications (create, update, delete)
- View SSO groups used for team mapping
Team Admins cannot manage cloud accounts, git accounts, SSO providers, teams, or organization-level (team-management) resources — those require Platform Admin.
Developer
The Developer role is intended for application developers. Key capabilities, scoped to organizations they're a Developer in:
- Full management of applications and application deployments (create, update, delete)
- Full management of catalog deployments (create, update, delete)
- Create and update environments within the organization (delete is reserved for Team Admin and Platform Admin)
- Read-only access to catalog applications
- Read-only access to pipeline and Helm templates
Developers cannot create or modify clusters, cluster templates, accounts, teams, SSO providers, or organization-level resources, and cannot delete environments — those require Team Admin or Platform Admin.