Orgs, Spaces, Roles, and Permissions
PCF uses a role-based access control (RBAC) system to grant Elastic Runtime users permissions appropriate to their role within an org or a space. This topic describes how orgs and spaces work within a PCF deployment, and how different Elastic Runtime user roles operate within those contexts.
An org is a development account that an individual or multiple collaborators can own and use. All collaborators access an org with user accounts. Collaborators in an org share a resource quota plan, applications, services availability, and custom domains.
A user account represents an individual person within the context of a Cloud Foundry installation. A user can have different roles in different spaces within an org, governing what level and type of access they have within that space.
Every application and service is scoped to a space. Each org contains at least one space. A space provides users with access to a shared location for application development, deployment, and maintenance. Each space role applies only to a particular space.
A user can have one or more roles. The combination of these roles defines the user’s overall permissions in the org and within specific spaces in that org.
- Org Managers are managers or other users who need to administer the account.
  Note: An Org Manager needs explicit administrator permissions to perform certain actions. Refer to the Creating and Managing Users with the UAA CLI (UAAC) topic to learn how to create a user with admin rights.
- Org Auditors view but cannot edit user information and org quota usage information.
- Space Managers are managers or other users who administer a space within an org.
- Space Developers are application developers or other users who manage applications and services in a space.
- Space Auditors view but cannot edit the space.
|User Role||Org Manager||Org Auditor||Space Manager||Space Developer||Space Auditor|
|Scope of operation||Org||Org||Space||Space||Space|
|Add and edit users and roles||*||*|
|View users and roles||✓||✓||✓||✓||✓|
|Create and assign Org and Space quota plans||✓|
|View Org quota plans||✓||✓||✓||✓||✓|
|Edit, rename, and delete Orgs||✓|
|View the status, number of instances, service bindings, and resource use of applications||✓||✓||✓||✓|
|Add private domains†||✓|
|Deploy, run, and manage applications||✓|
|Instantiate and bind services to applications||✓|
|Associate routes†, instance counts, memory allocation, and disk limit of applications||✓|
|Create and manage Application Security Groups||✓|
*Defaults to no. Yes if Elastic Runtime tile > Settings tab > Apps Manager section > Enable Non Admin Role Management checkbox is selected.
† No by default, unless feature flag user_org_creation is set to