Pivotal Cloud Foundry v1.7

Orgs, Spaces, Roles, and Permissions

Page last updated:

PCF uses a role-based access control (RBAC) system to grant Elastic Runtime users permissions appropriate to their role within an org or a space. This topic describes how orgs and spaces work within a PCF deployment, and how different Elastic Runtime User roles operate within those contexts.

Admins, Org Managers, and Space Managers can assign user roles using the cf CLI  or Apps Manager.


An org is a development account that an individual or multiple collaborators can own and use. All collaborators access an org with user accounts. Collaborators in an org share a resource quota plan, applications, services availability, and custom domains.

User Accounts

A user account represents an individual person within the context of a Cloud Foundry installation. A user can have different roles in different spaces within an org, governing what level and type of access they have within that space.


Every application and service is scoped to a space. Each org contains at least one space. A space provides users with access to a shared location for application development, deployment, and maintenance. Each space role applies only to a particular space.

Roles and Permissions

A user can have one or more roles. The combination of these roles defines the user’s overall permissions in the org and within specific spaces in that org.

  • Org Managers are managers or other users who need to administer the account.

Note: An Org Manager needs explicit administrator permissions to perform certain actions. Refer to the Creating and Managing Users with the UAA CLI (UAAC) topic to learn how to create a user with admin rights.

  • Org Auditors view but cannot edit user information and org quota usage information.

  • Space Managers are managers or other users who administer a space within an org.

  • Space Developers are application developers or other users who manage applications and services in a space.

  • Space Auditors view but cannot edit the space.

User Role Org Manager Org Auditor Space Manager Space Developer Space Auditor
Scope of operation Org Org Space Space Space
Add and edit users and roles * *
View users and roles
Create and assign Org and Space quota plans
View Org quota plans
Create Orgs
View Orgs
Edit, rename, and delete Orgs
Create Spaces
View Spaces
Edit Spaces
Delete Spaces
Rename Spaces
View the status, number of instances, service bindings, and resource use of applications
Add private domains
Deploy, run, and manage applications
Instantiate and bind services to applications
Associate routes, instance counts, memory allocation, and disk limit of applications
Rename applications
Create and manage Application Security Groups

*Defaults to no. Yes if Elastic Runtime tile > Settings tab > Apps Manager section > Enable Non Admin Role Management checkbox is selected.

† No by default, unless feature flag user_org_creation is set to true.

Create a pull request or raise an issue on the source for this page in GitHub