Pivotal Cloud Foundry User Types

Page last updated:

This topic describes the types of users in a Pivotal Cloud Foundry (PCF) deployment, their roles and permissions, and who creates and manages their user accounts.

The users who run a PCF deployment and have admin privileges are operators. With Pivotal Application Service (PAS) installed to host apps, you add two more user types: PAS users who develop the apps and manage the development environment, and end users who just run the apps.

PCF distinguishes between these three user types and multiple user roles that exist within a single user type. Roles are assigned categories that more specifically define functions that a user can perform. A user may serve in more than one role at the same time.


Operators have the highest, admin-level permissions. We also refer to operators as Ops Manager admins and PAS admins because they perform an admin role within these contexts.

Tools and Tasks

Operators fulfill system administrator roles covering the entire PCF deployment. They work primarily with their IaaS and Ops Manager, to configure and maintain PAS component VMs. The component VMs, in turn, support the VMs that host applications. Typical operator tasks include:

  • Deploying and configuring Ops Manager, PAS, and other product and service tiles.
  • Maintaining and upgrading PCF deployments.
  • Creating user accounts for PAS users and the orgs that PAS users work within.
  • Creating service plans that define the access granted to end users.

User Accounts

When Ops Manager starts up for the first time, the operator specifies one of the following authentication systems for operator user accounts:

  • Internal authentication, using a new UAA database that Ops Manager creates.
  • External authentication, through an existing identity provider accessed through SAML protocol.

The operator can then use the UAAC to create more operator accounts.

PAS Users

PAS users are app developers, managers, and auditors who work within orgs and spaces, the virtual compartments within a deployment where PAS users can run apps and locally manage their roles and permissions.

A Role-Based Access Control (RBAC) system defines and maintains the different PAS user roles:

  • Org Manager, Org Auditor, Org Billing Manager
  • Space Manager, Space Developer, Space Auditor

The Orgs, Roles, Spaces, Permissions topic describes the PAS user roles, and what actions they can take within the orgs and spaces they belong to. Some of these permissions depend on the values of feature flags.


Space Developer users work with their software development tools and the apps deployed on host VMs.

All PAS users use system tools such as the Cloud Foundry Command Line Interface (cf CLI), PCF Metrics, and Apps Manager, a dashboard for managing PAS users, orgs, spaces, and apps.

User Accounts

When an operator configures PAS for the first time, they specify one of the following authentication systems for PAS user accounts:

  1. Internal authentication, using a new UAA database created for PAS. This system-wide UAA differs from the Ops Manager internal UAA, which only stores Ops Manager Admin accounts.
  2. External authentication, through an existing identity provider accessed through SAML or LDAP protocol.

In either case, PAS user role settings are saved internally in the Cloud Controller Database, separate from the internal or external user store.

Org and Space Managers then use Apps Manager to invite and manage additional PAS users within their orgs and spaces. PAS users with proper permissions can also use the cf CLI to assign user roles.

Operators can log into Apps Manager by using the UAA Administrator User credentials under the Credentials tab of the PAS tile. These UAA Admin credentials grant them the role of Org Manager within all orgs in the deployment. The UAA Admin can also use the UAAC to create new user accounts and the cf CLI to assign user roles.

End Users

End users are the people who log into and use the apps hosted on PAS. They do not interact directly with PAS components or interfaces. Any interactions or roles they perform within the apps are defined by the apps themselves, not Pivotal Application Service (PAS).

User Accounts and SSO

App developers can configure apps any way they want to grant end user access individually. In a deployment with Single Sign-On Service for Pivotal Cloud Foundry installed, they can also offer end users a single login that accesses multiple apps.

The Single Sign-On (SSO) service can save user account information in an external database accessed through SAML or LDAP, or in the internal PAS user store, along with PAS User accounts.

To make the SSO service available to developers, an operator creates service plans that give login access to specific groups of end users. A Space Manager then creates a local instance of the service plan, and registers apps with it. Apps registered to the plan instance then become available through SSO to all end users covered by the plan.

User Types Summary

The following table summarizes PCF user types, their roles, the tools they use, the System of Record (SOR) that stores their accounts, and what accounts they can provision.

User Type Available Roles Tools They Use Account SOR Accounts They Can Provision
Operators Admin (UAA Admin, SSO Plan Admin, other system admins)
  • IaaS UI
  • PivNet
  • Ops Manager
  • cf CLI
  • SSO Dashboard
  • Marketplace
Ops Manager user store through UAA
External store through SAML
Operators and PAS Users
PAS Users
  • UAA Administrator
  • Org Manager
  • Org Auditor
  • Org Billing Manager
  • Space Manager
  • Space Developer
  • Space Auditor
  • cf CLI
  • CAPI
  • Apps Manager
  • PCF Metrics
  • Marketplace
PAS user store through UAA
External store through SAML or LDAP
PAS Users within permitted orgs and spaces, and
End Users
End Users Defined by apps they use Hosted apps Individual apps
PAS user store through SSO