UAA Scopes for Enterprise PKS Users

This topic describes User Account and Authentication (UAA) scopes that a UAA admin can assign to VMware Enterprise PKS users.

Overview

UAA is the identity management service for Enterprise PKS.

By assigning UAA scopes, you grant users the ability to create, manage, and audit Kubernetes clusters in Enterprise PKS.

A UAA admin user can assign the following UAA scopes to Enterprise PKS users:

  • pks.clusters.manage: Accounts with this scope can create and access their own clusters.
  • pks.clusters.admin: Accounts with this scope can create and access all clusters.
  • pks.clusters.admin.read: Accounts with this scope can access any information about all clusters except for cluster credentials.

You can assign these scopes to individual users, external identity provider groups, or clients for automation purposes.

UAA Scopes

Each UAA scope grants Enterprise PKS users a set of permissions for creating, managing, and auditing Enterprise PKS-provisioned Kubernetes clusters. For information about the permissions, see the table below.

Operation: Create, update, resize, and delete a cluster
  • pks.clusters.manage: Yes. Users with this scope can create, modify, and delete only their own clusters.
  • pks.clusters.admin: Yes. Users with this scope can create, modify, and delete all clusters.
  • pks.clusters.admin.read: No. Users with this scope cannot create, modify, or delete clusters.

Operation: Get cluster credentials
  • pks.clusters.manage: Yes. Users with this scope can retrieve cluster credentials only for their own clusters.
  • pks.clusters.admin: Yes. Users with this scope can retrieve cluster credentials for all clusters.
  • pks.clusters.admin.read: No. Users with this scope cannot retrieve cluster credentials.

Operation: Upgrade clusters
  • pks.clusters.manage: Yes. Users with this scope can upgrade only their own clusters.
  • pks.clusters.admin: Yes. Users with this scope can upgrade all clusters.
  • pks.clusters.admin.read: No. Users with this scope cannot upgrade clusters.

Operation: List clusters
  • pks.clusters.manage: Yes. Users with this scope can list only their own clusters.
  • pks.clusters.admin: Yes. Users with this scope can list all clusters.
  • pks.clusters.admin.read: Yes. Users with this scope can list all clusters.

Operation: View cluster details
  • pks.clusters.manage: Yes. Users with this scope can view cluster details only for their own clusters.
  • pks.clusters.admin: Yes. Users with this scope can view cluster details for all clusters.
  • pks.clusters.admin.read: Yes. Users with this scope can view cluster details for all clusters.

Operation: Create and delete a compute profile
  • pks.clusters.manage: No. Users with this scope cannot create or delete compute profiles.
  • pks.clusters.admin: Yes. Users with this scope can create and delete compute profiles.
  • pks.clusters.admin.read: No. Users with this scope cannot create or delete compute profiles.

Operation: Create and delete a network profile
  • pks.clusters.manage: No. Users with this scope cannot create or delete network profiles.
  • pks.clusters.admin: Yes. Users with this scope can create and delete network profiles.
  • pks.clusters.admin.read: No. Users with this scope cannot create or delete network profiles.

Operation: Create, update, and delete a quota
  • pks.clusters.manage: No. Users with this scope cannot create, update, or delete quotas.
  • pks.clusters.admin: Yes. Users with this scope can create, update, and delete quotas.
  • pks.clusters.admin.read: No. Users with this scope cannot create, update, or delete quotas.

Operation: List Enterprise PKS plans
  • pks.clusters.manage: Yes. Users with this scope can list all available plans.
  • pks.clusters.admin: Yes. Users with this scope can list all available plans.
  • pks.clusters.admin.read: Yes. Users with this scope can list all available plans.
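The table above is an authorization matrix with one subtlety that is easy to get wrong when mirroring it in your own tooling: pks.clusters.manage is scoped by ownership, so the same operation is allowed or denied depending on who owns the target cluster, while pks.clusters.admin.read grants read access to every cluster but never to credentials. The following Python program is an added example, not code from Enterprise PKS or UAA. The three scope strings are taken from this page; the operation identifiers, the Principal type and the "own"/"all" reach model are this example's own modelling choices. It evaluates the matrix deny-by-default, so a scope or operation it does not recognise grants nothing.

```python
"""Authorization check modelled on the Enterprise PKS UAA scope table.

Added example: the scope names come from the documentation; the operation
names, the Principal type and the ownership rule are this example's own
modelling choices, not the PKS API.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Union

MANAGE = "pks.clusters.manage"
ADMIN = "pks.clusters.admin"
ADMIN_READ = "pks.clusters.admin.read"

# Operation identifiers (hypothetical names for the table's rows).
# "Create" is split from "update, resize, delete" because a cluster that
# does not exist yet has no owner to compare against.
CLUSTER_CREATE = "cluster.create"
CLUSTER_MODIFY = "cluster.modify"          # update, resize, delete
CLUSTER_CREDENTIALS = "cluster.credentials"
CLUSTER_UPGRADE = "cluster.upgrade"
CLUSTER_LIST = "cluster.list"
CLUSTER_DETAILS = "cluster.details"
COMPUTE_PROFILE_WRITE = "compute_profile.write"
NETWORK_PROFILE_WRITE = "network_profile.write"
QUOTA_WRITE = "quota.write"
PLAN_LIST = "plan.list"

# Operations on an existing cluster: scope -> reach ("own" = only clusters
# the requester owns, "all" = every cluster). A scope that is absent grants nothing.
CLUSTER_OPS: Dict[str, Dict[str, str]] = {
    CLUSTER_MODIFY:      {MANAGE: "own", ADMIN: "all"},
    CLUSTER_CREDENTIALS: {MANAGE: "own", ADMIN: "all"},
    CLUSTER_UPGRADE:     {MANAGE: "own", ADMIN: "all"},
    CLUSTER_LIST:        {MANAGE: "own", ADMIN: "all", ADMIN_READ: "all"},
    CLUSTER_DETAILS:     {MANAGE: "own", ADMIN: "all", ADMIN_READ: "all"},
}

# Operations not tied to a particular cluster: the set of scopes that allow them.
GLOBAL_OPS: Dict[str, FrozenSet[str]] = {
    CLUSTER_CREATE:        frozenset({MANAGE, ADMIN}),
    COMPUTE_PROFILE_WRITE: frozenset({ADMIN}),
    NETWORK_PROFILE_WRITE: frozenset({ADMIN}),
    QUOTA_WRITE:           frozenset({ADMIN}),
    PLAN_LIST:             frozenset({MANAGE, ADMIN, ADMIN_READ}),
}


@dataclass(frozen=True)
class Principal:
    """A UAA user or client, identified by name, with the scopes from its token."""
    name: str
    scopes: FrozenSet[str]


def scopes_from_claim(scope_claim: Union[str, Iterable[str]]) -> FrozenSet[str]:
    """UAA's JWT 'scope' claim is a JSON array; an RFC 7662 introspection
    response carries a space-separated string. Accept both forms."""
    if isinstance(scope_claim, str):
        return frozenset(scope_claim.split())
    return frozenset(scope_claim)


def is_allowed(principal: Principal, operation: str,
               cluster_owner: Optional[str] = None) -> bool:
    """Deny by default: unknown operations and unrecognised scopes grant nothing."""
    if operation in GLOBAL_OPS:
        return not GLOBAL_OPS[operation].isdisjoint(principal.scopes)
    rules = CLUSTER_OPS.get(operation)
    if rules is None or cluster_owner is None:
        # Per-cluster operation without a known owner cannot be decided safely.
        return False
    for scope in principal.scopes:
        reach = rules.get(scope)
        if reach == "all":
            return True
        if reach == "own" and cluster_owner == principal.name:
            return True
    return False


def visible_clusters(principal: Principal,
                     clusters: Dict[str, str]) -> List[str]:
    """Filter a {cluster_name: owner} inventory down to what a 'list' call
    should return for this principal (the manage scope sees only its own)."""
    return sorted(name for name, owner in clusters.items()
                  if is_allowed(principal, CLUSTER_LIST, cluster_owner=owner))


if __name__ == "__main__":
    # Constructed sample data, not real cluster names or users.
    inventory = {"payments-dev": "alice", "payments-prod": "bob", "shared": "bob"}
    alice = Principal("alice", scopes_from_claim(["openid", MANAGE]))
    auditor = Principal("carol", scopes_from_claim("openid pks.clusters.admin.read"))
    print(visible_clusters(alice, inventory))
    print(visible_clusters(auditor, inventory))
    print(is_allowed(auditor, CLUSTER_CREDENTIALS, cluster_owner="carol"))
```

The credential row is the one to watch: even when the auditor principal is the owner of a cluster, pks.clusters.admin.read never yields credentials, and a modify request with no resolvable owner is refused rather than assumed to be the caller's own.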

To assign UAA scopes in Enterprise PKS, follow the instructions in Managing Enterprise PKS Users with UAA.
