Organization Roles
When a customer signs up in the Cloud-IAM Console, a default organization with a randomly generated name is automatically created and linked to their account.
The customer is assigned the Owner role of this organization by default.
When a managed Keycloak deployment is created, its initiator (creator) automatically becomes its owner through their organization. All managed Keycloak subscriptions, whether paid or freemium, are always bound to an organization. This design simplifies the transfer and management of subscriptions within the same organization, but a managed Keycloak subscription cannot be shared across multiple organizations.
To ensure secure and controlled access to your managed Keycloak deployments through the Cloud-IAM console, role-based access control (RBAC) is enforced at the organization level. This means that each user's role determines their level of access across all deployments linked to the organization.
These roles apply only within the Cloud-IAM console. They do not represent or replace roles defined in the Keycloak Admin Console.
Role Overview
Role | Manage Deployments | Manage Custom Extensions | Read Metrics | Manage Org Settings | Manage Org Members |
---|---|---|---|---|---|
Owner | ✅ | ✅ | ✅ | ✅ | ✅ |
Editor | ✅ | ✅ | ✅ | ❌ | ❌ |
Custom Extensions | ❌ | ✅ | ❌ | ❌ | ❌ |
Monitoring | ❌ | ❌ | ✅ | ❌ | ❌ |
Roles in detail in Cloud-IAM console
Owner
The Owner role is equivalent to an admin role with all permissions. It has full control over both deployments and organization settings. This role is automatically assigned to the account creator.
- ✅ Manage deployment configuration
- ✅ Manage custom extensions of deployments
- ✅ Read deployment metrics
- ✅ Manage organization settings
- ✅ Manage organization members
Security and resilient access management
For secure and resilient access management, we strongly recommend adding at least 2 Owners to your organization.
This ensures continuity and control in case one owner loses access to their account.
Editor
The Editor role is suitable for developers or operators who need to work with deployments but should not manage organizational-level settings.
- ✅ Manage deployment configuration
- ✅ Manage custom extensions of deployments
- ✅ Read deployment metrics
- ❌ Manage organization settings
- ❌ Manage organization members
Custom Extensions
The Custom Extensions role is typically assigned to a service account, for example, a CI/CD pipeline that manages deployment extensions.
- ❌ Manage deployment configuration
- ✅ Manage custom extensions of deployments
- ❌ Read deployment metrics
- ❌ Manage organization settings
- ❌ Manage organization members
Monitoring
The Monitoring role is typically assigned to a service account that only collects logs and metrics for observability.
- ❌ Manage deployment configuration
- ❌ Manage custom extensions of deployments
- ✅ Read deployment metrics
- ❌ Manage organization settings
- ❌ Manage organization members
User invitation requirement
To access a deployment configuration through the Cloud-IAM Console, a user must:
- Create an account on the Cloud-IAM Console.
- Be invited to that organization by one of its Owners.
More details are available in the guide: How to add a user to your organization?
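The role matrix and the Owner-only invitation rule described on this page, modelled as a deny-by-default authorization check plus an audit for the "at least 2 Owners" recommendation. This is an added example, not Cloud-IAM's own code; the class, function names, the permission identifiers and the sample accounts are assumptions.

```python
from dataclasses import dataclass, field

# Added illustration of the role matrix above, not Cloud-IAM's own code; names are assumptions.
PERMISSIONS = ("deployments", "custom_extensions", "metrics", "org_settings", "org_members")
ROLE_MATRIX = {  # Owner: everything; Editor: deployments only; service-account roles: one purpose
    "Owner": set(PERMISSIONS),
    "Editor": {"deployments", "custom_extensions", "metrics"},
    "Custom Extensions": {"custom_extensions"},
    "Monitoring": {"metrics"},
}
MIN_OWNERS = 2  # the page's resilience recommendation, enforced here as an audit threshold


@dataclass
class Organization:
    name: str
    members: dict = field(default_factory=dict)  # account -> role

    def can(self, account, permission):
        """Deny by default: unknown accounts, roles or permissions get nothing."""
        return permission in ROLE_MATRIX.get(self.members.get(account), set())

    def invite(self, inviter, invitee, role):
        """Only an Owner may add a member to the organization (invitation rule above)."""
        if self.members.get(inviter) != "Owner":
            raise PermissionError(f"{inviter} is not an Owner of {self.name}")
        if role not in ROLE_MATRIX:
            raise ValueError(f"unknown role {role!r}")
        self.members[invitee] = role

    def owners(self):
        return sorted(a for a, r in self.members.items() if r == "Owner")

    def audit(self):
        """Continuity finding: fewer Owners than recommended."""
        n = len(self.owners())
        return [f"{self.name}: only {n} Owner(s); add another"] if n < MIN_OWNERS else []


def demo():
    # Constructed sample: the account creator is the default Owner of a randomly named org.
    org = Organization("rapid-otter-4821", {"alice": "Owner"})
    org.invite("alice", "bob", "Editor")
    org.invite("alice", "ci-pipeline", "Custom Extensions")
    org.invite("alice", "prometheus", "Monitoring")
    return org
```

Running `demo().audit()` on the sample organization reports the single-Owner condition until a second Owner is invited.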