Skip to content

Managing User Roles - Child Tenants

This topic describes user roles within child tenant accounts that permit different levels of access privilege.

When logged into a root tenant, you can assign user roles to control the actions and permissions of users in child tenant accounts. This table summarizes each user role and its supported functionality, indicated by a .


Only a root tenant user with Company Admin privileges can create child tenant accounts and onboard child tenant account users.

Company Admin
Company Admin
Technical Admin
Technical Admin
Technical Contact
Technical Contact
Financial Contact
Financial Contact
Read Only
Read Only
Create services
View services
Update services
Delete services
Lock and unlock services
Create and delete applications
View applications
Update applications
Create, update, and delete Insights
Create, update, and delete child tenant account
View child tenant account
View tenant account
Update tenant account
Update tenant permissions
Create, view, and update users
Add and delete credentials
Create and delete clusters
View clusters
Update clusters
Download Kubernetes configuration
Create and delete repositories
View repositories
Update repositories
View usage
Enable and update billing markets
View billing markets
View and pay invoices

Here are some details to consider when creating user roles:

  • Company Admin – We recommend limiting the number of Company Admin users to only those who require full access, but defining at least two Company Admin users for redundancy.
  • Technical Admin – This role is for technical users who know how to create and approve orders.
  • Technical Contact – This role is for technical users who know how to design and modify services but don’t have the authority to approve orders.
  • Finance – Finance users should have a financial responsibility within the organization while also understanding the consequences of their actions if they delete or approve services.
  • Financial Contact – This user role is similar to the Finance role without the ability to place and approve orders, delete services, or administer service keys.
  • Read Only – Read Only is the most restrictive role. Note that a Read Only user can view service details which you might want to keep secure and private. A user with the read-only role can view service details which might contain information about the service that you want to keep secure and private.

You can add user roles when you create a new user, or you can edit user information to change their role. For details about adding a new user, see Adding and Modifying Child Tenant Account Users.


To edit user credentials, you need Company Admin privileges.

To manage user roles and permissions

  1. Log in to a root tenant account with Company Admin privileges.
  2. Choose Tenant > Settings.

  3. Select Users.

    Manage Users

  4. Click the gear icon Gear Icon for the user entry and select Edit.

  5. Select the role for the user.

    Update Child Tenant Role

  6. Click Update User.

Last update: 2023-07-20