Managing User Roles - Child Tenants
This topic describes user roles within child tenant accounts that permit different levels of access privilege.
When logged into a root tenant, you can assign user roles to control the actions and permissions of users in child tenant accounts. This table summarizes each user role and its supported functionality, indicated by a ✓.
Important
Only a root tenant user with Company Admin privileges can create child tenant accounts and onboard child tenant account users.
Action |
 Company Admin |
 Technical Admin |
 Technical Contact |
 Finance |
 Financial Contact |
 Read Only |
|---|---|---|---|---|---|---|
| Create services | ✓ | ✓ | ✓ | |||
| View services | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update services | ✓ | ✓ | ✓ | |||
| Delete services | ✓ | ✓ | ||||
| Lock and unlock services | ✓ | |||||
| Create and delete applications | ✓ | ✓ | ||||
| View applications | ✓ | ✓ | ✓ | ✓ | ||
| Update applications | ✓ | ✓ | ✓ | |||
| Create, update, and delete Insights | ✓ | ✓ | ||||
| Create, update, and delete child tenant account | ✓ | ✓ | ||||
| View child tenant account | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View tenant account | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update tenant account | ✓ | ✓ | ||||
| Update tenant permissions | ✓ | ✓ | ||||
| Create, view, and update users | ✓ | |||||
| Add and delete credentials | ✓ | ✓ | ||||
| Create and delete clusters | ✓ | ✓ | ||||
| View clusters | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update clusters | ✓ | ✓ | ✓ | |||
| Download Kubernetes configuration | ✓ | ✓ | ||||
| Create and delete repositories | ✓ | ✓ | ||||
| View repositories | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update repositories | ✓ | ✓ | ✓ | |||
| View usage | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Enable and update billing markets | ✓ | |||||
| View billing markets | ✓ | ✓ | ✓ | |||
| View and pay invoices | ✓ | ✓ | ✓ |
Here are some details to consider when creating user roles:
- Company Admin – We recommend limiting the number of Company Admin users to only those who require full access, but defining at least two Company Admin users for redundancy.
- Technical Admin – This role is for technical users who know how to create and approve orders.
- Technical Contact – This role is for technical users who know how to design and modify services but don’t have the authority to approve orders.
- Finance – Finance users should have a financial responsibility within the organization while also understanding the consequences of their actions if they delete or approve services.
- Financial Contact – This user role is similar to the Finance role without the ability to place and approve orders, delete services, or administer service keys.
- Read Only – Read Only is the most restrictive role. Note that a Read Only user can view service details which you might want to keep secure and private. A user with the read-only role can view service details which might contain information about the service that you want to keep secure and private.
You can add user roles when you create a new user, or you can edit user information to change their role. For details about adding a new user, see Adding and Modifying Child Tenant Account Users.
Note
To edit user credentials, you need Company Admin privileges.
To manage user roles and permissions
- Log in to a root tenant account with Company Admin privileges.
-
Choose Tenant > Settings.
-
Select Users.
-
Click the gear icon
for the user entry and select Edit. -
Select the role for the user.
-
Click Update User.