Skip to main content
Version: 10.9.x

Console levels and permission management

Assigning different roles and permissions to each Identity that has access to Mia-Platform Console is a key action for defining responsibilities within your platform ecosystem. The Console is based on hierarchical levels and, for each of them, specific permissions and capabilities have been identified and can be assigned.
Let's see how they are configured.

Console Levels

The Console resources are organized in a hierarchical structure on three levels:

  1. Console level is the root level regarding the general configuration of your Console. At this level you can configure resources such as Companies, Project Templates and Marketplace.

  2. Company level is the second hierarchical level. A Company can contain several underlying Projects, which can inherit different kinds of information from the Company without needing further configuration. At this level, License, Clusters, Providers, Users and Service Accounts can be managed. To know more about Company configuration, check out the dedicated documentation section.

  3. Project Level is the third hierarchical level. Projects are the heart of Mia-Platform Console, allowing developers engage in creating new features and building their own platform.

alt text

Identity Capabilities inside Console

Identities can perform a set of predetermined actions along Console levels, in accordance with a set of permissions grouped for each specific role. A brief presentation of the default Roles that can be assigned to each Identity is provided here below:

  • Company Owner: A Company Owner has the ability to manage Company Users and Service Accounts, and has full administrative capabilities on all the Projects (and Runtime Environments) within the Company
  • Project Administrator: A Project Administrator is able to manage identities and all other aspects of a Project, thus being able to perform any actions on all the Runtime Environments of the Project as well
  • Maintainer: A Maintainer can edit both Project configuration and Runtime Environments
  • Developer: A Developer can edit Project configuration and view Runtime Environments
  • Reporter: A Reporter can view Project configuration and Runtime Environments
  • Guest: A Guest has restricted access to data and can only view basic information for a selected subset of resources

Roles can be assigned at three levels regarding the following Console resources:

  • Company
  • Project
  • Runtime Environments

Roles can be assigned at Company level from the Identities portal of the Company Overview section.

The following table describes the capabilities that are granted when assigning a role at Company level:

CapabilitiesPermissions keyGuestReporterDeveloperMaintainerProject AdministratorCompany Owner
View Company basic
Edit Company
Create Projects inside this
View all Projects of this
View all Environments in all Projects of this
Create a service repository in all Projects of this
Commit changes on all Project configurations of this
Manage secreted environment variables for all Projects of this
Trigger deploy on all Environments of all Projects of this Company
Restart pods on all Environments of all Projects of this
Manage dashboards on all Projects of this Company
Manage Identities of this
Edit Project information of all Projects of this
Manage Identities of all Projects of this
Delete this
Delete all Projects of this
Manage Providers of this
View Company Providers
Manage Clusters for this
View Company Clusters
Manage Company Project

Roles can be assigned at both Project and its Runtime Environments levels from the Identities portal of the specific Project Settings Area.


Please note that, inside Project Identities portal, only those Identities on which a Company role has previously been assigned are shown. For each of them, therefore, the permissions inherited from the Company role assignment at the Company level will be visible. In this way, it will be possible to identify which additional permissions among those mentioned in the following table can be assigned at Project and Runtime Environments levels.

CapabilitiesPermissions keyGuestReporterDeveloperMaintainerProject AdministratorCompany Owner
View Project basic informationconsole.project.view
View all Environments of this Projectconsole.project.environment.view
View this Environment of the Projectconsole.environment.view
Create a service repository for this Projectconsole.project.service.repository.create
Commit changes on Project configurationconsole.project.configuration.update
Edit Project informationconsole.project.details.update
Manage secreted environment variablesconsole.project.secreted_variables.manage
Trigger deploy on any Environment of this Projectconsole.project.environment.deploy.trigger
Trigger deploy on this specific Environmentconsole.environment.deploy.trigger
Restart pods on any Project Environmentconsole.project.environment.k8s.pod.delete
Restart pods on this specific Environmentconsole.environment.k8s.pod.delete
Manage dashboards on any Project Environmentconsole.project.environment.dashboard.manage
Manage dashboards on this specific Environmentconsole.environment.dashboard.manage
Manage identities for this Projectconsole.project.users.manage
Delete a single Projectconsole.project.delete

Console Root level permissions

User roles and permissions are manageable from CMS by Console Super Users, which are particular Console Administrators having access to the Console CMS and thus being able to perform actions at Console root level.


Note that Console Super User is NOT included as a default role. Consequently, it can not be assigned from the Identities portal, as it performs actions exclusively at Console root level.

The following table describes the manageable privileges at Console root level that are granted to Console Administrators:

CapabilitiesPermissions key
Create a new
Delete any
Create a new Projectconsole.root.project.create
Edit any Projectconsole.root.project.details.update
Delete any Projectconsole.root.project delete
View all Console resourcesconsole.root.view
Manage identity Roles, Groups and Bindingsconsole.root.user.bind
Create and delete any userconsole.root.user.manage
Create and delete root service accountconsole.root.serviceaccount.manage
Manage all private and public Project Templatesconsole.root.templates.manage
Manage available featuresconsole.root.features.manage

Role binding example

Suppose you have a feature team composed by: 1 Project Manager and 1 Technical Leader, 1 Senior Developer and 2 Junior Developers and 2 Designers. This team works on a single Project with two environments:

  1. Production, on which only the Project Manager, the Technical Leader and Senior Developer can perform actions, and
  2. Staging on which the 2 Junior Developers can perform actions, too.

What you might want could be a similar Role Binding organization:

  • The Project Manager and the Technical Leader may want to have full access to the Project so they can be assigned the Project Administrator Role on the Project resource
  • The Designers should be able to access the Project but they cannot perform any editing action on it, so they can be assigned the Reporter Role on the Project resource
  • The Senior Developers can be assigned the Maintainer Role on the Project
  • The Junior Developers can be assigned the Developer Role on the Project resource and then can be assigned the Maintainer Role only on the Staging environment

Assigning Roles on Resources

When you wish to assign a Role on a specific resource what you have to do is create a binding with a properly configured resource object.


For more information regarding how a binding is defined and how to configure the resources check out the following documentation page.