Roles and permissions

To give users access to projects and services in your organizations, you grant them permissions and roles:

Permissions: Actions that a principal can perform on a resource or group of resources.
Roles: Sets of permissions that you can assign to a principal.

Principals are organization users, application users, and groups.

You can grant access to principals at the organization, organizational unit, and project level. To give users access to a specific service, create service users.

Roles and permissions are cumulative. This means that a user's effective access is the combination of all roles and permissions granted to them at every level. This includes roles and permissions granted directly to the user and those granted to the groups they are a member of.

For example, if you grant a user the project:services:write permission at the organization level, they have write access to all services in all projects in the organization. If you also assign the user the read_only role on a specific project, they still have write access to the services in that project. The less permissive role does not negate the more permissive permission.

Organization roles and permissions

Roles and permissions at the organization level apply to the organization and all units, projects, and services within it.

Organization roles

Console name API name Allowed actions

Organization member

None

Console name	API name	Allowed actions
Organization member	None	This is the default role for all organization users. You cannot grant this role to users. All non-managed organization users can: Edit their profiles. Create organizations. Leave organizations. Add allowed authentication methods. Generate and revoke personal tokens, if allowed by the authentication policy. Enable and disable feature previews. Managed users have more restrictions.
Super admin	None	Completely unrestricted access to all organization resources and settings, including: all units and projects, billing information, the authentication policy, other super admin, organization users, application users, groups, domains, and identity providers. Rename the organization. Delete the organization.
Admin	`role:organization:admin`	Full access to the organization. View and change billing information. Change the authentication policy. Create and delete organizational units and projects. Move projects within an organization and to other organizations. Invite, deactivate, and remove organization users. Create, edit, and delete groups. Create and delete application users and their tokens. Add and remove domains. Add, enable, disable, and remove identity providers. Cannot delete an organization or manage its super admin. Users who are granted this role on the unit level can: Create and manage projects within the unit. Grant users and groups permission to the unit.

This is the default role for all organization users. You cannot grant this role to users.

All non-managed organization users can:

Edit their profiles.
Create organizations.
Leave organizations.
Add allowed authentication methods.
Generate and revoke personal tokens, if allowed by the authentication policy.
Enable and disable feature previews.

Managed users have more restrictions.

Super admin

None

Completely unrestricted access to all organization resources and settings, including: all units and projects, billing information, the authentication policy, other super admin, organization users, application users, groups, domains, and identity providers.
Rename the organization.
Delete the organization.

Admin

role:organization:admin

Full access to the organization.
View and change billing information.
Change the authentication policy.
Create and delete organizational units and projects.
Move projects within an organization and to other organizations.
Invite, deactivate, and remove organization users.
Create, edit, and delete groups.
Create and delete application users and their tokens.
Add and remove domains.
Add, enable, disable, and remove identity providers.

Cannot delete an organization or manage its super admin.

Users who are granted this role on the unit level can:

Create and manage projects within the unit.
Grant users and groups permission to the unit.

Organization permissions

Console name	API name	Allowed actions
Manage application users	`organization:app_users:write`	Create, edit, and delete application users. View all application users. Generate tokens for application users that are not super admin and have not been granted any permissions. Revoke application tokens. List all application tokens.
View organization audit log	`organization:audit_logs:read`	View the audit log. This permission is in development and not fully implemented in the Console.
View billing	`organization:billing:read`	View all billing groups, billing addresses, and payment methods. View and download invoices. This permission is in development and not fully implemented in the Console.
Manage billing	`organization:billing:write`	Create, edit, and delete billing groups. Add, edit, and delete payment methods. Add, edit, and delete addresses. View and download invoices. This permission is in development and not fully implemented in the Console.
Manage domains	`organization:domains:write`	Add, edit, and remove domains. View all organization domains.
Manage groups	`organization:groups:write`	Create and delete groups. Rename groups and update group descriptions. Add organization and application users to groups that have not been granted any permissions. Remove organization and application users from groups.
View organization networking	`organization:networking:read`	View all organization VPCs.
Manage organization networking	`organization:networking:write`	Add, edit, and remove organization VPCs. Create and manage VPC peering connections.
Manage projects	`organization:projects:write`	Create and delete projects. Assign projects to billing groups. Add and remove project tags. Cannot otherwise access or move the project or its services.
Manage organization users	`organization:users:write`	Invite new users to the organization. View all invited users. Remove user invites. Deactivate, edit and delete managed users, including organization admin. Remove non-managed users from the organization, including organization admin. Reset passwords for managed users. View all authentication methods for an organization user. Revoke tokens for managed users. View all tokens generated by managed users.

Project roles and permissions

You can grant the following roles and permissions to principals. Roles and permissions granted at the project level apply to the project and all services within it. Project roles and permissions granted at the unit level apply to all projects and services within the unit.

These permissions apply to the project API endpoint /v1/organization/{organization_id}/projects.

Project roles

Console name	API name	Permissions
Admin	`admin`	Full access to the project except billing settings. Full access to all of the services in the project.
Developer	`developer`	View project event log. View project tags. View all services in the project. View project permissions. View service users. View project VPCs. Create databases. View service connection information. View integration endpoints. Get the project's software bill of materials download link. Create and change service database users. View static IP addresses. Remove Aiven for OpenSearch® indexes. Create and change Aiven for Apache Kafka® topics. Create and change Aiven for PostgreSQL® connection pools.
Operator	`operator`	Add, edit, and delete project tags. View project tags. View project permissions. Create, edit, and delete services and their configuration. Add and remove dynamic disk sizing and tiered storage. Power on and off services. Create a fork of a service. Enable and disable termination protection. Add and remove service contacts. Add, edit, and delete service tags. View service tags. Change clouds and regions. Change deployment models. Perform service maintenance updates. Create, edit, and delete project VPCs and peering connections. Update IP allowlists. Change the network configuration options. View all project VPCs. List all peering connections. View project event log. Get the project's software bill of materials report download link. Create, edit, and delete integration endpoints. Enable and disable service integrations. View integration endpoints. View all service integrations for the project, including integrations with services in other projects. View service users. Manage service users. View service user credentials. View the list of service backups. Configure backup settings. View service logs. Create, edit, delete, associate and dissociate static IP addresses.
Read only	`read_only`	View project event log. View project tags. View project permissions. View all services and their configuration. Cannot view Kafka Connect connector configurations. Viewing connector configurations requires the `service:data:write` permission because they can contain secrets in plain text. View integration endpoints. View static IP addresses.
Maintain services	`role:services:maintenance`	Perform service maintenance updates. Change maintenance windows. Upgrade service versions.
Recover services	`role:services:recover`	View all details for services in a project. Add and remove dynamic disk sizing and tiered storage. Change service plans. Create a fork of a service. Promote read replicas.

Project permissions

Console name	API name	Allowed actions
View project audit logs	`project:audit_logs:read`	View the logs for the project. View all services in the project.
View project integrations	`project:integrations:read`	View all integration endpoints for the project. View all service integrations for the project, including integrations with services in other projects.
Manage project integrations	`project:integrations:write`	Add and remove integration endpoints. Enable and disable service integrations. Create services to integrate an existing service with. Read and write integration secrets.
View project networking	`project:networking:read`	View all project VPCs. List all peering connections.
Manage project networking	`project:networking:write`	Create, edit, and delete project VPCs and peering connections. View all project VPCs and peering connections.
View project permissions	`project:permissions:read`	View all users granted permissions to a project.
View services	`project:services:read`	View all details for services in a project, except the service logs and metrics.
Manage services	`project:services:write`	Create and delete services. Power on and off services. Add and remove dynamic disk sizing and tiered storage. Change service plans. Change deployment models. Change clouds and regions. Update IP allowlists. Change the network configuration options. Add, edit, and delete service tags. Enable and disable termination protection. Configure backup settings. Add and remove service contacts. Create a fork of a service.
Manage service configuration	`service:configuration:write`	Change clouds and regions. Change deployment models. Update IP allowlists. Change the network configuration options. Add and remove service tags. Enable and disable termination protection. Configure backup settings. Add and remove service contacts.
Access data	`service:data:write`	Perform service queries through the API and Console. View query statistics and current queries. Manage service-specific features like Kafka Topics and Schemas, PostgreSQL connection pools, and OpenSearch indexes.
View service logs	`service:logs:read`	View logs for all services in the project. Service logs may contain sensitive information.
View configuration secrets	`service:secrets:read`	Read service configuration secrets such as keys. View service users.
Manage service users	`service:users:write`	Create and delete service users. View service users. View, update, and reset connection information for services. View service user credentials. Manage service user credentials. View all services in a project.

Manage permissions

Organization roles and permissions​

Organization roles​

Organization permissions​

Project roles and permissions​

Project roles​

Project permissions​