Skip to content

How access control is evaluated

Project Membership

A user "belongs" to a project if there exists at least one role binding that links the user to any role and either:

  • a specific project, or
  • no project (global role binding, i.e., applies the permissions of the role to all projects).

Permission checks

Every access decision—view, edit, admin—is based on the existence of a role binding that grants the required permission on the relevant scope (project or global).

  • A project-level admin permission satisfies any project-level permission requirement.
  • A global admin permission satisfies both global and any project-level permission requirements.

Active Project

Selecting the Active Project on the web application

When the feature flag is enabled, a new selector for the currently selected project is available in the page breadcrumb. This selector is used to filter the resources displayed in the different pages. Changing it reloads the current view with the selected Active Project.

Active Project selector

The "Default" Project

The "Default" project is the project that is selected when no project is selected. When selected, the different pages will display any resources the user has access to, regardless of the project they are in.

Actions on the default project require global role bindings.