Roles and Permissions in User Management

System Defined Roles

Facets provides a few system defined roles out of the box for a quick start to user management.

You can find the details of the roles in the table below.

Base Role | Roles
CC-ADMIN | All pages, buttons and actions are accessible to the ADMIN role, including those in the DEVELOPER and VIEWER roles.
DEVELOPER | The following actions are available for the DEVELOPER role in the listed screens:
  • Environments screen: Pause/Resume Releases.
  • Secrets and Variables screen: Edit an Entry and Submit Changes.
  • Releases screen: Configure Release and Selective Release, Schedule Release and Unlock State.
  • Overrides screen: Add and Delete Override.
  • Backup screen: Create Snapshots.
  • Provided Resources screen: Update Resources.
  • Template Inputs screen: Create New Tenants and Edit Tenants.
  • Alerts Centre screen: Silence Alert.
  • All the access privileges of the VIEWER role.
VIEWER | View-only access.
CC-GUEST | Usually assigned to a new user by default. Useful for an Admin to filter and assign a role later.
CLUSTER_ADMIN | Perform Releases in an Environment.

Custom Roles

  • Admins can create and edit Custom Roles under User Management.
Create Custom Role button

  • Each role can be assigned specific Granular Permissions.
Assign specific Permissions for a Custom Role

Refer to the Granular Permissions section for a description of all permissions.

  • You can also Clone Permissions from an existing role (Custom or System Defined) to make managing permissions easier.

Additional Roles

A User Group can be assigned Additional Roles that give access to specific actions in your Control Plane.

Additional Roles | Description
K8S_READER | Can download K8s credentials and perform read-only operations.
K8S_DEBUGGER | Can download K8s credentials and perform write operations on Kubernetes.
CLI_ARTIFACT_PUSH | Can push artifacts using Facets CLI.

Additional Roles in the Create/Edit User Group screen

Granular Permissions for RBAC roles

RBAC roles defined in Facets have a list of associated permissions that grant the user privileges to perform certain actions, as listed in the Base Roles table. A comprehensive list of permissions follows.

ALERTS_CONFIGURE | Grants permission to configure alerts.
APPLICATION_ROLLING_RESTART | Grants permission to initiate a rolling restart for an application.
ARTIFACTORY_WRITE | Grants permissions to create and edit artifactories.
ARTIFACTS_DELETE | Grants permissions to delete artifacts.
ARTIFACTS_WRITE | Grants write permissions for actions related to artifacts.
CHANNEL_WRITE | Grants permission to create and edit channels.
ENVIRONMENT_CONFIGURE | Grants permission to configure environments.
ENVIRONMENT_DELETE | Grants permission to delete environments.
ENVIRONMENT_DESTROY | Grants permission to destroy environments.
ENVIRONMENT_LAUNCH | Grants permission to launch environments.
ENVIRONMENT_WRITE | Grants permission to create, edit and configure environments.
OAUTH_INTEGRATION_DELETE | Grants permission to delete OAuth integration.
OAUTH_INTEGRATION_WRITE | Grants permission to add and edit OAuth integration.
STACK_CONFIGURE | Grants permission to pause and unpause releases in an environment.
STACK_WRITE | Grants permission to add and edit blueprints.
SUBSCRIPTION_DELETE | Grants permission to delete subscriptions.
SUBSCRIPTION_WRITE | Grants permission to create and edit subscriptions.
TEMPLATE_WRITE | Grants permission to create and edit tenants.
USER_WRITE | Grants permission to create and edit users and also edit passwords.