Permissions Reference
This page provides a comprehensive reference of all available permissions in edgeContinuum. Permissions are used to control what users and groups can do within the platform and are organized by service and resource type.
Understanding Permissions
edgeContinuum uses a relationship-based access control (ReBAC) model where:
- Permissions are granted through role bindings that connect users or groups to roles
- Roles are collections of permissions that can be assigned at organization or project level
- Organization-level permissions can inherit to projects within that organization (marked with ✓ in the Inheritable column)
- Project-level permissions apply only to that specific project
Scope Levels
- Org: Permission can be granted at the organization level (may inherit to projects)
- Project: Permission can be granted at the project level (applies only to that project)
- Org/Project: Permission can be granted at either level
Resource Manager Permissions
Resource manager permissions control access to organizations, projects, users, and groups.
Organization Management
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_organization_get | Org | ✓ | View organization details |
| resourcemanager_organization_update | Org | ✗ | Update organization settings |
| resourcemanager_organization_patch | Org | ✗ | Patch organization settings |
| resourcemanager_organization_delete | Org | ✗ | Delete organization |
Project Management
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_project_create | Org | ✗ | Create project |
| resourcemanager_project_get | Org/Project | ✓ | View project details |
| resourcemanager_project_list | Org/Project | ✓ | List projects |
| resourcemanager_project_update | Org/Project | ✗ | Update project |
| resourcemanager_project_patch | Org/Project | ✗ | Patch project |
| resourcemanager_project_delete | Org/Project | ✗ | Delete project |
Organization Users
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_organization_user_add | Org | ✗ | Add user to organization |
| resourcemanager_organization_user_list | Org | ✓ | List organization users |
| resourcemanager_organization_user_get | Org | ✓ | View organization user details |
| resourcemanager_organization_user_update | Org | ✗ | Update organization user |
| resourcemanager_organization_user_delete | Org | ✗ | Remove user from organization |
Project Users
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_project_user_add | Project | ✗ | Add user to project |
| resourcemanager_project_user_get | Project | ✗ | View project user details |
| resourcemanager_project_user_list | Project | ✗ | List project users |
| resourcemanager_project_user_update | Project | ✗ | Update project user |
| resourcemanager_project_user_remove | Project | ✗ | Remove user from project |
Organization Groups
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_organization_group_add | Org | ✗ | Create group in organization |
| resourcemanager_organization_group_list | Org | ✓ | List organization groups |
| resourcemanager_organization_group_get | Org | ✓ | View group details |
| resourcemanager_organization_group_update | Org | ✗ | Update group |
| resourcemanager_organization_group_delete | Org | ✗ | Delete group |
Project Groups
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_project_group_add | Project | ✗ | Add group to project |
| resourcemanager_project_group_list | Project | ✗ | List project groups |
| resourcemanager_project_group_get | Project | ✗ | View project group details |
| resourcemanager_project_group_update | Project | ✗ | Update project group |
| resourcemanager_project_group_delete | Project | ✗ | Remove group from project |
Group Management
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_group_create | Org | ✗ | Create group |
| resourcemanager_group_get | Org | ✓ | View group details |
| resourcemanager_group_list | Org | ✓ | List groups |
| resourcemanager_group_update | Org | ✗ | Update group |
| resourcemanager_group_patch | Org | ✗ | Patch group |
| resourcemanager_group_delete | Org | ✗ | Delete group |
Group Users
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_group_user_add | Org | ✗ | Add user to group |
| resourcemanager_group_user_list | Org | ✓ | List group members |
| resourcemanager_group_user_delete | Org | ✗ | Remove user from group |
Organization Quota Management
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| resourcemanager_organization_quota_profile_register | Org | ✗ | Register quota profile |
| resourcemanager_organization_quota_profile_deregister | Org | ✗ | Deregister quota profile |
| resourcemanager_organization_quota_profile_update | Org | ✗ | Update quota profile |
| resourcemanager_organization_quota_profile_get | Org | ✓ | View quota profile |
| resourcemanager_organization_quota_get | Org | ✓ | View organization quota usage |
Infrastructure Permissions
Infrastructure permissions control access to regions, zones, and infrastructure resources.
Regions
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| region_create | Org | ✗ | Create region |
| region_get | Org | ✓ | View region details |
| region_list | Org | ✓ | List regions |
| region_update | Org | ✗ | Update region |
| region_delete | Org | ✗ | Delete region |
Zones
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| zone_create | Org | ✗ | Create zone |
| zone_get | Org | ✓ | View zone details |
| zone_list | Org | ✓ | List zones |
| zone_update | Org | ✗ | Update zone |
| zone_delete | Org | ✗ | Delete zone |
Infrastructure
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| infra_create | Org | ✗ | Create infrastructure |
| infra_get | Org | ✓ | View infrastructure details |
| infra_list | Org | ✓ | List infrastructures |
| infra_update | Org | ✗ | Update infrastructure |
| infra_delete | Org | ✗ | Delete infrastructure |
| infra_openstack_* | Org | ✓ | OpenStack compatibility aliases |
Infrastructure Profiles
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| infra_profile_create | Org | ✗ | Create infrastructure profile |
| infra_profile_get | Org | ✓ | View infrastructure profile |
| infra_profile_list | Org | ✓ | List infrastructure profiles |
| infra_profile_update | Org | ✗ | Update infrastructure profile |
| infra_profile_delete | Org | ✗ | Delete infrastructure profile |
Managed Services Permissions
Managed services permissions control access to Kubernetes clusters and virtual machines.
Managed Kubernetes Service (MKS)
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| mks_create | Org/Project | ✓ | Create Kubernetes cluster |
| mks_get | Org/Project | ✓ | View cluster details |
| mks_list | Org/Project | ✓ | List clusters |
| mks_update | Org/Project | ✗ | Update cluster |
| mks_delete | Org/Project | ✗ | Delete cluster |
Managed VM Service (MVMS)
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| mvms_create | Org/Project | ✓ | Create VM |
| mvms_get | Org/Project | ✓ | View VM details |
| mvms_list | Org/Project | ✓ | List VMs |
| mvms_update | Org/Project | ✗ | Update VM |
| mvms_delete | Org/Project | ✗ | Delete VM |
Application Orchestration Permissions
Application orchestration permissions control access to managed application resources through the Edge Orchestrator (MEO).
Application Templates
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| meo_application_template_get | Org/Project | ✓ | View application template |
| meo_application_template_list | Org/Project | ✓ | List application templates |
| meo_application_template_create | Org/Project | ✓ | Create application template |
| meo_application_template_update | Org/Project | ✗ | Update application template |
| meo_application_template_patch | Org/Project | ✗ | Patch application template |
| meo_application_template_delete | Org/Project | ✗ | Delete application template |
Application Instances
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| meo_application_instance_get | Org/Project | ✓ | View application instance |
| meo_application_instance_list | Org/Project | ✓ | List application instances |
| meo_application_instance_create | Org/Project | ✓ | Create application instance |
| meo_application_instance_update | Org/Project | ✗ | Update application instance |
| meo_application_instance_patch | Org/Project | ✗ | Patch application instance |
| meo_application_instance_delete | Org/Project | ✗ | Delete application instance |
Application Clusters
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| meo_application_cluster_get | Org/Project | ✓ | View application cluster |
| meo_application_cluster_list | Org/Project | ✓ | List application clusters |
| meo_application_cluster_create | Org/Project | ✓ | Create application cluster |
| meo_application_cluster_update | Org/Project | ✗ | Update application cluster |
| meo_application_cluster_patch | Org/Project | ✗ | Patch application cluster |
| meo_application_cluster_delete | Org/Project | ✗ | Delete application cluster |
| meo_application_cluster_getfleet | Org/Project | ✓ | Get cluster fleet |
Cluster Fleets
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| meo_application_clusterfleet_get | Org/Project | ✓ | View cluster fleet |
| meo_application_clusterfleet_list | Org/Project | ✓ | List cluster fleets |
| meo_application_clusterfleet_create | Org/Project | ✓ | Create cluster fleet |
| meo_application_clusterfleet_update | Org/Project | ✗ | Update cluster fleet |
| meo_application_clusterfleet_patch | Org/Project | ✗ | Patch cluster fleet |
| meo_application_clusterfleet_delete | Org/Project | ✗ | Delete cluster fleet |
| meo_application_clusterfleet_addcluster | Org/Project | ✗ | Add cluster to fleet |
| meo_application_clusterfleet_removecluster | Org/Project | ✗ | Remove cluster from fleet |
Cluster Fleet Instances
| Permission | Scope | Inheritable | Description |
|---|---|---|---|
| meo_application_clusterfleetinstance_get | Org/Project | ✓ | View cluster fleet instance |
| meo_application_clusterfleetinstance_list | Org/Project | ✓ | List cluster fleet instances |
| meo_application_clusterfleetinstance_create | Org/Project | ✓ | Create cluster fleet instance |
| meo_application_clusterfleetinstance_patch | Org/Project | ✗ | Patch cluster fleet instance |
| meo_application_clusterfleetinstance_delete | Org/Project | ✗ | Delete cluster fleet instance |
Permission Inheritance
Some organization-level permissions automatically apply to projects within that organization. This inheritance happens through the authorization model:
How Inheritance Works
    Organization (acme-corp)
      └─ mks_get (inheritable ✓)
          ├─ Project A (backend-api)
          │   └─ Inherits: mks_get
          │
          └─ Project B (frontend-app)
              └─ Inherits: mks_get
When a user or group has an inheritable organization-level permission:
- They automatically have that permission in all projects
- Project-level permissions can still grant or restrict access further
- Permissions are checked through multiple paths: direct project grants, group membership, and organization inheritance
Permission Resolution
When checking if a user can perform an action on a project, the system checks:
- Direct role bindings on the project
- Group memberships and their role bindings on the project
- Organization-level role bindings (inherited permissions)
- Organization-level group role bindings
The user has access if any of these paths grants the required permission.
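The resolution order above can be modelled as a small resolver that also reports which path granted access, which is the view an access review needs. This is an added example, not edgeContinuum code: the role names, users, groups and bindings are constructed, and it assumes an organization-level grant reaches a project only when the permission is marked inheritable in the tables on this page.

```python
from dataclasses import dataclass

# Inheritable column for the MKS permissions, copied from the table on this page.
INHERITABLE = {"mks_create": True, "mks_get": True, "mks_list": True,
               "mks_update": False, "mks_delete": False}

# Constructed sample data: role, user and group names are hypothetical.
ROLES = {"cluster-viewer": {"mks_get", "mks_list"},
         "cluster-admin": {"mks_get", "mks_update", "mks_delete"}}
GROUPS = {"platform-team": {"alice"}, "sre": {"bob"}}

@dataclass(frozen=True)
class Binding:
    subject: str  # "user:<name>" or "group:<name>"
    role: str
    scope: str    # "org:<name>" or "project:<name>"

BINDINGS = [
    Binding("user:alice", "cluster-admin", "org:acme-corp"),
    Binding("group:sre", "cluster-viewer", "org:acme-corp"),
    Binding("group:platform-team", "cluster-viewer", "project:backend-api"),
    Binding("user:bob", "cluster-admin", "project:frontend-app"),
]

def resolve(user, permission, project, org="acme-corp"):
    """Return every path that grants `permission` on `project`; [] means deny."""
    subjects = {f"user:{user}"}
    subjects |= {f"group:{g}" for g, members in GROUPS.items() if user in members}
    paths = []
    for b in BINDINGS:
        if b.subject not in subjects or permission not in ROLES[b.role]:
            continue
        via = "group" if b.subject.startswith("group:") else "direct"
        if b.scope == f"project:{project}":
            paths.append(f"{via} project binding ({b.role})")
        # Assumption: an org-level grant reaches a project only when the
        # permission is marked inheritable in the tables above.
        elif b.scope == f"org:{org}" and INHERITABLE.get(permission, False):
            paths.append(f"{via} org binding, inherited ({b.role})")
    return paths

if __name__ == "__main__":
    for user, perm, proj in [("alice", "mks_get", "backend-api"),
                             ("alice", "mks_delete", "backend-api"),
                             ("bob", "mks_delete", "frontend-app")]:
        print(user, perm, proj, "->", resolve(user, perm, proj) or "DENY")
```

In this sample, alice holds cluster-admin at the organization level but is still denied mks_delete on backend-api, because mks_delete is not inheritable and no project-level binding grants it.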
Special Roles
Super Admin
The super_admin role has special access:
- Grants all available permissions through all_permissions
- Applies at organization level with full inheritance to projects
- Intended for organization owners and administrators
Best Practices
- Use roles for consistency: Create custom roles for common job functions rather than assigning individual permissions
- Leverage groups: Assign roles to groups rather than individual users for easier management
- Apply least privilege: Grant only the permissions needed for users to perform their work
- Plan inheritance: Use organization-level inheritable permissions to establish baseline access, then use project-level permissions for fine-grained control
- Audit regularly: Review who has what permissions to ensure they align with current team structure and responsibilities
- Use meaningful role names: Create role names that clearly describe their purpose (e.g., "project-viewer", "infrastructure-admin")