You are browsing documentation for an outdated version. See the
latest documentation here.
RBAC in Kong Manager
In addition to authenticating Admins and segmenting Workspaces,
Kong Gateway has the ability to enforce Role-Based Access Control
(RBAC) for all resources with the use of Roles assigned to Admins.
As the Super Admin (or any Role with read and write
access to the
/rbac endpoints), it is possible to
create new Roles and customize Permissions.
In Kong Manager, RBAC affects how Admins are able to navigate
through the application.
Kong includes Role-Based Access Control (RBAC). Every Admin using Kong Manager
will need an assigned Role based on the resources they have Permission to access.
When a Super Admin starts Kong for the first time, the
default Workspace will
include three default Roles:
super-admin. The three
Roles have Permissions related to every Workspace in the cluster.
Similarly, if a Role is confined to certain Workspaces, the Admin assigned to it
will not be able to see either the overview or links to other Workspaces.
If a Role does not have Permission to access entire endpoints,
the Admin assigned to the Role will not be able to see the related navigation links.
Important: Although a default Admin has full permissions with every
endpoint in Kong, only a Super Admin has the ability to assign and modify RBAC Permissions. An Admin is not able to modify their own Permissions or delimit a Super Admin’s Permissions.
RBAC in Workspaces
RBAC Roles and Permissions will be specific to a Workspace if they are assigned
from within one. For example, if there are two Workspaces, Payments and
Deliveries, an Admin created in Payments will not have access to any
endpoints in Deliveries.
When a Super Admin creates a new Workspace, there are three default Roles that
mirror the cluster-level Roles, and a fourth unique to each Workspace:
These roles can be viewed in the Teams tab under Roles
Important: Any Role assigned in the Default Workspace will have
Permissions applied to all subsequently created Workspaces. A Super Admin
default has RBAC Permissions across all Workspaces.