Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
|
Kong Gateway
3.7.x
github-edit-pageEdit this page
report-issueReport an issue
You are browsing documentation for an older version. See the latest documentation here.

Create an RBAC User

Admins vs. RBAC users

  Admin API Kong Manager
Admins ✔️ ✔️
RBAC users ✔️ X

An RBAC user has the ability to access the Kong Gateway Admin API. The permissions assigned to their role will define the types of actions they can perform with various Admin API objects.

An admin, like an RBAC user, has the ability to access the Kong Gateway Admin API. The admin also has the ability log in to Kong Manager. Like an RBAC user, an admin’s role determines the types of actions it can perform, except that they also have the ability to benefit from Kong Manager’s interface and visualizations.

If creating a service account for Kong Gateway, e.g., for a machine as part of an automated process, then an RBAC User is adequate.

If creating a personal account for Kong Gateway, then admin may be preferable since it also has access to Kong Manager.

Prerequisites

Add an RBAC user in Kong Manager

  1. From the dashboard, click the Teams tab.

  2. On the Teams page, click the RBAC Users tab.

  3. Using the dropdown menu, select which Workspace the new user has access to.

    Note: The Default Workspace is global, meaning the RBAC user with access to default has access to entities across all other Workspaces. This workspace assignment is useful for administrative and auditing accounts, but not for members of specific teams.

  4. Click the Add New User button to open the registration form.

  5. Fill out the Add New User registration form.

    • The name of the RBAC user must be globally unique, even if two users are in different workspaces, and it can’t have the same name as an admin account. These naming conventions are important if using OIDC, LDAP, or another external method of identity and access management.
    • The RBAC user account is enabled by default. If you want the RBAC user account to start in a disabled state and enable it later, uncheck the Enabled box.

  6. Click the Add/Edit Roles button. Select the role (or roles) desired for the new RBAC User.

    • If the RBAC user has no roles assigned, it will not have permission to access any objects.
    • An RBAC user’s role assignments may be altered later if needed.
    • The roles can only belong to one workspace, as selected in Step 3.
    • To provide an RBAC user with access to objects in multiple workspaces, see Step 3.

  7. Click Create User to complete the user registration.

    The page will automatically redirect back to the Teams page, where the new user is listed.