Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • Org Management
  • Teams And Roles
  • Roles reference
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • Introduction
    • Overview of Konnect
    • Architecture
    • Network Resiliency and Availability
    • Port and Network Requirements
    • Private Connections to Other Cloud Providers
      • Create a private connection with AWS PrivateLink
    • Geographic Regions
    • Centralized consumer management
    • Compatibility
    • Stages of Software Availability
    • Release Notes
    • Support
      • Control Plane Upgrades FAQ
      • Supported Installation Options
  • Get Started
    • Overview
    • Add your API
    • Migrating a Self-Managed Kong Gateway into Konnect
  • Gateway Manager
    • Overview
    • Dedicated Cloud Gateways
      • Overview
      • Provision a Dedicated Cloud Gateway
      • Securing Backend Traffic
      • Transit Gateways
      • Azure VNET Peering
      • Custom Domains
      • Custom Plugins
      • Data plane logs
    • Serverless Gateways
      • Overview
      • Provision a serverless Gateway
      • Securing Backend Traffic
      • Custom Domains
    • Data Plane Nodes
      • Installation Options
      • Upgrade a Data Plane Node
      • Verify a Data Plane Node
      • Secure Control Plane/Data Plane Communications
      • Renew Data Plane Certificates
      • Parameter Reference
      • Using Custom DP Labels
    • Control Plane Groups
      • Overview
      • Working with Control Plane Groups
      • Migrate Configuration into Control Plane Groups
      • Conflicts in Control Planes
    • Kong Gateway Configuration in Konnect
      • Overview
      • Manage Plugins
        • Overview
        • Adding Custom Plugins
        • Updating Custom Plugins
        • How to Create Custom Plugins
      • Create Consumer Groups
      • Secrets Management
        • Overview
        • Konnect Config Store
        • Set Up and Use a Vault in Konnect
      • Manage Control Plane Configuration with decK
    • Active Tracing
      • Overview
    • KIC Association
    • Backup and Restore
    • Version Compatibility
    • Troubleshooting
  • Mesh Manager
    • Overview
    • Create a mesh with the Kubernetes demo app
    • Federate a zone control plane to Konnect
    • Migrate a self-managed zone control plane to Konnect
  • Service Catalog
    • Overview
    • Integrations
      • Overview
      • Datadog
      • GitHub
      • GitLab
      • PagerDuty
      • SwaggerHub
      • Traceable
      • Slack
    • Scorecards
  • API Products
    • Overview
    • Product Documentation
    • Productize a Service
  • Dev Portal
    • Overview
    • Dev Portal Configuration Preparation
    • Create a Dev Portal
    • Sign Up for a Dev Portal Account
    • Publish an API to Dev Portal
    • Access and Approval
      • Manage Developer Access
      • Manage Developer Team Access
      • Add Developer Teams from IdPs
      • Manage Application Registrations
      • Configure generic SSO for Dev Portal
      • Configure Okta SSO for Dev Portal
    • Application Lifecycle
    • Register and create an application as a developer
    • Enable and Disable App Registration for API Product Versions
    • Dynamic Client Registration
      • Overview
      • Okta
      • Curity
      • Auth0
      • Azure
      • Custom IdP
    • Portal Management API Automation Guide
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Portal Customization
      • Overview
      • About Self-Hosted Dev Portal
      • Host your Dev Portal with Netlify
      • Custom Domains
    • Dev Portal SDK
    • Troubleshoot
  • Advanced Analytics
    • Overview
    • Dashboard
    • Explorer
    • Analyze API Usage and Performance with Reports
    • Requests
  • Org Management
    • Plans and Billing
    • Authentication and Authorization
      • Overview
      • Teams
        • Overview
        • Manage Teams
        • Teams Reference
        • Roles Reference
      • Manage Users
      • Manage System Accounts
      • Personal Access Tokens
      • Social Identity Login
      • Org Switcher
      • Configure Generic SSO
      • Configure Okta SSO
      • Login Sessions Reference
      • Troubleshoot
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Account and Org Deactivation
  • API
    • Overview
    • API Request API (Beta)
      • API Spec
    • API Products API
      • API Spec
    • Audit Logs API
      • API Spec
      • Audit Log Webhooks
    • Control Plane API
      • API Spec
    • Control Plane Configuration API
      • API Spec
    • Cloud Gateways API
      • API Spec
    • Identity API
      • API Spec
      • Identity Integration Guide
      • SSO Customization
    • Konnect Search API (Beta)
      • API Spec
    • Mesh Manager API
      • API Spec
      • Kong Mesh API Reference
    • Portal Client API
      • API Spec
    • Portal Management API
      • API Spec
    • Reference
      • Filtering
      • API Errors
  • Reference
    • Labels
    • Plugin Ordering Reference
    • Konnect Search
    • Terraform Provider
    • Audit Logs
    • Verify audit log signatures
    • IdP SAML attribute mapping
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • API products
  • Control Planes
  • Mesh control planes
  • Networks
  • Service Catalog
  • Portals
  • Application Auth Strategies
  • DCR
  • Identity

Roles reference

A team can have any number of roles. See Manage Teams and Roles. All predefined roles and teams automatically get access to all geographic regions in your Konnect instance.

The following predefined roles are available in Konnect:

API products

Role Description
Admin Admin of an existing API product. The admins have all write access permissions related to a API product, API product version, etc.
Application Registration Access to enable or disable application registration for an API Product.
Creator Access to create new API product in API Products. The creator becomes the owner of the API product they create, gaining admin access to the API product. This role does not provide access to creating sub-entities in an API product such as API product versions or API specs, or link the API product version to a Gateway service. See the Admin or Maintainer role.
Maintainer Access to fully manage an API product and its API product versions including app registration, publishing documentation, etc.
Publisher Access to publish an API product to the Dev Portal.
Viewer Read-only access on an API product including API product versions and its configuration, analytics, and documentation.

Control Planes

Role Description
Admin Owner of an existing control plane group. Admins have write access to control plane nodes, and the control plane group’s corresponding data plane nodes.
Certificate Admin Access to configure certificates for an existing control plane group.
Cloud Gateway Cluster Admin Access to all read and write permissions related to cloud-gateways configurations and custom domains.
Cloud Gateway Cluster Viewer Access to read-only permissions to cloud-gateways configurations and custom domains.
Consumer Admin Access to configure consumers for an existing control plane group.
Creator Access to create a new control plane group in Gateway Manager. The creator becomes the owner and admin of the control plane group they create.

This role does not grant access to existing control plane groups, data plane nodes, or their configurations. See the Admin or Deployer roles.
Deployer This role grants full write access to administer services, routes, and plugins necessary to deploy services in Service Catalog. Must also have the Deployer role for the service being deployed.
Gateway Service Admin Access to configure Gateway services for an existing control plane group.
Key Admin Access to configure keys for an existing control plane group.
Plugin Admin Access to configure plugins for an existing control plane group.
Route Admin Access to configure routes for an existing control plane group.
Serverless Cluster Admin Access to all read and write permissions related to serverless cloud-gateways configurations.
Serverless Cluster Viewer Access to read-only permissions to serverless cloud-gateways configurations.
SNI Admin Access to configure SNIs for an existing control plane group.
Upstream Admin Access to configure upstreams for an existing control plane group.
Vault Admin Access to configure vaults for an existing control plane group.
Viewer Read-only access to all the configurations of a control plane group and corresponding data plane nodes.

Mesh control planes

Role Description
Admin Owner of an existing mesh control plane. The owners have all write access related to a control plane and its configuration.
Creator Access to create a new mesh control plane in Mesh Manager. The creator becomes the owner of the control plane they create, gaining admin access to the new control plane.

This role does not grant access to existing control planes or their configurations. See the mesh control plane Admin role.
Viewer Read-only access to all the configurations of a Konnect mesh control plane, including zones, Zone Ingress and Egress, meshes, and RBAC.

Networks

Role Description
Network Admin Access to all read and write permissions related to a network.
Network Creator Access to creating networks.
Network Viewer Access to read-only permissions to networks.

Service Catalog

Role Description
Integration Admin Can view and edit all integrations (install/authorize).
Integration Viewer Access to read-only permissions to integrations.
Scorecard Viewer Access to read-only permissions to scorecards.
Scorecard Admin Can view and edit Scorecards.
Service Admin Can view and edit a select list of Service Catalog services, map resources to those services, manage all resources, and has read-only access to all integrations and integration instances.
Service Creator Can create new Service Catalog services, becomes the Service Admin for any service they create, and can view and edit all resources. Includes read-only access to all integrations and integration instances.

This role does not grant access to existing services or their configurations. See the Service Admin role.

This role does not grant write access to integration instances. See the Integration Admin role.
Service Viewer Can view a select list of services and all resources and discovery rules.

Portals

Role Description
Admin Owner of an existing Dev Portal instance. The owner has full write access related to any developers and applications in the organization.
Appearance Maintainer Access the Portal instance and edit its appearance.
Creator Create new Portals.
Maintainer Edit, view, and delete Dev Portal applications, and view developers.
Product Publisher Manage publishing products to a Dev Portal.
Viewer Read-only access to Dev Portal developers and applications.

Application Auth Strategies

Role Description
Creator Create new app auth strategies.
Maintainer Edit one or all app auth strategies.
Viewer Read-only access to one or all app auth strategies.

DCR

Role Description
Creator Create new DCR providers.
Maintainer Edit one or all DCR providers.
Viewer Read-only access to one or all DCR providers.

Identity

Role Description
Admin This role grants full write access to all identity resources.
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025