Roles reference
A team can have any number of roles.
See Manage Teams and Roles. All predefined roles and teams automatically get access to all geographic regions in your Konnect instance.
The following predefined roles are available in Konnect:
API products
| Role | Description |
| --- | --- |
| Admin | Admin of an existing API product. Admins have all write access permissions related to an API product, API product version, etc. |
| Application Registration | Access to enable or disable application registration for an API product. |
| Creator | Access to create a new API product in API Products. The creator becomes the owner of the API product they create, gaining admin access to the API product. This role does not provide access to creating sub-entities in an API product, such as API product versions or API specs, or to linking the API product version to a Gateway service. See the Admin or Maintainer role. |
| Maintainer | Access to fully manage an API product and its API product versions, including app registration, publishing documentation, etc. |
| Publisher | Access to publish an API product to the Dev Portal. |
| Viewer | Read-only access on an API product, including API product versions and its configuration, analytics, and documentation. |
Control Planes
| Role | Description |
| --- | --- |
| Admin | Owner of an existing control plane group. Admins have write access to control plane nodes, and the control plane group’s corresponding data plane nodes. |
| Certificate Admin | Access to configure certificates for an existing control plane group. |
| Cloud Gateway Cluster Admin | Access to all read and write permissions related to cloud-gateways configurations and custom domains. |
| Cloud Gateway Cluster Viewer | Access to read-only permissions to cloud-gateways configurations and custom domains. |
| Consumer Admin | Access to configure consumers for an existing control plane group. |
| Creator | Access to create a new control plane group in Gateway Manager. The creator becomes the owner and admin of the control plane group they create. This role does not grant access to existing control plane groups, data plane nodes, or their configurations. See the Admin or Deployer roles. |
| Deployer | This role grants full write access to administer services, routes, and plugins necessary to deploy services in Service Catalog. The user must also have the Deployer role for the service being deployed. |
| Gateway Service Admin | Access to configure Gateway services for an existing control plane group. |
| Key Admin | Access to configure keys for an existing control plane group. |
| Plugin Admin | Access to configure plugins for an existing control plane group. |
| Route Admin | Access to configure routes for an existing control plane group. |
| Serverless Cluster Admin | Access to all read and write permissions related to serverless cloud-gateways configurations. |
| Serverless Cluster Viewer | Access to read-only permissions to serverless cloud-gateways configurations. |
| SNI Admin | Access to configure SNIs for an existing control plane group. |
| Upstream Admin | Access to configure upstreams for an existing control plane group. |
| Vault Admin | Access to configure vaults for an existing control plane group. |
| Viewer | Read-only access to all the configurations of a control plane group and corresponding data plane nodes. |
Mesh control planes
| Role | Description |
| --- | --- |
| Admin | Owner of an existing mesh control plane. The owners have all write access related to a control plane and its configuration. |
| Creator | Access to create a new mesh control plane in Mesh Manager. The creator becomes the owner of the control plane they create, gaining admin access to the new control plane. This role does not grant access to existing control planes or their configurations. See the mesh control plane Admin role. |
| Viewer | Read-only access to all the configurations of a Konnect mesh control plane, including zones, Zone Ingress and Egress, meshes, and RBAC. |
Networks
| Role | Description |
| --- | --- |
| Network Admin | Access to all read and write permissions related to a network. |
| Network Creator | Access to create networks. |
| Network Viewer | Access to read-only permissions to networks. |
Service Catalog
| Role | Description |
| --- | --- |
| Discovery Admin | Access to all read and write permissions related to service discoveries. |
| Discovery Viewer | Access to read-only permissions related to service discoveries. |
| Integration Admin | Can view and edit all integrations (install/authorize). |
| Integration Viewer | Access to read-only permissions to integrations. |
| Service Admin | Can view and edit a select list of services, map resources to those services, and manage all resources and discovery rules. |
| Service Creator | Can create new services, becomes the service admin for any service they create, and can view, edit, and create all resources and discovery rules. |
| Service Viewer | Can view a select list of services and all resources and discovery rules. |
Portals
| Role | Description |
| --- | --- |
| Admin | Owner of an existing Dev Portal instance. The owner has full write access related to any developers and applications in the organization. |
| Appearance Maintainer | Access the Portal instance and edit its appearance. |
| Creator | Create new Portals. |
| Maintainer | Edit, view, and delete Dev Portal applications, and view developers. |
| Product Publisher | Manage publishing products to a Dev Portal. |
| Viewer | Read-only access to Dev Portal developers and applications. |
Application Auth Strategies
| Role | Description |
| --- | --- |
| Creator | Create new app auth strategies. |
| Maintainer | Edit one or all app auth strategies. |
| Viewer | Read-only access to one or all app auth strategies. |
DCR
| Role | Description |
| --- | --- |
| Creator | Create new DCR providers. |
| Maintainer | Edit one or all DCR providers. |
| Viewer | Read-only access to one or all DCR providers. |
Identity
| Role | Description |
| --- | --- |
| Admin | This role grants full write access to all identity resources. |