Security principal

A security principal refers to an entity that is authenticated and authorized to perform various operations and access resources in RisingWave Cloud. You can assign a role to any of these security principals:

  • Service account: Typically represents an application. It accesses RisingWave Cloud resources on the application’s behalf, using API keys for authentication.
  • User: Typically represents an individual user who interacts with resources via the user interface.

Role permissions and limitations

Below are permissions and limitations for roles to ensure that each service account or user has appropriate access tailored to their responsibilities.

To grant a role to your account, go to Organization > Role management, then click Edit roles on the right side.

RolePermissionsLimitations
OrganizationAdminFull control over tenants and related resources.Management of service accounts, users, invitations, and RoleBinding.Access to all billing resources.Cannot modify their own admin RoleBinding.
OrganizationMemberView access to all tenants.View service accounts, users, and invitations.No permissions for tenant-related operations (create, update, delete).No permissions for service accounts, users, or invitations operations (create, update, delete).No access to billing resources.
BillingManagerFull access to all billing resources.No access to any other operations outside of billing.
ProjectAdminFull access to operations related to any tenants.No access to billing operations, service accounts, users, or invitations.

RoleBinding

RoleBindings ensure that only authorized entities have access to resources and operations based on their defined roles.

Prerequisite

Only the OrganizationAdmin has the permission to manage user’s RoleBinding.

Scenario

User scenariosDescription
Invite a user to the organizationCurrently, you can only invite a new user as an OrganizationMember. If you want to grant more permissions to the target user, please go to Organization > Role management > Users to modify after the user accepts the invitation.
Create a service account in the organizationThe service account RoleBinding is used for authorization when accessing Cloud APIs using the service account’s API keys. By default, the service account is assigned the read-only OrganizationMember role. If you need to assign more permissions to the service account, please go to Organization > Role management > Service Accounts to add other roles.
Delete or add RoleBinding for a userGo to Organization > Role management > Users, click the corresponding Edit Roles of the specific role. A popup window will appear, allowing you to uncheck the role or select the new ones. Click Confirm to save the change.
Delete or add RoleBinding for the service accountGo to Organization > Role management > Users, click the corresponding Edit Roles of the specific service account. A popup window will appear, allowing you to uncheck the role or select the new ones. Click Confirm to save the change.

Every organization needs at least one OrganizationAdmin user. Any attempt to delete the last OrganizationAdmin RoleBinding will fail.