Tanzu Platform SaaS

About organization and service roles in Tanzu Platform

Last Updated February 19, 2025

This topic describes the roles you can assign to users to grant them permissions to access and use Tanzu Platform SaaS.

Tanzu Platform uses role-based access. There are three types of roles:

  • Organization roles
  • Service roles
  • Project roles

All users must have at least the organization member organization role to access the Tanzu Platform cloud services console and at least the Tanzu Platform viewer service role to open and view the Tanzu Platform UI.

The roles and permissions are explained in more detail in the following sections.

Organization roles

Organization roles provide access to the Tanzu Platform cloud services console. The roles have particular permissions. The following table provides an overview of the key roles. For more information about the how the roles affect general organization permissions, see Tanzu Platform cloud services organization roles.

RolePermissions
Organization ownerUsers can open the cloud services console, assign organization roles to all users, and assign service roles to all organization members, including to themselves
Organization administratorUsers can open the cloud services console and assign service roles to organization members
Organization memberUsers can open the cloud services console. To open a service, they must have a service role assigned by a owner or administrator.

Service roles

Service roles control what you can see and do in the Tanzu Platform UI. Some of the services that are presented in the Tanzu Platform UI require additional service roles. These roles are defined in the cloud services console by an organization owner or administrator.

You must give users at least the Tanzu Platform viewer role to open the Tanzu Platform UI.

The following table provides an overview of the service roles.

RoleDescription
Tanzu Platform AdminUsers can fully manage the resources, making changes where needed
Tanzu Platform ViewerUsers can see resources but cannot make changes
Tanzu Platform Developer BundleUsers have the Tanzu Platform Developer role as well as developer roles of other Tanzu services
Tanzu Platform Admin BundleUsers have the Tanzu Platform admin role and read-only roles for other Tanzu services unless another role is specifically granted for the service
Tanzu Platform Viewer BundleUsers have the Tanzu Platform viewer role and read-only roles for other Tanzu services unless another role is specifically granted for the service

How service roles interact with Project roles

A Project is a collection of resources to which you can assign users with different roles. For example, you might assign a user a Tanzu Platform Viewer role for the service, but you can assign them a Project administrator role to allow them to fully manage the resources in one Project.

Review the following ways that service roles interact with Project roles. The Tanzu Platform role is used as an example. The behavior applies to all service roles and how they interact with Projects.

  • A user with the Tanzu Platform Admin service role can perform all actions anywhere in Tanzu Platform.

  • A user with the service Tanzu Platform Viewer role can see everything in Tanzu Platform, but they can’t make any changes.

  • When resources are assigned to Projects, a user who has the Tanzu Platform Viewer role and the Tanzu Platform Viewer Project role can see only the resources in the Projects that they are members of.

  • If a user has the Tanzu Platform Viewer service role and the Tanzu Platform Admin Project role, they can see everything in Tanzu Platform. However, they can only make changes to the resources in their Projects. The Project admin role takes precedence over of the service viewer role for the Project.

  • If a user has the Tanzu Platform Admin service role and a Tanzu Platform Viewer Project role, they can make changes to the resources in that Project and to the resources in any Project. The service admin role takes precedence over Project viewer role.

Users can use the Project: selector in the header to switch between their Projects so that they only see resources assigned to the selected Project. If the user selects Projects: All they see all resources in their Projects.

The functionality available to you in Tanzu Platform is dependent upon your access permissions, the selected Project context, and the resources you have added into Tanzu Platform management. For example, some functionality is enabled only for administrators, and some functionality is enabled only when Project: All is selected.

  • When Project: All is selected, the functionality available is that which applies collectively to all of the projects in your organization.
  • When a specific Project is selected, the functionality available is that which applies an individual Project.
  • If you are associated with with a role that has permissions for an administrator, then you see the full set of functionality that is exposed for that role.
  • If you are associated with a role that has permissions for an app developer, then you will have access to the functionality that is exposed for that role.