Role Based Access Control (RBAC)

Border0 uses roles to grant specific administrative privileges to both Users and Service Accounts. All users must have one (and only one) of the following roles:

  • Admin: This role grants full privileges in the organization, including user, group, and service account management, as well as the ability to modify all configuration and settings.
  • Member: This role grants resource management privileges but not access management privileges. That is, members can create/read/update/delete sockets, policies, and connectors, but they cannot create/update/delete users, groups, directory services, or identity providers, nor modify any organization-level configuration.
  • Read Only: This role has full read privileges over the organization and no write privileges.
  • Client Access Only: This role has no privileges over an organization. It is the role that should be assigned to users who will only be clients of sockets in the organization. Note that access to sockets is managed through Border0 policies. Adding a user with this role to the organization is not sufficient to grant the user access to a socket as a client. The user or service account must be referenced in Policies attached to the desired socket for them to have access to the socket.