#Manage Roles

#View Platform Roles (Read-Only)

Platform roles remain the canonical templates for core functionality.

1. In the left navigation bar, click Users > Platform Roles.
2. Use the list filters to locate a role. The Role Type column now shows Platform, Project, Namespace, or Cluster.
3. Click the role name to open the detail page.
4. Switch to the YAML tab to inspect the exact definition. Use Download YAML if you need to archive the spec.

#Grant a Platform Role to Users via Console

1. In the left navigation bar, click Users > Platform Roles.
2. Click the role name to open the detail page.
3. Switch to the Members tab.
4. Click Import Members.
5. You can select users from the platform and import them to the role as members.

#Grant a Platform Role to Users via YAML

You can submit the following YAML in the global cluster to grant a specific platform role to a user.

apiVersion: auth.alauda.io/v1 kind: UserBinding metadata: annotations: auth.cpaas.io/role.display-name: Platform Admin # Display name of the role to be assigned auth.cpaas.io/user.email: bxliu@alauda.io # Username of the user to grant the role to labels: auth.cpaas.io/role.display-name: "" # Display name of the role to be assigned auth.cpaas.io/role.level: platform # Scope of the role: platform, project, namespace, or cluster auth.cpaas.io/role.name: acp-platform-admin # Name of the role to be assigned auth.cpaas.io/user.email: 569526aac97a17ce8c1c185d7544aae4 # MD5 hash of the Username cpaas.io/cluster: "" # Name of the cluster; required when role level is namespace or cluster, leave empty for platform or project cpaas.io/namespace: "" # Name of the namespace; required when role level is namespace, leave empty for platform, project, or cluster cpaas.io/project: "" # Name of the project; required when role level is project or namespace, leave empty for platform or cluster name: dc30204c17c7fe8b15383f4ed7798c88 # Name of the UserBinding resource; can be customized

#View and Update a Kubernetes Role via YAML

1. Navigate to Users > Platform Roles > Kubernetes Roles.
2. Search by name or label.
3. Click the role name, then open the YAML tab.
4. Click Edit, modify the manifest (labels, annotations, or rules), and click Save.
5. Review the RoleBindings tab to ensure existing bindings still meet your expectations.

#Delete a Kubernetes Role

1. On the Kubernetes Roles list, click the overflow menu (…) next to the role.
2. Select Delete Role.
3. Confirm the role name to proceed.

Deleting a role removes it from the cluster. You must also clean up any RoleBindings that referenced the role. The UI will show a warning if bindings are still present.

#Manage RoleBindings

#From the Role Perspective

1. Open a role (Role or ClusterRole) from the Kubernetes Roles tab.
2. Go to the RoleBindings tab.
3. Use the search bar (supports name and label filters) to locate existing bindings.
4. Actions:
   • Create RoleBindings: Launches the creation wizard.
   • Update Role: Opens the YAML editor for the role itself.
   • Delete Binding: Removes the RoleBinding/ClusterRoleBinding after confirmation.

#From Users or User Groups

1. Open Users (or User Groups) and select the desired entry.
2. Switch to the Kubernetes Roles tab.
3. Review all RoleBindings associated with the user/group across clusters.
4. Click Add RoleBinding, choose:
   • Cluster
   • Binding type (RoleBinding/ClusterRoleBinding)
   • Role/ClusterRole
   • Namespace (for RoleBinding)
   • Subject details
5. Save the binding.

This workflow complements the existing Platform Roles tab, which is still used to attach system roles to users.

#Best Practices

• Use staging clusters to validate YAML changes before applying them to production.
• Keep role definitions under version control (for example, export them into Git) so that changes remain auditable.
• When in doubt about required permissions, start from a system role`s YAML, copy it locally, and adapt it as a Kubernetes role through the new UI.