k0rdent Platform — RBAC & Permissions

Atlas Roles (Provider Console — Platform-Scoped)

Atlas operates in a single platform organization context. No customer org isolation needed.
Role | Description | Capabilities
--- | --- | ---
super_admin | Full platform control | All operations, system config
provider_admin | Organization management | Create/manage customer orgs, impersonate users, modify settings
provider_operator | Infrastructure operations | Provision servers, manage resources
provider_revenue | Business & revenue operations | View all data, analytics, billing, pricing, audit logs (read-only infra)
support | Customer support | Read-only access

Atlas Permission Matrix

Permission | super_admin | provider_admin | provider_operator | provider_revenue | support
--- | --- | --- | --- | --- | ---
system:* | | | | |
tenants:* | | | | |
servers:* | | | | |
servers:read | | | | |
clusters:* | | | | |
clusters:read | | | | |
projects:* | | | | |
projects:read | | | | |
analytics:read | | | | |
analytics:export | | | | |
billing:* | | | | |
pricing:write | | | | |
audit:read | | | | |
users:read | | | | |

Arc Roles (Customer Portal — Multi-Tenant)

Arc uses BetterAuth’s organization plugin for multi-tenancy. Roles exist at two levels: organization and project.

Organization Roles

Role | Scope | Description
--- | --- | ---
owner | All projects | Full org control, destructive actions, ownership transfer
admin | All projects | Org settings, billing, member management, all project access
member | Assigned projects | Implicit viewer on projects with 'org' visibility; view own usage

Owner vs Admin Boundary

Admins can build up, only owners can tear down. This prevents a rogue admin from nuking the org or locking out the account holder.
Action | Owner | Admin | Member
--- | --- | --- | ---
Delete organization | | |
Transfer ownership | | |
Downgrade/cancel billing plan | | |
Remove other admins | | |
Invite/promote to admin | | |
Manage billing methods & invoices | | |
View org-wide usage | | |
View own project usage | | |
All other org settings | | |
Create projects | | |
Access all projects | | |
Access assigned projects | | |

Project Roles

Role | Capabilities
--- | ---
admin | Full project control, manage project members, change visibility
member | Deploy, manage resources within project
viewer | Read-only access to project resources

Project Visibility

Value | Behavior
--- | ---
'org' (default) | All org members have implicit viewer access
'members_only' | Only explicit project members + org owner/admin can access

Access Control Matrix

Org Role | Project Visibility | Project Role | Access Level
--- | --- | --- | ---
owner | any | any | ✅ Full access
admin | any | any | ✅ Full access
member | org | none | ✅ Implicit viewer
member | members_only | none | ❌ No access
member | members_only | viewer | ✅ Read-only
member | members_only | member | ✅ Member
member | members_only | admin | ✅ Project admin

Permissions Schema

Arc Organization Permissions

const arcOrgRolePermissions = {
  owner: [
    'org:*',              // All org operations
    'org:delete',         // Delete organization
    'org:transfer',       // Transfer ownership
    'org:billing',        // Manage billing methods, invoices, plan
    'org:billing:usage:all', // View org-wide usage
    'org:members:admin',  // Invite/remove admins
    'projects:*',         // All project operations
    'clusters:*',         // All cluster operations
  ],
  admin: [
    'org:admin',          // Org settings
    'org:write',          // Modify org properties
    'org:billing',        // Manage billing methods, invoices
    'org:billing:usage:all', // View org-wide usage
    'org:members:admin',  // Invite/promote members
    'projects:*',         // All project operations
    'clusters:*',         // All cluster operations
  ],
  member: [
    'org:read',           // View org info
    'org:billing:usage:own', // View own project usage
    'projects:read',      // View org-visible projects
    'clusters:read',      // View clusters in accessible projects
  ],
};

Arc Project Permissions

const arcProjectRolePermissions = {
  admin: [
    'projects:admin',     // Full project control
    'projects:members',   // Manage project members
    'projects:settings',  // Change visibility, settings
    'clusters:*',         // All cluster operations in project
  ],
  member: [
    'clusters:read',      // View clusters
    'clusters:write',     // Deploy, manage resources
    'clusters:kubeconfig', // Access kubeconfig
  ],
  viewer: [
    'projects:read',      // View project info
    'clusters:read',      // View clusters (read-only)
  ],
};

Billing Permission Breakdown

Permission | Description | Owner | Admin | Member
--- | --- | --- | --- | ---
org:billing | Manage payment methods, invoices, plan changes | | |
org:billing:usage:all | View usage across all projects in org | | |
org:billing:usage:own | View usage for projects user belongs to | | |

First User & Default Behavior

Event | Result
--- | ---
User creates organization | User gets owner role
Org creation | Auto-creates a “default” project
Owner on default project | Auto-assigned as project admin
New project created | visibility: 'org' by default (can set members_only on creation)
Project creator | Auto-assigned as project admin

Schema Representation

// Organization membership (BetterAuth organization plugin)
organization_members {
  user_id       // FK → auth.users
  organization_id // FK → auth.organizations
  role          // 'owner' | 'admin' | 'member'
}

// Projects
projects {
  id
  organization_id // FK → auth.organizations
  name
  slug
  visibility    // 'org' | 'members_only' — default 'org'
  created_by    // FK → auth.users
  ...
}

// Project membership
project_members {
  user_id       // FK → auth.users
  project_id    // FK → projects
  role          // 'admin' | 'member' | 'viewer'
}

Permission Checking Logic

// Resolve effective access for a user on a project
function getProjectAccess(
  orgRole: 'owner' | 'admin' | 'member',
  projectVisibility: 'org' | 'members_only',
  projectRole?: 'admin' | 'member' | 'viewer' | null,
): 'admin' | 'member' | 'viewer' | 'none' {
  // Owner/admin get full access to everything
  if (orgRole === 'owner' || orgRole === 'admin') return 'admin';

  // Explicit project role always takes precedence
  if (projectRole) return projectRole;

  // Org members get implicit viewer on org-visible projects
  if (orgRole === 'member' && projectVisibility === 'org') return 'viewer';

  return 'none';
}
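The access-level resolver above only says which project role a user ends up with; the Owner vs Admin Boundary and the permission lists earlier on the page say what that role may actually do. The following is an added example (not k0rdent's own code) that combines the two: it re-implements getProjectAccess, copies the page's arcOrgRolePermissions and arcProjectRolePermissions, and resolves a concrete permission string with an assumed wildcard rule (a trailing ':*' grants every permission under that prefix; a non-wildcard entry grants only itself).

```typescript
// Added example, not k0rdent's own code: combine the org-role and project-role
// permission lists from this page into one effective-permission check.
type OrgRole = 'owner' | 'admin' | 'member';
type ProjectRole = 'admin' | 'member' | 'viewer';
type Visibility = 'org' | 'members_only';
// Copies of the page's arcOrgRolePermissions / arcProjectRolePermissions (comments dropped).
const orgPerms: Record<OrgRole, string[]> = {
  owner: ['org:*', 'org:delete', 'org:transfer', 'org:billing', 'org:billing:usage:all',
          'org:members:admin', 'projects:*', 'clusters:*'],
  admin: ['org:admin', 'org:write', 'org:billing', 'org:billing:usage:all',
          'org:members:admin', 'projects:*', 'clusters:*'],
  member: ['org:read', 'org:billing:usage:own', 'projects:read', 'clusters:read'],
};
const projectPerms: Record<ProjectRole, string[]> = {
  admin: ['projects:admin', 'projects:members', 'projects:settings', 'clusters:*'],
  member: ['clusters:read', 'clusters:write', 'clusters:kubeconfig'],
  viewer: ['projects:read', 'clusters:read'],
};

// Same resolution order as the page's getProjectAccess: org owner/admin first,
// then an explicit project role, then implicit viewer on 'org'-visible projects.
function getProjectAccess(orgRole: OrgRole, visibility: Visibility,
                          projectRole?: ProjectRole | null): ProjectRole | 'none' {
  if (orgRole === 'owner' || orgRole === 'admin') return 'admin';
  if (projectRole) return projectRole;
  if (visibility === 'org') return 'viewer';
  return 'none';
}

// Assumed wildcard semantics: a granted string matches on equality, or when it ends in
// ':*' and the wanted permission starts with the same prefix ('org:*' grants 'org:delete').
// A non-wildcard entry such as 'org:billing' does not imply 'org:billing:usage:all'.
function grants(granted: string, wanted: string): boolean {
  if (granted === wanted) return true;
  if (granted.slice(-2) !== ':*') return false;
  const prefix = granted.slice(0, -1);
  return wanted.slice(0, prefix.length) === prefix;
}
// Org-scoped ('org:...') permissions come only from the org role. Project-scoped ones
// ('projects:...', 'clusters:...') are reachable only through a resolved project access
// level, so a member with no role on a members_only project sees nothing there.
function can(orgRole: OrgRole, visibility: Visibility,
             projectRole: ProjectRole | null, wanted: string): boolean {
  const access = getProjectAccess(orgRole, visibility, projectRole);
  if (access === 'none' && wanted.slice(0, 4) !== 'org:') return false;
  const extra: string[] = access === 'none' ? [] : projectPerms[access];
  const effective = orgPerms[orgRole].concat(extra);
  return effective.some((g) => grants(g, wanted));
}
```

With these tables, can('admin', 'org', null, 'org:delete') is false while the same call for an owner is true, which is the "admins build up, only owners tear down" boundary expressed as a permission check.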