There are three levels of roles that can be bound to users or teams: organization, cluster, and Kubernetes.

Organization roles typically allow for access across the entire organization.
Organization Admin - enables global write access; by default the organization owner always has the Organization Admin role.
Organization Read - enables the subject to view everything in the organization, but not to edit, create, or delete anything.
Organization User Read - enables the subject to read all of the other users in the organization.
Infrastructure Admin - enables the subject to create, edit, and delete infrastructure resources, including providers, registries, and clusters.
Infrastructure Read - enables the subject to view all infrastructure resources.
Permissions Admin - enables the subject to grant permissions to other users and teams. This can also be constrained to a cluster.
Permissions Read - enables the subject to read the permissions of users and teams. This can also be constrained to a cluster.

Cluster roles typically allow for access to a specific cluster or to all clusters.
Cluster Admin - enables the subject to create clusters (requires Infrastructure Read), to SSH into them, and to perform full CRUD on all cluster resources.
Cluster Write - enables the subject to perform all actions except those that create or delete VMs.
Cluster SSH - enables the subject to SSH into the cluster and perform system-level operations.
Cluster Read - enables the subject to read the details and events of the cluster.

Kubernetes roles are typically bound to a specific cluster or namespace.
Kubernetes Read - enables the subject to read Kubernetes resources on a cluster, except secrets.
Kubernetes Secret Read - enables the subject to read Kubernetes resources on a cluster, including secrets.
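The role descriptions above amount to a scoped, deny-by-default RBAC model: a binding attaches a role to a user or team at organization, cluster, or namespace scope, and a request is allowed only if some binding's scope contains the request and its role carries the verb on that resource kind. The evaluator below is an added illustration of that model, not the platform's own code; the role-to-rule mapping is reconstructed from the descriptions on this page, and the resource kinds, verbs, scope encoding, team membership map and function names are assumptions. It also models the "requires Infrastructure Read" note on Cluster Admin as a prerequisite check, and includes an access-review helper that lists a user's effective rules at a given scope.

```python
"""Toy evaluator for the three role levels described above.

Added illustration, not the platform's own implementation: the role-to-rule
mapping is reconstructed from the prose; kinds, verbs, scope encoding and
function names are assumptions.
"""
from dataclasses import dataclass

CRUD = {"create", "read", "update", "delete"}
INFRA_KINDS = ("provider", "registry", "cluster")

# role -> {resource kind -> allowed verbs}; "*" is a wildcard (assumed rule format)
ROLES: dict[str, dict[str, set[str]]] = {
    # Organization roles (bound organization-wide; the Permissions roles may also be cluster-constrained)
    "Organization Admin": {"*": {"*"}},
    "Organization Read": {"*": {"read"}},
    "Organization User Read": {"user": {"read"}},
    "Infrastructure Admin": {k: set(CRUD) for k in INFRA_KINDS},
    "Infrastructure Read": {k: {"read"} for k in INFRA_KINDS},
    "Permissions Admin": {"binding": set(CRUD)},
    "Permissions Read": {"binding": {"read"}},
    # Cluster roles (bound to one cluster or to all clusters)
    "Cluster Admin": {"cluster": set(CRUD), "vm": set(CRUD), "ssh": {"use"}, "event": {"read"}},
    "Cluster Write": {"cluster": {"read", "update"}, "vm": {"read", "update"}, "event": {"read"}},
    "Cluster SSH": {"ssh": {"use"}},
    "Cluster Read": {"cluster": {"read"}, "event": {"read"}},
    # Kubernetes roles (bound to a cluster or a namespace); secrets are modelled as a separate kind
    "Kubernetes Read": {"k8s": {"read"}},
    "Kubernetes Secret Read": {"k8s": {"read"}, "secret": {"read"}},
}

# Creating a cluster additionally requires Infrastructure Read (the note on Cluster Admin);
# modelled as a prerequisite (kind, verb) that must also be granted.
PREREQUISITES = {("cluster", "create"): ("provider", "read")}


@dataclass(frozen=True)
class Binding:
    subject: str                 # user or team name
    role: str
    scope: tuple[str, ...] = ()  # () = organization, ("prod",) = cluster, ("prod", "dev") = namespace


def _rule_allows(rules: dict[str, set[str]], kind: str, verb: str) -> bool:
    for rule_kind, verbs in rules.items():
        if rule_kind in ("*", kind) and ("*" in verbs or verb in verbs):
            return True
    return False


def _subjects_for(user: str, teams: dict[str, set[str]]) -> set[str]:
    """A user acts through their own name plus every team they belong to."""
    return {user} | teams.get(user, set())


def _granted(bindings, subjects, verb, kind, scope) -> bool:
    for b in bindings:
        if b.subject not in subjects:
            continue
        if scope[: len(b.scope)] != b.scope:  # binding scope must contain the request scope
            continue
        if _rule_allows(ROLES[b.role], kind, verb):
            return True
    return False


def is_allowed(bindings, teams, user, verb, kind, scope=()) -> bool:
    """Deny by default; allow only if a binding grants the verb on the kind within scope
    and any prerequisite permission is held as well."""
    subjects = _subjects_for(user, teams)
    if not _granted(bindings, subjects, verb, kind, scope):
        return False
    prereq = PREREQUISITES.get((kind, verb))
    return prereq is None or _granted(bindings, subjects, prereq[1], prereq[0], scope)


def effective_rules(bindings, teams, user, scope=()) -> set[tuple[str, str]]:
    """Union of (kind, verb) pairs the user holds at `scope`; handy for access reviews."""
    subjects = _subjects_for(user, teams)
    out: set[tuple[str, str]] = set()
    for b in bindings:
        if b.subject in subjects and scope[: len(b.scope)] == b.scope:
            for kind, verbs in ROLES[b.role].items():
                out.update((kind, v) for v in verbs)
    return out


# Constructed sample data (not from the page)
TEAMS = {"dana": {"platform-team"}, "eli": {"app-team"}}
BINDINGS = [
    Binding("platform-team", "Infrastructure Read"),        # organization-wide
    Binding("platform-team", "Cluster Admin"),              # all clusters
    Binding("eli", "Kubernetes Read", ("prod", "shop")),    # a single namespace
    Binding("app-team", "Permissions Read", ("staging",)),  # cluster-constrained Permissions role
    Binding("omar", "Cluster Admin", ("staging",)),         # one cluster, no Infrastructure Read
]

if __name__ == "__main__":
    print("dana creates a cluster:", is_allowed(BINDINGS, TEAMS, "dana", "create", "cluster"))
    print("omar creates a cluster:", is_allowed(BINDINGS, TEAMS, "omar", "create", "cluster", ("staging",)))
    print("eli reads a secret in prod/shop:", is_allowed(BINDINGS, TEAMS, "eli", "read", "secret", ("prod", "shop")))
    print("eli's rules in prod/shop:", sorted(effective_rules(BINDINGS, TEAMS, "eli", ("prod", "shop"))))
```

Two behaviours worth noting: omar holds Cluster Admin on one cluster but no Infrastructure Read, so cluster creation is refused even though the role itself carries the verb; and eli's Kubernetes Read binding on one namespace grants nothing in a sibling namespace and nothing on secrets, which is exactly the distinction the Kubernetes Read and Kubernetes Secret Read descriptions draw.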

Additional Role Details
Visit the details page for a role to see each rule it contains. To reach the Role details page, click the role name within a permissions table. Permissions tables can be found on the Cluster, Organization, User, and Team pages.