Skip to main content

Managers

ZITADEL Managers are Users who have permission to manage ZITADEL itself. This means that those users are allowed to login into your instance console and edit certain parts of the configuration. There are some different levels for managers.

  • IAM Managers: This is the highest level. Users with IAM Manager roles are able to manage the whole Instance.
  • Org Managers: Managers in the Organization Level are able to manage everything within the granted Organization.
  • Project Mangers: In this level the user is able to manage a project.
  • Project Grant Manager: The project grant manager is for projects, which are granted of another organization.

To configure managers in ZITADEL go to the resource where you like to add it (e.g Instance, Organization, Project, GrantedProject). In the right part of the console you can finde MANAGERS in the details part. Here you have a list of the current managers and can add a new one.

Managers

When adding a new manager, you can select multiple roles some of which are only allowed to read data. This can be especially useful if you add service users for one of your projects where you only need read access.

Per default you will only search for users within the selected organization. If you like to give a role to a user outside the organization you need to switch to the global search and type the exact loginname of the users. This will prevent allowing users to guess users from other organizations.

Managers

Roles

NameRoleDescription
IAM OwnerIAM_OWNERManage the IAM, manage all organizations with their content
IAM Owner ViewerIAM_OWNER_VIEWERView the IAM and view all organizations with their content
IAM Org ManagerIAM_ORG_MANAGERManage all organizations including their policies, projects and users
IAM User ManagerIAM_USER_MANAGERManage all users and their authorizations over all organizations
Org OwnerORG_OWNERManage everything within an organization
Org Owner ViewerORG_OWNER_VIEWERView everything within an organization
Org User ManagerORG_USER_MANAGERManage users and their authorizations within an organization
Org User Permission EditorORG_USER_PERMISSION_EDITORManage user grants and view everything needed for this
Org Project Permission EditorORG_PROJECT_PERMISSION_EDITORGrant Projects to other organizations and view everything needed for this
Org Project CreatorORG_PROJECT_CREATORThis role is used for users in the global organization. They are allowed to create projects and manage them.
Project OwnerPROJECT_OWNERManage everything within a project. This includes to grant users for the project.
Project Owner ViewerPROJECT_OWNER_VIEWERView everything within a project.
Project Owner GlobalPROJECT_OWNER_GLOBALSame as PROJECT_OWNER, but in the global organization.
Project Owner Viewer GlobalPROJECT_OWNER_VIEWER_GLOBALSame as PROJECT_OWNER_VIEWER, but in the global organization.
Project Grant OwnerPROJECT_GRANT_OWNERSame as PROJECT_OWNER but for a granted proejct.

Configure roles

If you run a self hosted ZITADEL istance you can define your custom roles by overwriting the defaults.yaml In the InternalAuthZ section you will find all the roles and which permissions the have.

Example:

InternalAuthZ:
RolePermissionMappings:
- Role: "IAM_OWNER"
Permissions:
- "iam.read"
- "iam.write"