Permission sets
Permission sets and their scope make up IAM rules, which define the access rights a principal (user, group or application) should have. A permission set consists of one or more permissions.
Permission set names describe their purpose. For example, the permission set that grants every action you can perform on Instances is called InstancesFullAccess.
Below is a list of the permission sets available at Scaleway.
Scoped by Organization
Permission set | Description |
---|---|
ProjectManager | Full access to Project management. This means access to create, rename, list and delete projects. It does not include access to Project resources |
ProjectReadOnly | Read access to Project management. Does not include access to Project resources |
IAMReadOnly | Read access to IAM. This means list and read access to users, groups, applications, policies, and API keys |
IAMManager | Full access to IAM. This means access to all possible actions for users, groups, applications, policies and API keys, plus all ProjectManager permissions |
BillingReadOnly | List and read access to billing information |
BillingManager | Full access to billing management. This means access to list, read and edit billing contact information, payment information, billing alerts and invoices |
OrganizationManager | Full access to Organization management. This means access to all possible actions for Projects, IAM, billing and support/abuse tickets. Does not include access to list and create resources. |
OrganizationReadOnly | Read access to the Organization’s general information (e.g. Organization ID and quotas) |
SupportTicketManager | Full access to support tickets. This means access to create, read and update support tickets in the Organization |
SupportTicketReadOnly | List and read access to support tickets |
AbuseTicketManager | Full access to abuse tickets. This means access to create, read and update abuse tickets in the Organization |
Important: Any user or application holding the IAMManager and/or OrganizationManager permission set is able to create policies granting themselves access to any other actions and resources within the Organization. Treat these two sets as full Organization administrator rights and grant them to as few principals as possible.
Scoped by Project
Permission set | Description |
---|---|
AllProductsFullAccess | Full access to create, read, list, edit and delete all resources (products) |
AllProductsReadOnly | Read access to list and read info for all resources (products) |
SSHKeysReadOnly | Read access to SSH keys |
SSHKeysFullAccess | Full access to SSH keys |
AppleSiliconReadOnly | List and read access to Apple Silicon |
AppleSiliconFullAccess | Full access to create, read, list, edit and delete Apple Silicon |
ElasticMetalReadOnly | List and read access to Elastic Metal |
ElasticMetalFullAccess | Full access to create, read, list, edit and delete Elastic Metal |
InstancesFullAccess | Full access to create, read, list, edit and delete Instances |
InstancesReadOnly | List and read access to Instances |
KubernetesReadOnly | List and read access to Kubernetes |
KubernetesFullAccess | Full access to create, read, list, edit and delete Kubernetes |
KubernetesExternalNodeRegister | Attach external nodes to a Kosmos cluster |
DediboxReadOnly | List and read access to Dedibox |
DediboxFullAccess | Full access to create, read, list, edit and delete Dedibox |
ContainersReadOnly | List and read access to Containers |
ContainersFullAccess | Full access to create, read, list, edit and delete Containers |
FunctionsReadOnly | List and read access to Functions |
FunctionsFullAccess | Full access to create, read, list, edit and delete Functions |
MessagingAndQueuingReadOnly | List and read access to Messaging |
MessagingAndQueuingFullAccess | Full access to create, read, list, edit and delete Messaging |
RelationalDatabasesReadOnly | List and read access to Managed Database for PostgreSQL and MySQL |
RelationalDatabasesFullAccess | Full access to create, read, list, edit and delete Managed Database for PostgreSQL and MySQL |
ObjectStorageReadOnly | List and read access to Object Storage |
ObjectStorageFullAccess | Full access to create, read, list, edit and delete Object Storage |
ObjectStorageObjectsRead | Read access to objects, tags, metadata and storage class |
ObjectStorageBucketsRead | Read access to buckets and bucket configuration including lifecycle rules |
ObjectStorageObjectsWrite | Access to create and edit objects, tags, metadata and storage class |
ObjectStorageObjectsDelete | Access to delete objects |
ObjectStorageBucketsWrite | Access to create and edit buckets, bucket configuration including lifecycle rules |
ObjectStorageBucketsDelete | Access to delete buckets |
RedisReadOnly | List and read access to Managed Database for Redis™ |
RedisFullAccess | Full access to create, read, list, edit and delete Managed Database for Redis™ |
PrivateNetworksFullAccess | Full access to create, read, list, edit and delete Private Networks |
VPCGatewayReadOnly | List and read access to Public Gateways |
VPCGatewayFullAccess | Full access to create, read, list, edit and delete Public Gateways |
LoadBalancersReadOnly | List and read access to Load Balancer |
LoadBalancersFullAccess | Full access to create, read, list, edit and delete Load Balancer |
DomainsDNSReadOnly | List and read access to Domains and DNS |
DomainsDNSFullAccess | Full access to create, read, list, edit and delete Domains and DNS |
ContainerRegistryReadOnly | List and read access to Container Registry |
ContainerRegistryFullAccess | Full access to create, read, list, edit and delete Container Registry |
IoTReadOnly | List and read access to IoT Hub |
IoTFullAccess | Full access to create, read, list, edit and delete IoT Hub |
ObservabilityReadOnly | List and read access to Observability |
ObservabilityFullAccess | Full access to create, read, list, edit and delete Observability |
TransactionalEmailReadOnly | List and read access to Transactional Email |
TransactionalEmailFullAccess | Full access to create, read, list, edit and delete Transactional Email |
TransactionalEmailDomainReadOnly | Read access to domains in Transactional Email. Does not include permissions for e-mails |
TransactionalEmailDomainFullAccess | Full access to domains in Transactional Email. Does not include permissions for e-mails |
TransactionalEmailEmailReadOnly | Read access to e-mails in Transactional Email. Does not include permissions for domain configuration |
TransactionalEmailEmailFullAccess | Full access to e-mails in Transactional Email. Does not include permissions for domain configuration |
WebHostingReadOnly | List and read access to Web Hosting |
WebHostingFullAccess | Full access to create, read, list, edit and delete Web Hosting |
SecretManagerReadOnly | List and read secrets’ metadata (name, tags, creation date, etc.). Does not include permissions for data (versions) accessing or editing |
SecretManagerFullAccess | Full access to create, read, list, edit and delete secrets in Secret Manager |
SecretManagerSecretAccess | Full access to secrets’ metadata and data (versions) in Secret Manager. Does not include permissions for data editing |
BlockStorageReadOnly | List and read access to Block Storage |
BlockStorageFullAccess | Full access to create, read, list, edit and delete Block Storage |
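The two tables above and the Important note on IAMManager and OrganizationManager can be turned into a simple policy audit: flag rules that grant privilege-escalating sets, rules that grant AllProductsFullAccess instead of a per-product set, and rules that apply an Organization-scoped set inside a Project scope. The script below is an added example, not Scaleway code or anything documented on this page. The rule dictionaries it consumes are constructed for the example and are assumed to mirror the field names of IAM rule objects (`permission_set_names`, `organization_id`, `project_ids`); that field layout and the placeholder IDs are assumptions, not taken from this page.

```python
"""Audit Scaleway IAM policy rules against the permission-set tables above.

Added example, not Scaleway code. The rule dicts are constructed sample data;
their field names are an assumption about the IAM rule object shape.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Permission sets listed under "Scoped by Organization" on this page.
ORG_SCOPED = frozenset({
    "ProjectManager", "ProjectReadOnly", "IAMReadOnly", "IAMManager",
    "BillingReadOnly", "BillingManager", "OrganizationManager",
    "OrganizationReadOnly", "SupportTicketManager", "SupportTicketReadOnly",
    "AbuseTicketManager",
})

# Holders of these sets can write policies granting themselves anything
# in the Organization (the Important note on this page).
ESCALATION_CAPABLE = frozenset({"IAMManager", "OrganizationManager"})

# Project-scoped sets that amount to full control of every product.
BROAD_PROJECT_SETS = frozenset({"AllProductsFullAccess"})


@dataclass(frozen=True)
class Finding:
    policy: str
    rule_index: int
    severity: str  # "high", "medium" or "low"
    message: str


def audit_rule(policy_name: str, idx: int, rule: dict) -> List[Finding]:
    """Return the findings for a single rule of a policy."""
    findings: List[Finding] = []
    names = set(rule.get("permission_set_names", []))
    org_id = rule.get("organization_id")
    project_ids = list(rule.get("project_ids") or [])

    if not org_id and not project_ids:
        findings.append(Finding(policy_name, idx, "low",
            "rule has neither organization_id nor project_ids; review or delete it"))

    for name in sorted(names & ESCALATION_CAPABLE):
        findings.append(Finding(policy_name, idx, "high",
            f"{name} lets the principal write policies granting itself any "
            "action in the Organization"))

    for name in sorted(names & BROAD_PROJECT_SETS):
        findings.append(Finding(policy_name, idx, "medium",
            f"{name} is full control of every product in the rule's Project(s); "
            "prefer per-product sets such as InstancesFullAccess"))

    # Organization-scoped sets do not belong in a rule scoped to Projects.
    if project_ids and not org_id:
        for name in sorted(names & ORG_SCOPED):
            findings.append(Finding(policy_name, idx, "medium",
                f"{name} is an Organization-scoped set but this rule is scoped "
                "to Projects"))
    return findings


def audit_policies(policies: Iterable[dict]) -> List[Finding]:
    """Audit every rule of every policy, preserving policy and rule order."""
    out: List[Finding] = []
    for pol in policies:
        for i, rule in enumerate(pol.get("rules", [])):
            out.extend(audit_rule(pol["name"], i, rule))
    return out


def highest_severity(findings: Iterable[Finding]) -> Optional[str]:
    """Worst severity present, or None when there are no findings."""
    order = {"high": 3, "medium": 2, "low": 1}
    worst = max(findings, key=lambda f: order[f.severity], default=None)
    return worst.severity if worst else None


# Constructed sample policies (placeholder IDs, not real Scaleway identifiers).
PROJECT = "11111111-1111-1111-1111-111111111111"
ORG = "22222222-2222-2222-2222-222222222222"
SAMPLE_POLICIES = [
    {"name": "ci-deploy", "rules": [  # least privilege: no findings expected
        {"project_ids": [PROJECT],
         "permission_set_names": ["ContainerRegistryFullAccess", "ContainersReadOnly"]}]},
    {"name": "ops-admin", "rules": [  # escalation-capable grant
        {"organization_id": ORG,
         "permission_set_names": ["IAMManager", "BillingReadOnly"]}]},
    {"name": "billing-dashboard", "rules": [  # Organization set in Project scope
        {"project_ids": [PROJECT],
         "permission_set_names": ["BillingReadOnly", "InstancesReadOnly"]}]},
    {"name": "catch-all", "rules": [  # over-broad set, then a rule with no scope
        {"project_ids": [PROJECT], "permission_set_names": ["AllProductsFullAccess"]},
        {"permission_set_names": ["InstancesReadOnly"]}]},
]

if __name__ == "__main__":
    for f in audit_policies(SAMPLE_POLICIES):
        print(f"[{f.severity}] {f.policy} rule {f.rule_index}: {f.message}")
```

The scope-mismatch check only encodes the page's own classification of which sets are Organization-scoped; it does not claim how the IAM API treats such a rule. To run it against a real account, replace `SAMPLE_POLICIES` with rule objects exported from IAM, keeping the same field names.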