This topic describes the default roles of OceanBase Cloud Platform (OCP) and their permissions.
Default OCP roles are built-in roles and cannot be deleted or edited.
The following table describes all default OCP roles:
| Role | Description | Permission |
|---|---|---|
| ADMIN | The system administrator role in OCP. This role has the maximum permissions in OCP. | ** |
| ALARM_MANAGER | The management role for alerts in OCP. This role has management permissions on alerts and subscriptions and read-only permissions on the associated resources, including clusters, tenants, hosts, and users. | ALARM:*:*, CLUSTER:*:READ, TENANT:*:READ, HOST:*:READ, USER:*:READ |
| ALARM_VIEWER | The read-only role for alerts in OCP. This role has read-only permissions on alerts, subscriptions, and the associated resources, such as clusters, tenants, hosts, and users. | ALARM:*:READ, CLUSTER:*:READ, TENANT:*:READ, HOST:*:READ, USER:*:READ |
| AUDIT_VIEWER | This role has permissions to view the OCP audit history, all historical audit events, and the user names and user IDs of all operators. | AUDIT:*:READ |
| BACKUP_MANAGER | The management role for cluster backup and recovery. This role has permissions to manage the backup and recovery of all clusters and tenants managed by OCP, read-only permissions on hosts and alerts, and management permissions on tasks and software packages. To add a host, you must also have the HOST_MANAGER role. | CLUSTER:*:BACKUP:*:*, CLUSTER:*:READ, CLUSTER:*:TENANT:*:READ, HOST:*:READ, ALARM:*:READ, TASK:*:*, PACKAGE:*:* |
| CLUSTER_MANAGER | The management role for clusters. This role has permissions to manage all OceanBase clusters and OBProxy clusters managed by OCP and the resources associated with these clusters, such as hosts, background tasks, alerts, and software packages, and read-only permissions on users, which are a type of resource indirectly associated with the clusters. | CLUSTER:*:*, HOST:*:*, TASK:*:*, ALARM:*:*, USER:*:READ, PACKAGE:*:*, OBPROXY:*:* |
| CLUSTER_VIEWER | The read-only role for clusters. This role has read-only permissions on all OceanBase clusters and OBProxy clusters managed by OCP and the resources associated with these clusters, such as hosts, background tasks, alerts, and software packages. | CLUSTER:*:READ, HOST:*:READ, TASK:*:READ, ALARM:*:READ, PACKAGE:*:READ, OBPROXY:*:READ |
| HOST_MANAGER | The management role for hosts in OCP. This role has permissions to manage all hosts and the resources (software packages) associated with these hosts. | HOST:*:*, PACKAGE:*:* |
| HOST_VIEWER | The read-only role for hosts in OCP. This role has permissions to view all hosts and the resources (software packages) associated with these hosts. | HOST:*:READ, PACKAGE:*:READ |
| INSPECTION_MANAGER | The inspection manager role has the permission to read and write inspection rules and scripts, and to execute inspection rules. | INSPECTION:*:* |
| OBPROXY_MANAGER | The management role for OBProxy. This role has read-only permissions on all OBProxy clusters, the associated resources, and hosts, and permissions to manage software packages. | OBPROXY:*:*, PACKAGE:*:*, CLUSTER:*:READ, HOST:*:READ |
| OBPROXY_VIEWER | The read-only role for OBProxy. This role has read-only permissions on all OBProxy clusters managed by OCP and the associated resources, such as clusters, hosts, and software packages. | OBPROXY:*:READ, PACKAGE:*:READ, CLUSTER:*:READ, HOST:*:READ |
| PACKAGE_MANAGER | The role for management of software packages. | PACKAGE:*:* |
| PACKAGE_VIEWER | The role has read-only permission for software packages. | PACKAGE:*:READ |
| PROFILE | The personal profile role for OCP users. Removal of this basic user permission may result in read-only permission for all other modules. This role is used for logon and access to User Center. | PROFILE:*:* |
| PROPERTY_MANAGER | The management role for the parameters in the system configuration of OCP. | PROPERTY:*:* |
| ROLE_MANAGER | This role manages OCP roles. | ROLE:*:* |
| TASK_MANAGER | The management role for background tasks in OCP. | TASK:*:* |
| TENANT_MANAGER | The management role for tenants. This role has permissions to manage all the OceanBase tenants managed by OCP and read-only permissions on resources associated with the tenants, such as OceanBase clusters, hosts of OBProxy clusters, background tasks, and alerts. | CLUSTER:*:TENANT:*:*, CLUSTER:*:READ, HOST:*:READ, TASK:*:READ, ALARM:*:READ, OBPROXY:*:READ |
| TENANT_VIEWER | The read-only role for tenants. This role has read-only permissions on all OceanBase tenants managed by OCP and the resources associated with the tenants, such as OceanBase clusters, OBProxy clusters, hosts, background tasks, and alerts. | CLUSTER:*:TENANT:*:READ, CLUSTER:*:READ, HOST:*:READ, TASK:*:READ, ALARM:*:READ, OBPROXY:*:READ |
| USER_MANAGER | The role that manages OCP users. | USER:*:*, ROLE:*:READ |