Role-Based Access Control (RBAC) for Domains in Control Tower
Overview
Control Tower supports Role-Based Access Control (RBAC) at the domain level within the Dataplane. A Dataplane can contain multiple domains, and user permissions can be assigned per domain to control access and actions.
RBAC ensures that users can either view or manage domain resources based on the roles assigned to them.
Domain-Level Roles
For each domain, a user can be assigned one of the following roles:
| Role | Description |
|---|---|
| READ | Grants view-only access to the domain |
| WRITE | Grants full management access to the domain |
Permission Assignment Model
Per-Domain Permissions
- Permissions are assigned per domain under the User Management section.
- A user may have different roles across different domains.
Wildcard Permission (Current and Future Domains)
In addition to per-domain assignments, Control Tower provides a wildcard permission: the “Current and Future Domains” check box. When selected:
- The chosen role (READ or WRITE) applies to all existing domains
- The same role is automatically applied to any domains created in the future
This eliminates the need to manually update permissions whenever a new domain is added.
Effective Permission Evaluation
When permissions are evaluated:
- Explicit per-domain permissions take precedence
- If no explicit permission exists for a domain, the wildcard permission (if configured) is applied
- If neither exists, the user has no access to that domain
Domain Capabilities by Role
READ Permission
Users with READ access can:
- View domain details
- View applications and configurations
- View deployment and configuration status
Users with READ access cannot:
- Create domains
- Deploy applications
- Configure or update applications
- Perform any write or mutating operations
All write-related actions are disabled in the UI.
WRITE Permission
Users with WRITE access can:
- Create and manage domains
- Deploy applications
- Configure and update applications
- Perform all domain-related operations
WRITE includes all READ capabilities.
UI Behavior
| Action | READ | WRITE |
|---|---|---|
| View domain details | Yes | Yes |
| Create an application | No | Yes |
| Deploy application | No | Yes |
| Configure application | No | Yes |
| Modify service instance settings | No | Yes |
- Disabled actions are visibly unavailable in the UI for READ users
- Attempted API calls for unauthorized actions are rejected by backend authorization checks
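The effective-permission evaluation order described above (explicit per-domain role, then the "Current and Future Domains" wildcard, then no access) and the backend authorization check that must back up the disabled UI controls, written out as an added example. This is illustrative code, not Control Tower's own implementation; the action names, the `UserPermissions` shape and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class Role(IntEnum):
    # WRITE includes all READ capabilities, so ordering the roles lets us compare them
    READ = 1
    WRITE = 2


# Hypothetical action names; READ-only actions versus mutating actions that need WRITE
READ_ACTIONS = {"view_domain", "view_applications", "view_status"}
WRITE_ACTIONS = {"create_application", "deploy_application",
                 "configure_application", "modify_service_instance"}


@dataclass
class UserPermissions:
    per_domain: Dict[str, Role] = field(default_factory=dict)  # explicit per-domain roles
    wildcard: Optional[Role] = None  # role granted via "Current and Future Domains", if checked


def effective_role(perms: UserPermissions, domain: str) -> Optional[Role]:
    """Resolve the role for one domain: explicit assignment wins, then wildcard, else None."""
    if domain in perms.per_domain:
        return perms.per_domain[domain]
    return perms.wildcard  # None when the wildcard is not configured


def authorize(perms: UserPermissions, domain: str, action: str) -> bool:
    """Backend check: the UI hiding a button is not enforcement, this decision is."""
    role = effective_role(perms, domain)
    if role is None:
        return False  # no explicit role and no wildcard: no access at all
    if action in READ_ACTIONS:
        return role >= Role.READ
    if action in WRITE_ACTIONS:
        return role >= Role.WRITE
    return False  # unknown action: deny by default rather than guess


# Constructed sample users (not real accounts)
ALICE = UserPermissions(per_domain={"prod": Role.READ}, wildcard=Role.WRITE)
BOB = UserPermissions(per_domain={"dev": Role.WRITE})  # no wildcard

if __name__ == "__main__":
    # Explicit READ on "prod" is not elevated by the WRITE wildcard
    print(effective_role(ALICE, "prod"), authorize(ALICE, "prod", "deploy_application"))
    # A domain created later falls under Alice's wildcard, Bob has no access to it
    print(effective_role(ALICE, "staging-2"), effective_role(BOB, "staging-2"))
```

Note that Alice's explicit READ on "prod" stays READ even though her wildcard is WRITE, because explicit assignments take precedence.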