Permissions

Permissions specify user access to data planes, capabilities, and applications. You can assign one or more permissions to individual users, teams, or IdP Groups based on your business needs.

Note: If you directly or indirectly update a user's permissions while that user is logged in, the user must reload the page for the changes to take full effect in the UI.

Control Plane Permissions

Owner

Users with this permission can:

  • Add users and assign permissions to other users including other owners.

  • Assign "Team Admin" permission.

  • Assign the "IdP Manager" permission, which allows a user to configure Single Sign-on.

  • Enable or disable Default IdP Sign in for any user.

  • View the registered data plane on the Data Planes page in read-only mode.

  • Assign permissions to self.

  • View the Home page with all data and access to the data plane monitoring widget.

  • Add, edit, and delete Global Observability resource configuration.

Team Admin

Users with this permission can:

  • Add, edit, and remove other users, except Owners or IdP Managers.

  • Assign and update permissions for other users, except Owners or IdP Managers.

  • View permissions assigned to users.

  • Enable or disable Default IdP Sign in for any user (including themselves), except IdP Managers or Owners.

  • View the Home page with all data and access to the data plane monitoring widget.

  • View Data Planes page in read-only mode.

  • Add, edit, and delete Global Observability resource configuration.

View permissions

Users with this permission can view the details of permissions assigned to other users by navigating to the User Management > Permissions tab.

IdP Manager

Users with this permission can configure Single Sign-on for the enterprise from the User Management > Configure SSO page.

Data plane Manager

Users with this permission can:

  • Register, manage, and de-register data planes.

  • Create, manage, and delete namespaces on a data plane.

  • View bare-metal applications and related details like machines, metrics, and so on.

  • View Global Observability resource configuration but cannot edit it.

  • View the Home page with all data and access to the data plane monitoring widget.

    Note: You must have the Application Manager or Application Viewer permission to view cloud applications under Assets on the Home page.
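The delegation boundaries between Owner and Team Admin described above, written as a small Python authorization check. This is an added example, not the product's own code or API: the permission names are the page's, while the User dataclass and the function names are constructed here. One reading of the list is also encoded as an assumption: because assigning Owner, Team Admin and IdP Manager is listed only under Owner, granting those permissions is treated as an Owner-only action.

```python
"""Delegation rules of the control-plane permissions, as a Python model.

Added example (not the product's code).  Assumption: permissions whose
assignment is listed only under Owner (Owner, Team Admin, IdP Manager)
can be granted only by an Owner.
"""
from dataclasses import dataclass
from typing import FrozenSet

OWNER = "Owner"
TEAM_ADMIN = "Team Admin"
VIEW_PERMISSIONS = "View permissions"
IDP_MANAGER = "IdP Manager"
DATA_PLANE_MANAGER = "Data plane Manager"

# Assumption (see module docstring): only an Owner may grant these.
OWNER_ONLY_GRANTS = frozenset({OWNER, TEAM_ADMIN, IDP_MANAGER})

# Users a Team Admin may not add, edit, remove, or re-permission, and whose
# Default IdP Sign in a Team Admin may not toggle.
PROTECTED_FROM_TEAM_ADMIN = frozenset({OWNER, IDP_MANAGER})


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str] = frozenset()


def can_manage_user(actor: User, target: User) -> bool:
    """Add/edit/remove a user and toggle their Default IdP Sign in.

    Owner: any user, including other Owners and the Owner themselves.
    Team Admin: any user (including themselves) who is neither an Owner
    nor an IdP Manager.  Everyone else: nobody.
    """
    if OWNER in actor.permissions:
        return True
    if TEAM_ADMIN in actor.permissions:
        return not (target.permissions & PROTECTED_FROM_TEAM_ADMIN)
    return False


def can_grant(actor: User, target: User, permission: str) -> bool:
    """Assign `permission` to `target`: the actor must be allowed to manage
    the target, and Owner-only permissions additionally need an Owner."""
    if not can_manage_user(actor, target):
        return False
    if permission in OWNER_ONLY_GRANTS:
        return OWNER in actor.permissions
    return True


if __name__ == "__main__":
    # Constructed sample users.
    alice = User("alice", frozenset({OWNER}))
    bob = User("bob", frozenset({TEAM_ADMIN}))
    carol = User("carol", frozenset({IDP_MANAGER}))
    dave = User("dave", frozenset({VIEW_PERMISSIONS}))
    print("bob edits carol:", can_manage_user(bob, carol))          # False
    print("bob grants dave Team Admin:", can_grant(bob, dave, TEAM_ADMIN))  # False
    print("alice grants dave Owner:", can_grant(alice, dave, OWNER))         # True
```

The check is deliberately split in two: can_manage_user answers "may this actor touch that account at all", and can_grant layers the Owner-only grants on top, so a Team Admin can never escalate a user (or themselves) into an Owner, Team Admin or IdP Manager even though they can otherwise assign permissions.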

Data Plane and Capability Permissions

Note: The following permissions apply to the data planes or capabilities that you select when assigning the permission. To assign the permission for all current data planes and any data planes registered in the future, select the All current and future Data Planes checkbox.

Capability Manager

Users with this permission can:

  • Provision and de-provision capabilities.

  • Read-only access to all data planes.

  • List namespaces on a data plane.

  • View the Home page with all data and click widgets on the Home page for details.

    Note: In the Assets list on the Home page, you must have the Application Manager or Application Viewer permission to view cloud applications, and only the view applications permission to view bare-metal applications.
Application Manager

Users with this permission can:

  • View, deploy, undeploy, and delete applications of the capabilities.

  • Add, edit, and delete tags for applications, data planes, and capabilities.

  • Can be scoped to a specific namespace within a data plane. When namespace-scoped, users can only view, deploy, undeploy, and delete applications within the assigned namespace(s). They can also list namespaces on a data plane.

  • View the Home page with all data and click widgets on the Home page for details.

    Note: In the Cloud Assets list on the Home page, users can only view applications from the data plane or Capability to which the user has access.
Application Viewer

Users with this permission can:

  • Read-only access to all the applications of the capability.

  • Can be scoped to a specific namespace within a data plane. When namespace-scoped, users have read-only access to applications within the assigned namespace(s) only. They can also list namespaces on a data plane.

  • View the Home page with all data. Users cannot click any widget for details.

    Note: In the Cloud Assets list on the Home page, users can only view applications from the data plane or Capability to which they have access.

Product Permissions

Users can be granted either READ (view-only) or WRITE (full management) access to specific domains in a Control Tower data plane, ensuring that they can only interact with resources according to the permissions assigned. For more information, see Role-Based Access Control (RBAC) for Domains in Control Tower.

Namespace Level Permissions

Application Manager and Application Viewer permissions can optionally be scoped to a specific namespace within a Kubernetes data plane. This enables multi-team environments where each team manages applications only in its assigned namespaces. You can also select one of the following checkboxes to apply the assignment to multiple namespaces.

  • All current and future capabilities and namespaces: Selects all capabilities AND all namespaces for this data plane.

  • Apply selected namespace permission to all current and future capabilities: Applies the currently selected namespaces across all capabilities at once.

  • All current and future namespaces: Grants access across all current and future namespaces for that capability and the data plane.

Namespace Permission Scoping Combinations

Scope                  | Capability                 | Namespace                         | Access
Data Plane level       | All                        | All                               | All applications in all namespaces
Capability-scoped      | Specific (for example, BW) | All                               | All applications for that capability across all namespaces
Namespace-scoped       | All                        | Specific (for example, ns-team-a) | All applications in that namespace regardless of capability
Capability + Namespace | Specific (for example, BW) | Specific (for example, ns-team-a) | Only applications for that capability in that namespace
Note: Data plane Manager retains access to all namespaces. No additional namespace-level assignment is needed for existing users.
Note: Namespace-level permissions apply only to Kubernetes data planes, not Control Tower data planes.
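The four scoping combinations in the table above, carried through in a Python model so the rows can be checked against concrete assignments. This is an added example, not the product's own code or API: Assignment, Application, application_access, can_manage_namespaces and can_list_namespaces are names constructed here, and None stands for the "All current and future ..." checkboxes. Only Kubernetes data planes are modelled, since namespace-level permissions do not apply to Control Tower data planes.

```python
"""Namespace and capability scoping of Application Manager/Viewer grants,
as a Python model.  Added example, not the product's code; the data
shapes and function names are constructed here.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

APP_MANAGER = "Application Manager"
APP_VIEWER = "Application Viewer"
CAPABILITY_MANAGER = "Capability Manager"
DATA_PLANE_MANAGER = "Data plane Manager"

ALL = None  # stands for the "All current and future ..." checkboxes


@dataclass(frozen=True)
class Assignment:
    """One permission grant on one Kubernetes data plane, optionally scoped."""
    permission: str
    data_plane: str
    capabilities: Optional[FrozenSet[str]] = ALL  # e.g. frozenset({"BW"})
    namespaces: Optional[FrozenSet[str]] = ALL    # e.g. frozenset({"ns-team-a"})


@dataclass(frozen=True)
class Application:
    data_plane: str
    capability: str
    namespace: str


def _in_scope(scope: Optional[FrozenSet[str]], value: str) -> bool:
    return scope is ALL or value in scope


def application_access(assignments: Iterable[Assignment], app: Application) -> str:
    """Return "write" (view, deploy, undeploy, delete), "read" (view only)
    or "none" for one application.

    Each assignment is matched on data plane, then capability scope, then
    namespace scope; the four rows of the table are the four combinations
    of ALL/specific for the last two.  The most permissive match wins.
    """
    best = "none"
    for a in assignments:
        if a.data_plane != app.data_plane:
            continue
        if a.permission not in (APP_MANAGER, APP_VIEWER):
            continue  # other permissions do not grant application access
        if not _in_scope(a.capabilities, app.capability):
            continue
        if not _in_scope(a.namespaces, app.namespace):
            continue
        if a.permission == APP_MANAGER:
            return "write"
        best = "read"
    return best


def can_manage_namespaces(assignments: Iterable[Assignment], data_plane: str) -> bool:
    """Create, manage, and delete namespaces: Data plane Manager only.  It
    retains access to all namespaces, so no namespace scope is consulted."""
    return any(a.permission == DATA_PLANE_MANAGER and a.data_plane == data_plane
               for a in assignments)


def can_list_namespaces(assignments: Iterable[Assignment], data_plane: str) -> bool:
    """List namespaces: any Data plane Manager, Capability Manager,
    Application Manager or Application Viewer assignment on the data plane."""
    listing = (DATA_PLANE_MANAGER, CAPABILITY_MANAGER, APP_MANAGER, APP_VIEWER)
    return any(a.permission in listing and a.data_plane == data_plane
               for a in assignments)


if __name__ == "__main__":
    # Constructed sample: team A manages only its namespace, any capability.
    team_a = [Assignment(APP_MANAGER, "dp-k8s", ALL, frozenset({"ns-team-a"}))]
    print(application_access(team_a, Application("dp-k8s", "Flogo", "ns-team-a")))  # write
    print(application_access(team_a, Application("dp-k8s", "BW", "ns-team-b")))     # none
```

Two points the model makes visible: a namespace-scoped grant with "all capabilities" reaches every capability's applications in that namespace (third row), while a capability-plus-namespace grant is the intersection, not the union (fourth row); and when a user holds several grants, a broader Viewer grant and a narrower Manager grant combine to read everywhere the Viewer grant reaches and write only where the Manager grant reaches.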

TIBCO Developer Hub does not require namespace-level permissions. It only shows "Grant Application Manager/Viewer permission" without a namespace picker. Only capabilities that deploy applications into Kubernetes namespaces (BW5, BW6, Flogo) display the namespace picker.

For more information, see Managing Namespaces.