This page describes the different types of permissions and access rights Upbound Enterprise customers can setup in Upbound Cloud. Permissions apply to control planes and repositories.

Upbound users with an Upbound account who aren't a member of an organization won't ever need to set permissions. Their control planes are only accessible by them, and their repositories can be either public or only accessible by them. However, for Upbound Enterprise customers, control planes and repositories permissions can be set on a per-team basis.

Permission Types

To create your first permission, navigate to a team and select the Permissions tab. You'll be presented the choice of creating a permission for one of your control planes connected or hosted by Upbound Cloud, or a repository permission.

  • Control Planes: Permissions on control planes grant users CRUD rights to them. For information on how Upbound Cloud uses these permissions and impersonates actions, see our security documentation.
  • Repositories: Repositories in Upbound Cloud are what power Upbound Registry listings. To list something, publicly or privately, in Upbound Registry, users need to create a Repository and push a package to it first.

Who can set permissions?

Users who've created an organization can set permissions for anyone on their team.

  • Organization owners: Users who have created an organization can set permissions for anyone on their team on any control plane or repository.
  • Team owners: Team owners are members of the team whose role is Owner. While team owners can change team membership, they are still fundamentally members of the team. They don't get any special access to control planes or repositories outside of what's been granted to the team.

What do permissions give me?

Control planes have three different permission types: Owner, Editor, and Viewer. View the security documentation to learn more about the RBAC roles Upbound Cloud creates based on these permissions levels.

Repositories have Admin, Write, and Read permissions. Each grants teams different capabilities in Upbound Cloud.

  • Control Planes
    • Owner: Owners can delete or disconnect the control plane, change it's name, and edit it's description.
    • Editor: Editors can change control plane name and description.
    • Viewer: Viewers can see control plane resources and consume them.
  • Repositories
    • Admin: Repository admins can push to, rename, and delete packages in a repository. Admins can also delete or rename the repository as well as set it to public or private.
    • Write: Teams with write permissions can push packages to their repository. These packages will update the Registry listing generated from the repository.
    • Read: Users in teams with Read permission can consume the packages in the repository. They will be able to view the private listing generated from the repository when browsing Upbound Registry, if the repository is set as private.