ZITADEL Docs
Configure Identity & PoliciesRoles & Permissions

ZITADEL Managers

Managers are human users or service users who have permission to manage resources within ZITADEL.

Manager permissions can be assigned to different levels in ZITADEL:

  • IAM Managers: This is the highest level. Users with IAM Administrator roles are able to manage the whole Instance.
  • Org Managers: Managers in the Organization Level are able to view or manage everything, according to their permissions, within the granted Organization.
  • Project Mangers: In this level the user is able to manage a project.
  • Project Grant Manager: The project grant manager is for granted projects by another organization.

The scope of the managers is restricted based on their level. Which means that a Manager, assigned to one organization, will have access only to the resources and configurations of that organization. Only the Managers on the instance level can view resources, such as users, across all organizations.

To configure managers in ZITADEL go to the resource where you like to add it (e.g Instance, Organization, Project, GrantedProject). In the right part of the management console you can find MANAGERS in the details part. Here you have a list of the current managers and can add a new one.

Managers

When adding a new manager, you can select multiple roles some of which are only allowed to read data. This can be especially useful if you add service users for one of your projects where you only need read access.

Per default you will only search for users within the selected organization. If you like to give a role to a user outside the organization you need to switch to the global search and type the exact loginname of the users. This will prevent users from guessing users from other organizations.

Managers

Roles

NameRoleDescription
IAM OwnerIAM_OWNERManage the IAM, manage all organizations with their content
IAM Owner ViewerIAM_OWNER_VIEWERView the IAM and view all organizations with their content
IAM Org ManagerIAM_ORG_MANAGERManage all organizations including their policies, projects and users
IAM User ManagerIAM_USER_MANAGERManage all users and their authorizations over all organizations
IAM Admin ImpersonatorIAM_ADMIN_IMPERSONATORAllow impersonation of admin and end users from all organizations
IAM ImpersonatorIAM_END_USER_IMPERSONATORAllow impersonation of end users from all organizations
IAM Login ClientIAM_LOGIN_CLIENTGet all permissions needed to implement your own Login UI.
Org OwnerORG_OWNERManage everything within an organization
Org Owner ViewerORG_OWNER_VIEWERView everything within an organization
Org User ManagerORG_USER_MANAGERManage users and their authorizations within an organization
Org User Permission EditorORG_USER_PERMISSION_EDITORManage user grants and view everything needed for this
Org Project Permission EditorORG_PROJECT_PERMISSION_EDITORGrant Projects to other organizations and view everything needed for this
Org Project CreatorORG_PROJECT_CREATORThis role is used for users in the global organization. They are allowed to create projects and manage them.
Org Admin ImpersonatorORG_ADMIN_IMPERSONATORAllow impersonation of admin and end users from the organization
Org ImpersonatorORG_END_USER_IMPERSONATORAllow impersonation of end users from the organization
Project OwnerPROJECT_OWNERManage everything within a project. This includes to grant users for the project.
Project Owner ViewerPROJECT_OWNER_VIEWERView everything within a project.
Project Owner GlobalPROJECT_OWNER_GLOBALSame as PROJECT_OWNER, but in the global organization.
Project Owner Viewer GlobalPROJECT_OWNER_VIEWER_GLOBALSame as PROJECT_OWNER_VIEWER, but in the global organization.
Project Grant OwnerPROJECT_GRANT_OWNERSame as PROJECT_OWNER but for a granted project.

Configure roles

If you run a self hosted ZITADEL instance you can define your custom roles by overwriting the defaults.yaml In the InternalAuthZ section you will find all the roles and which permissions they have.

Example:

InternalAuthZ:
  RolePermissionMappings:
    - Role: "IAM_OWNER"
      Permissions:
        - "iam.read"
        - "iam.write"

Manager Permission Matrix

This table is generated dynamically from our configuration file.

PermissionIAM ADMIN IMPERSONATORIAM END USER IMPERSONATORIAM LOGIN CLIENTIAM ORG MANAGERIAM OWNERIAM OWNER VIEWERIAM USER MANAGERORG ADMIN IMPERSONATORORG END USER IMPERSONATORORG OWNERORG OWNER VIEWERORG PROJECT CREATORORG PROJECT PERMISSION EDITORORG SETTINGS MANAGERORG USER MANAGERORG USER PERMISSION EDITORORG USER SELF MANAGERPROJECT GRANT OWNERPROJECT GRANT OWNER VIEWERPROJECT OWNERPROJECT OWNER GLOBALPROJECT OWNER VIEWERPROJECT OWNER VIEWER GLOBALSELF MANAGEMENT GLOBALSYSTEM OWNERSYSTEM OWNER VIEWER
action.execution.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
action.execution.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
action.target.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
action.target.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
action.target.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
admin.impersonationNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
events.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.createNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.user.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.user.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.user.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
group.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.action.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.action.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.action.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.debug.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.debug.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.feature.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.feature.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.feature.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.flow.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.flow.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.flow.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.idp.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.idp.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.idp.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.member.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.member.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.member.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.policy.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.policy.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.policy.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.restrictions.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.restrictions.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.web_key.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.web_key.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.web_key.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
iam.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
impersonationNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
milestones.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.action.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.action.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.action.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.createNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.feature.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.feature.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.feature.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.flow.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.flow.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.flow.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.global.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.idp.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.idp.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.idp.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.member.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.member.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.member.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
org.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
policy.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
policy.readNoNoNoNoNoNoNo
policy.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.app.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.app.readNoNoNoNoNoNoNoNoNoNoNoNoNo
project.app.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.createNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.member.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.member.readNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.member.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.readNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.user.grant.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.grant.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.member.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.member.readNoNoNoNoNoNoNoNoNoNoNoNoNo
project.member.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.readNoNoNoNoNoNoNoNoNoNo
project.read:selfNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.role.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.role.readNoNoNoNoNoNoNoNoNoNoNoNo
project.role.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
project.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
session.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
session.linkNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
session.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
session.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.debug.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.debug.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.debug.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.domain.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.domain.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.domain.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.feature.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.feature.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.feature.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.iam.member.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.instance.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.instance.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.instance.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.limits.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.limits.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.quota.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
system.quota.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.credential.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.feature.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.feature.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.feature.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.global.readNoNoNoNoNoNoNoNoNoNo
user.grant.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.grant.readNoNoNoNoNoNoNoNoNoNo
user.grant.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.membership.readNoNoNoNoNoNoNoNoNoNoNoNo
user.passkey.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.readNoNoNoNoNoNoNoNoNoNoNoNo
user.self.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
user.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
userschema.deleteNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
userschema.readNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo
userschema.writeNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNoNo

Was this page helpful?

Granted Projects

Previous Page

Audit Trail

Next Page

On this page

RolesConfigure rolesManager Permission Matrix