Skip to content

Access Control

When creating a tenant you may have noticed mention of an 'owner group' with a UUID returned. This is the default group attached to the tenant where members all have 'owner' permission (described below) to that created tenant and all child sub-tenants. Initially only you will be a member of the group.

If you have at least 'viewer' access to an entity (tenant or environment) and try to do something that requires a higher privilege you will receive a 'HTTP 403 Forbidden' response. If you do not even have 'viewer' access to the entity (or it does not exist) you will receive a 'HTTP 404 Not Found'.

Groups are tied to a single tenant though they affect sub-tenants. You may create more groups by using:

klic group create TENANT-UUID NAME

You may add members with (using username-less realms only such as captures all users with an email in that realm):

klic group useradd GROUP-UUID


Recall that a group is tied to a tenant, so there is no need for the TENANT-UUID as it is explicit

Members are similarly removed using klic group userdel ...

Once you have created a group and managed its members, you can change the permissions of the group to describe what it's members are allowed to do:

klic permission update GROUP-UUID add ROLE SCOPE
See the next section for supported role and scope values.

You may also pin a permission to an explicit environment with:

klic permission update –environment ENVIRONMENT-UUID GROUP-UUID add ROLE SCOPE


Scope is ignored for environment pinning and always set to base

Role and Scope

There are three roles:

  • viewer: only allowed to read all settings and submit usage data
  • editor: allowed to enrol environments as well as create and renew licenses (in addition to viewer permissions)
  • owner: allowed to create sub-tenants, groups and assign roles and permissions (in addition to editor permissions)

There are four scopes:

  • base: only the listed tenant (no sub-tenant access)
  • sub: listed tenant and all sub-tenants
  • one: only sub-tenants of listed tenant but not sub-sub-tenants or deeper
  • subordinates: only sub-tenants of listed tenant but inclusive of all sub-sub-tenants or deeper