Skip to main content
Version: 2.3

User Access Privileges

There are two concepts of roles within Wayfinder, those which permit access to Wayfinder itself (Wayfinder roles and Wayfinder role bindings) and those which permit access to clusters managed by Wayfinder (cluster roles, cluster role bindings, and cluster access policies). These both use a common set of workspace groups in Wayfinder. This topic outlines access to Wayfinder itself.

Also see the following related information:


User access to Wayfinder itself can operate at two levels: platform-wide access which provides access to the management of the configuration that operates outside of any workspace (i.e. Network Plans, Cloud Access Configurations, Cluster Plans, etc.) and workspace-level access which provides access to the management of resources within a specific workspace (i.e. assigning users to a workspace and giving them the privileges to deploy their applications).

The diagram below illustrates access to Wayfinder itself (left hand side of the diagram) and access to the clusters that Wayfinder manages (RBAC) (right hand side of the diagram).

User Privileges and RBAC

Left hand side of the diagram:

  • Wayfinder manages Wayfinder Roles and Wayfinder Role Bindings internally, therefore, as a Wayfinder administrator you only have to add users to the respective Wayfinder Groups and Workspace Groups.

  • Wayfinder Roles are divided into roles that permit platform-wide access and those that permit access to a specific workspace. Both use the wf get wayfinderroles CLI command. The workspace-level roles start with workspace.

  • Wayfinder Role Bindings are divided into role bindings that:

    • Bind Wayfinder Roles (platform-level) to Wayfinder Groups (platform-level). Users in Wayfinder Groups that have workspace roles assigned to them, will have access across all workspaces and will be able to perform actions in each workspace that the role permits.
    • Bind Wayfinder Roles (workspace-level) to Workspace groups. Users in workspace-level groups will only have access to the workspaces that they are added to. Also see the FAQ section on what happens when users belong to multiple workspaces.

Right hand side of the diagram:

  • The same set of workspace groups that grant access to Wayfinder itself is also used in Wayfinder's RBAC implementation.
  • Wayfinder's RBAC implementation is used in Wayfinder's workspaces to control access to Kubernetes clusters managed by Wayfinder.

Wayfinder groups

Use wf get wayfindergroups to view the groups that operate at the platform-level.

viewallRead-only viewer of all workspaces
authenticatedAll authenticated users (implicit - all logged-in users are automatically in this group)


Wayfinder groups are referenced in Wayfinder's web interface as WF User Groups.

To view WF User Groups in Wayfinder's web interface:

  • Click on Settings, and then navigate to Platform setup > User Management > WF user groups
  • Expand the accordion to view the users in each group.
  • Use the Actions tab to view applicable actions such as editing members, useful CLI commands and manifest files.

Workspace groups


There is only one set of workspace groups and they are used to give user access to Wayfinder itself as well as give user access to clusters that Wayfinder manages (RBAC).

Use wf get workspacegroups to view the workspace groups that operate at the workspace-level.

Use wf get wayfindergroups -w WORKSPACE-NAME to view the workspace groups that exist within a particular workspace. Each workspace will inherit Wayfinder's default workspace groups and Workspace owners can optionally create additional workspace groups. As a result, each workspace can have a different set of workspace groups.

Wayfinder's default workspace groups are outlined in the table below.

ownerManages users, groups, access policies and roles within the workspaceAccess to Wayfinder itself & access to the clusters that Wayfinder manages (RBAC)
memberMember of the workspace. No workspace management permissionsAccess to Wayfinder itself & access to the clusters that Wayfinder manages (RBAC)
viewerView only access to all clusters in workspaceAccess to Wayfinder itself & access to the clusters that Wayfinder manages (RBAC)
editorSuper-user access to namespaces in Non-Production. View only access in ProductionAccess to the clusters that Wayfinder manages (RBAC)
secretsviewer-nonprodAccess to secrets in Non-Production, and other sensitive K8s configsAccess to the clusters that Wayfinder manages (RBAC)
secretsviewer-prodAccess to secrets, and other sensitive K8s configsAccess to the clusters that Wayfinder manages (RBAC)
troubleshootingAccess to logs and exec into running containersAccess to the clusters that Wayfinder manages (RBAC)

You can learn how to add existing users to a Workspace Group by visiting the Adding Users topic.

Wayfinder roles

Wayfinder roles permit access to Wayfinder itself. They are either applicable at the platform-level or the workspace-level.

Use wf get wayfinderroles to view all the Wayfinder roles that are available at the platform-level as well as the workspace-level.

The roles below provide access to Wayfinder's platform-level configuration:

adminFull access to all platform-wide objects
cloudaccessmanagerManage cloud access configuration and cloud organisations platform-wide
cloudresourcemanagerManage cloud resource plans
clusterconfigmanagerManage cluster configuration, plans and packages
dnsmanagerManage global DNS zones
networkconfigmanagerManage platform network configuration and network plans
useraccessmanagerManage user access to Wayfinder itself
workspacecreatorAllows creation of workspaces

Roles prefixed with 'workspace.' provide access to workspace-level resources. These are specific to a particular workspace.

workspace.accessmanagerAllows management of access to a workspace and its clusters
workspace.accesstokenmanagerCreate, update and delete workspace access tokens
workspace.adminBasic access for workspace administrators to a workspace
workspace.appdeployerDeploy applications via Wayfinder
workspace.appmanagerCreate, update and delete applications and their environments
workspace.cloudaccessmanagerManage cloud access configuration in a workspace
workspace.clusteraccessMinimal role for all users who need access to any clusters in the workspace
workspace.clusterdeleterDelete clusters and related infrastructure
workspace.clustermanagerCreate and update (but not delete) clusters and manage namespaces
workspace.dnsdeleterDelete workspace DNS zones
workspace.dnsmanagerCreate and update (but not delete) workspace DNS zones
workspace.memberBasic access for all members of a workspace
workspace.namespacemanagerCreate, update and delete namespaces in the workspace clusters
workspace.nonmemberLimited read-only access to a few top-level workspace resources, for non-members
workspace.packagemanagerAllows management of packages in a workspace
workspace.policymanagerManage policy in a workspace
workspace.viewerRead-only access to all objects in a workspace

Wayfinder role bindings

The following roles are available to users in each of the groups.

  • P : Privileges are at the Platform-level.
  • A : Privileges apply across All workspaces.
  • W : Privileges are Workspace-specific.
  • Empty Cell: No privileges

RoleWayfinder Admin GroupWayfinder Viewall GroupWayfinder Authenticated GroupWorkspace Owner GroupWorkspace Member GroupWorkspace Viewer Group
workspace. accessmanagerAW
workspace. accesstokenmanagerAWW
workspace. appdeployerAWW
workspace. appmanagerAWW
workspace. cloudaccessmanagerAW
workspace. clusteraccessAWW
workspace. clusterdeleterAW
workspace. clustermanagerAWW
workspace. dnsmanagerAWW
workspace. namespacemanagerAWW
workspace. nonmemberA
workspace. packagemanagerAW
workspace. policymanagerAW


💬 What is the difference between the workspace.viewer role for a user in the Admin Group vs Workspace Owner Group?

  • The workspace.viewer role for the Wayfinder Admin and the Wayfinder Viewall groups allow view access across all workspaces. In the table above, this type of access is indicated with an 'A'.
  • The same workspace.viewer role for the Workspace Owner, Workspace Member and Workspace Viewer groups allow view access to a specific workspace. In the table above, this type of access is indicated with an 'W'.

This is also true for other roles in the table above where A and W are listed against the same role i.e. workspace.appdeployer.

💬 What happens when a user belongs to mutliple workspaces?

If a user belongs to more than one workspace, then that user is limited to the access that each of the groups provide, for each group that the user is a member of, and to the workspace that the group falls within. Therefore, access for that user may be same or different across workspaces.

For example:

  • User1 is assigned to the workspace member group in workspace CoolApps, so user1 enjoys all the privileges that has been assigned to him and which allows him to deploy applications (i.e. workspace.viewer, workspace.appdeployer, workspace.clusteraccess, workspace.member, etc.).
  • User1 is also assigned to the workspace viewer group in workspace BizApps, so only has workspace.view privileges and will therefore not be able to deploy any applications within BizApps.

💬 What is the difference between workspace groups and Wayfinder groups?

Wayfinder's workspace groups operate at the workspace-level and could:

  • Only grant access to Wayfinder's workspaces itself (via Wayfinder roles and Wayfinder rolebindings), OR
  • Grant access to Wayfinder's workspaces and grant access to the Kubernetes clusters that Wayfinder manages for that workspace (via workspace roles and workspace access policies).

Wayfinder groups grant access to Wayfinder itself and could (via Wayfinder roles and Wayfinder rolebindings):

  • Grant access at the platform-level to administer configurations outside of any workspace i.e. network plans, cloud access configurations, etc.
  • Grant access to Wayfinders workspaces itself without any cluster access permissions. This access is managed internally by Wayfinder and is not visible within Wayfinder's web interface.