Skip to main content
Version: latest

VM User Roles and Permissions

You must configure roles and role binding before any user, including you as administrator, can access Palette Virtual Machine Orchestrator (VMO). There are two sets of roles: Cluster Roles and Palette Roles, along with the required bindings configuration.

Palette provides the following four out-of-the-box Cluster roles for Palette Virtual Machine Orchestrator. The table also lists the corresponding Palette roles.

Cluster RoleDescriptionRestrictionsPalette Role
spectro-vm-adminHas admin privileges to manage the Kubernetes cluster, VMs, and templates.NoneCluster Admin or

Cluster Profile Admin or Editor

Virtual Machine Admin
spectro-vm-power-userCan perform most VM operations, but does not handle infrastructure aspects.Cannot manage or administer the
Kubernetes cluster.

Cannot manage or update VM templates.
Cluster Viewer

Virtual Machine Power User
spectro-vm-userPrimarily uses VMs created by others.Cannot launch new VMs or clone existing ones.

Cannot delete VMs.

Cannot migrate VMs from one node to another.
Cluster Viewer

Virtual Machine User
spectro-vm-viewerA view-only role.Cannot perform any of the operations offered to the above users.Cluster Viewer

Virtual Machine Viewer


These roles are currently only relevant to access Palette Virtual Machine Orchestrator APIs. To access the Virtual Machines console, users must have permissions to access the host clusters. These permissions can be granted through the default Kubernetes roles Admin/Editor/Viewer.

You can create additional roles based on the permissions granularity that Palette offers. Palette provides the ability to specify bindings to configure granular Role-Based Access Control (RBAC) rules.

You can configure namespaces and RBAC from within a cluster or from a Palette workspace that contains a cluster group. In a cluster group, all RoleBindings must occur at the namespace level. For details, review the Cluster RBAC and workspace RBAC guides.

Palette leverages Regex Pattern matching so you can select multiple namespaces to apply role bindings. Check out Regex for Namespaces to learn more.