GlobalRole Resource
GlobalRoles are cluster-scoped resources defined in the management.cattle.io/v3 API group.
API Definition: pkg/apis/management.cattle.io/v3/authz_types.go:142-190
Specification
Fields
displayName
Human-readable name displayed in the Rancher UI.
description
Text that describes the role’s purpose.
rules
Array of Kubernetes RBAC PolicyRules applied only to the local management cluster. These rules define what actions the role can perform on local cluster resources.
inheritedClusterRoles
List of RoleTemplate names whose permissions are granted in every downstream cluster (excluding the local cluster). Use this to grant cluster-level permissions across all managed clusters. Example: A GlobalRole with inheritedClusterRoles: ["cluster-owner"] gives users cluster-owner permissions on all downstream clusters.
namespacedRules
Map of namespace names to PolicyRules. These rules are active in specific namespaces of the local cluster only. Keys are exact namespace names (no wildcards). Common use case: Granting access to secrets in the cattle-global-data or fleet-default namespaces.
inheritedFleetWorkspacePermissions
Permissions granted in all Fleet workspaces except the local one. Sub-fields:
- resourceRules - Rules granted in the backing namespaces of all Fleet workspaces
- workspaceVerbs - Verbs for cluster-wide fleetworkspace resources
newUserDefault
If true, all new users automatically receive a binding to this GlobalRole.
Example: The built-in “user” role has newUserDefault: true to grant baseline permissions to all users.
builtin
If true, this GlobalRole was created by Rancher and is immutable. Users cannot modify or delete built-in roles.
GlobalRoleBinding
GlobalRoleBindings associate a subject (user or group) with a GlobalRole.
API Definition: pkg/apis/management.cattle.io/v3/authz_types.go:230-257
Specification
Fields
All subject and role fields are immutable after creation.
userName
Name of the Rancher User resource to bind.
userPrincipalName
Name of a user principal to bind (e.g., keycloak_user://userid).
groupPrincipalName
Name of a group principal to bind (e.g., keycloak_group://groupid).
Note: Specify exactly one of: userName, userPrincipalName, or groupPrincipalName.
globalRoleName
Name of the GlobalRole to bind to the subject.
Status
GlobalRoleBindings track status separately for local and remote controllers:
Built-in Global Roles
Rancher creates several built-in GlobalRoles during initialization. Source: pkg/data/management/role_data.go:36-103
admin
Full administrative access to all Rancher resources. Permissions:
- All verbs on all resources in all API groups
- Access to all non-resource URLs
user
Standard user role with the ability to create clusters and manage its own resources. Key Permissions:
- Create clusters and node templates
- View node drivers, Kontainer drivers, and settings
- Manage own tokens and kubeconfigs
- Create secrets in the cattle-global-data and fleet-default namespaces
- Create Fleet workspaces
newUserDefault: true - automatically assigned to new users.
Bootstrapping: The “user” role is set as the default for new logins during the bootstrap process.
Source: pkg/data/management/role_data.go:579-596
user-base
Minimal permissions for any authenticated user. Permissions:
- Update own user activity
- Create password change requests
- Manage own tokens and kubeconfigs
- View settings, features, and notifications
- Manage preferences
clusters-create
Allows creating new Kubernetes clusters. Permissions:
- Create clusters in management.cattle.io and provisioning.cattle.io
- Create machine configs in rke-machine-config.cattle.io
- View templates, node drivers, Kontainer drivers, and PSA templates
- View cluster repos and etcd snapshots
- Create secrets in cattle-global-data and fleet-default
Additional Specialized Roles
- nodedrivers-manage - Manage node driver resources
- kontainerdrivers-manage - Manage Kontainer driver resources
- users-manage - Manage users, passwords, and global role bindings
- roles-manage - Manage RoleTemplates
- authn-manage - Manage authentication providers
- settings-manage - Manage Rancher settings
- features-manage - Manage feature flags
- view-rancher-metrics - View Rancher metrics
User Management
Bootstrap Admin User
During initial startup, Rancher creates a default admin user if none exists. Process:
- Check if the bootstrapAdminConfig ConfigMap exists in the cattle-system namespace
- If not, and no users exist, create an admin user with the label authz.management.cattle.io/bootstrapping: admin-user
- Generate or use the provided bootstrap password
- Create a GlobalRoleBinding to the “admin” GlobalRole
- Create the ConfigMap to prevent recreation
Source: pkg/data/management/role_data.go:421-573
New User Defaults
When a new user logs in:
- Rancher searches for GlobalRoles with newUserDefault: true
- Automatically creates GlobalRoleBindings for each matching role
- The user immediately receives baseline permissions without admin intervention
Permission Propagation
Local Cluster Permissions
The rules field in a GlobalRole translates directly to:
- A ClusterRole in the local cluster with the same name
- ClusterRoleBindings for each GlobalRoleBinding subject
Downstream Cluster Permissions
The inheritedClusterRoles field creates:
- ClusterRoleTemplateBindings in each downstream cluster
- Bindings reference the specified RoleTemplate names
- Permissions are inherited as those RoleTemplates define
Namespaced Permissions
The namespacedRules field creates:
- Role resources in each specified namespace
- RoleBindings in those namespaces for each subject
Common Patterns
Creating a Custom Global Role
Grant read-only access to all clusters:
Binding a User to a Global Role
Binding a Group to a Global Role
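One way to write the custom read-only role and the two bindings described in these three subsections, as an added example rather than the page's own manifests or Rancher project code. The GlobalRole name clusters-readonly, the RoleTemplate name cluster-view-only (it must exist as a RoleTemplate in your installation; substitute your own read-only cluster RoleTemplate), the user name u-abc12 and the group principal keycloak_group://sec-auditors are all assumed values.

```yaml
# Added example (not from the page or the Rancher project). Assumed names:
# GlobalRole "clusters-readonly", RoleTemplate "cluster-view-only",
# user "u-abc12", group principal "keycloak_group://sec-auditors".
apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
  name: clusters-readonly
displayName: Clusters Read-Only
description: Read-only view of every cluster managed by this Rancher.
# rules apply to the local management cluster only: view clusters, nothing else.
rules:
- apiGroups: ["management.cattle.io", "provisioning.cattle.io"]
  resources: ["clusters"]
  verbs: ["get", "list", "watch"]
# inheritedClusterRoles apply in every downstream cluster (not the local one);
# each name must be an existing RoleTemplate.
inheritedClusterRoles:
- cluster-view-only
# namespacedRules apply in the named local-cluster namespaces only;
# keys are exact namespace names, no wildcards.
namespacedRules:
  fleet-default:
  - apiGroups: ["fleet.cattle.io"]
    resources: ["gitrepos", "bundles"]
    verbs: ["get", "list", "watch"]
newUserDefault: false
---
apiVersion: management.cattle.io/v3
kind: GlobalRoleBinding
metadata:
  name: grb-readonly-user
# Exactly one subject field: here the name of a Rancher User resource.
userName: u-abc12
globalRoleName: clusters-readonly
---
apiVersion: management.cattle.io/v3
kind: GlobalRoleBinding
metadata:
  name: grb-readonly-auditors
# Exactly one subject field: here an external group principal.
groupPrincipalName: keycloak_group://sec-auditors
globalRoleName: clusters-readonly
```

Apply these documents against the local (Rancher management) cluster; per the Permission Propagation section, a ClusterRole named clusters-readonly plus one ClusterRoleBinding per subject should then appear in the local cluster, a Role and RoleBinding in fleet-default, and a ClusterRoleTemplateBinding referencing cluster-view-only in each downstream cluster.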
Troubleshooting
Check GlobalRoleBinding Status
status.summary field:
- Complete - All permissions successfully applied
- Error - Check status.conditions for details
Verify Local Cluster Permissions
Check that the ClusterRole and ClusterRoleBinding were created:
Verify Downstream Cluster Permissions
Check for ClusterRoleTemplateBindings in downstream clusters:
Related Resources
- RBAC Model - Overview of Rancher’s authorization system
- Cluster Roles - Cluster-scoped permissions
- Project Roles - Project-scoped permissions