Orgs, Spaces, Roles, and Permissions

Page last updated: October 14, 2015

Cloud Foundry uses role-based access control (RBAC), with each role granting permissions in either an org or a space.

Orgs

An org is a development account that an individual or multiple collaborators can own and use. All collaborators access an org with user accounts. Collaborators in an org share a resource quota plan, applications, services availability, and custom domains.

User Accounts

A user account represents an individual person within the context of a Cloud Foundry installation. A user can have different roles in different spaces within an org, governing what level and type of access they have within that space.

Spaces

Every application and service is scoped to a space. Each org contains at least one space. A space provides users with access to a shared location for application development, deployment, and maintenance. Each space role applies only to a particular space.

Roles and Permissions

A user can have one or more roles. The combination of these roles defines the user’s overall permissions in the org and within specific spaces in that org.

Org Roles and Permissions

Org Manager

Assign this role to managers or other users who need to administer the account.

An Org Manager can do the following:

  • Add and manage users
  • View users and edit org roles
  • View the org quota
  • Create, view, edit, and delete spaces
  • Invite and manage users in spaces
  • View the status, number of instances, service bindings, and resource use of each application in every space in the org
  • Add domains

Note: An Org Manager needs explicit administrator permissions to perform certain actions. Refer to the Creating and Managing Users with the UAA CLI (UAAC) topic to learn how to create a user with admin rights.

Org Auditor

Assign this role to people who need to view but not edit user information and org quota usage information.

An Org Auditor can do the following:

  • View users and org roles
  • View the org quota

Billing Manager

Assign this role to people who need to create and manage billing account and payment information.

A Billing Manager can do the following:

  • Set the org spending limit
  • Create and set payment information
  • Read invoices and payment history
  • Create and edit the invoice notification email addresses

Note: The Billing Manager role is only relevant for Cloud Foundry environments deployed with a billing engine.

Space Roles and Permissions

Space Manager

Assign this role to managers or other users who need to administer a space.

A Space Manager can do the following:

  • Add and manage users in the space
  • View the status, number of instances, service bindings, and resource use of each application in the space

Space Developer

Assign this role to application developers or other users who need to manage applications and services in a space.

A Space Developer can do the following:

  • Deploy an application
  • Start or stop an application
  • Rename an application
  • Delete an application
  • Create, view, edit, and delete services in a space
  • Bind or unbind a service to an application
  • Rename a space
  • View the status, number of instances, service bindings, and resource use of each application in the space
  • Change the number of instances, memory allocation, and disk limit of each application in the space
  • Associate an internal or external URL with an application

Space Auditor

Assign this role to people who need to view but not edit the space.

A Space Auditor can do the following:

  • View the status, number of instances, service bindings, and resource use of each application in the space