This guide provides information on VoltConsole's Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the Volterra platform.

Roles and Privileges

Every user has one or more roles assigned, and these roles are mapped to a certain set of privileges. The privileges define what actions the user is allowed to perform. Privileges are identified by API groups in Volterra, and an API group defines which actions (APIs) are allowed under it.

The Volterra RBAC consists of the following types of roles:

1. Default Roles

The default roles are predefined in the system and cannot be changed or customised. You can use these roles to control the privileges or abilities of users. The following table lists the default roles and the associated privileges:

Note: The Category column lists the API groups, and the remaining column names are the default role names. Values in the columns are the allowed privileges.

Category Default Admin Monitor Power-Developer UAM-Admin Billing
ves-io-billing-read Allow Allow Allow Allow
ves-io-billing-write Allow Allow
ves-io-general-read Allow Allow Allow
ves-io-general-write Allow Allow
ves-io-iaas-caas-read Allow Allow Allow
ves-io-iaas-caas-write Allow Allow
ves-io-infra-monitor-read Allow Allow Allow
ves-io-infra-monitor-write Allow
ves-io-infrastructure-read Allow Allow Allow
ves-io-infrastructure-write Allow
ves-io-internal-read Allow Allow
ves-io-internal-write Allow
ves-io-k8s-read Allow Allow Allow
ves-io-k8s-write Allow
ves-io-labels-read Allow Allow Allow
ves-io-labels-write Allow Allow
ves-io-local-k8s-write Allow Allow
ves-io-monitor-read Allow Allow Allow
ves-io-monitor-write Allow Allow
ves-io-network-read Allow Allow
ves-io-network-write Allow
ves-io-proxy-monitor-read Allow Allow Allow
ves-io-proxy-monitor-write Allow Allow
ves-io-proxy-read Allow Allow Allow
ves-io-proxy-security-read Allow Allow Allow
ves-io-proxy-security-write Allow Allow
ves-io-proxy-waf-read Allow Allow Allow
ves-io-proxy-waf-write Allow Allow
ves-io-proxy-write Allow Allow
ves-io-secrets-read Allow Allow Allow
ves-io-secrets-write Allow Allow
ves-io-secure-share-read Allow Allow
ves-io-secure-share-write Allow
ves-io-system-srv6-network-slice-read-write Allow
ves-io-system-virtual-network-read-write Allow
ves-io-uam-read Allow Allow Allow
ves-io-uam-write Allow Allow
ves-io-virtual-sites-read Allow Allow Allow
ves-io-virtual-sites-write Allow Allow
ves-io-volt-share-read Allow Allow
ves-io-volt-share-write Allow
ves-io-web-access-read Allow Allow Allow Allow Allow Allow
ves-io-web-access-write Allow Allow Allow Allow Allow Allow

Note: This table classifies privileges in terms of the Create, Read, Update, and Delete (CRUD) operations. For example, the entry Allow for the API groups ves-io-uam-read and ves-io-uam-write against the Admin role means that all CRUD operations are allowed on the API group for the admin role. Each role name in the Volterra platform is prefixed with the ves-io string and suffixed with the role string. For example, the default role is identified by the ves-io-default-role name.

2. Custom Roles

You can create roles and customise them by assigning one or more API groups. These roles can be assigned to users and can also be updated or removed as needed.

Note: A user is required to have at least one of the ves-io-monitor-role, ves-io-power-developer-role, or ves-io-admin-role roles for a namespace to appear in the namespace dropdown in the VoltConsole.


You must have a valid Volterra Account. If you do not have an account, see Create a Volterra Account.

View RBAC Policy Rules and API Groups

You can view the predefined RBAC policy rules and the various API groups information from the VoltConsole.

Step 1: Log into the VoltConsole and view in-built policies.

Click on the General option in the namespace selector. Click RBAC Policies->Built-in Policy Rules under the IAM option. Click > for any policy from the displayed list to view the policy information in JSON format.

Figure: In-built RBAC Policy Rules

Note: The api_group_matcher field in the displayed information shows the API groups associated with the rule.

Step 2: View API groups.

Select API Groups from the options pane. Click > for any group from the displayed list to view the group information in JSON format.

Figure: API Group Information

Note: The elements field in the displayed information shows the APIs associated with the group.

Step 3: View the APIs associated with an API group.

Click the Elements field against any API displayed in the list to view the APIs in another window.

Figure: API Group List

Figure: API Group Elements

Create a Role

Perform the following to create a role and assign API groups to it:

Step 1: Navigate to role configuration and open a role creation form.

Click on the General option in the namespace selector. Click Roles->Create Role under the IAM option.

Figure: Navigate to Roles

Step 2: Select API groups for the role.

Set a name for the role and click Allowed API Groups. Select the API groups as per your choice and click Save to add the API groups to the role. This example creates a custom role infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.

Figure: API Group Selection

Note: Click on the value under the Elements field to view the list of APIs that are part of the associated group.

Step 3: Complete role creation.

Click Save to create the role.

Figure: Role Configuration and Creation
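
One way to review role assignments offline before applying them in VoltConsole, as an added example that is not Volterra's own code: it flags write API groups granted through custom roles such as infrawatcher, and namespaces a user would not see in the namespace dropdown. The dictionary layouts, user names and namespaces are constructed for illustration, and the read/write split assumes the -read/-write naming used by the API groups in the table above.

```python
# Added example; the dict layouts are constructed, not a VoltConsole schema.

# Roles the page says make a namespace appear in the namespace dropdown.
NAMESPACE_VISIBLE_ROLES = {"ves-io-monitor-role", "ves-io-power-developer-role",
                           "ves-io-admin-role"}

# Constructed custom role definitions: role name -> allowed API groups.
CUSTOM_ROLES = {
    "infrawatcher": ["ves-io-infra-monitor-read", "ves-io-infra-monitor-write"],
}

# Constructed assignments: user -> namespace -> assigned role names.
ASSIGNMENTS = {
    "alice@example.com": {"prod": ["infrawatcher", "ves-io-monitor-role"]},
    "bob@example.com": {"staging": ["infrawatcher"]},
}

def split_groups(api_groups):
    """Partition API groups into (read, write, other); -read-write counts as write."""
    groups = set(api_groups)
    write = sorted(g for g in groups if g.endswith("-write"))
    read = sorted(g for g in groups if g.endswith("-read"))
    return read, write, sorted(groups - set(read) - set(write))

def hidden_namespaces(assignments):
    """Return {user: [namespaces]} that would not show in the dropdown."""
    hidden = {}
    for user, per_ns in assignments.items():
        missing = sorted(ns for ns, roles in per_ns.items()
                         if not NAMESPACE_VISIBLE_ROLES & set(roles))
        if missing:
            hidden[user] = missing
    return hidden

def write_grants(assignments, custom_roles):
    """Return {(user, namespace): [write groups]} granted via custom roles only."""
    grants = {}
    for user, per_ns in assignments.items():
        for ns, roles in per_ns.items():
            # Default roles are not expanded here; only custom roles are looked up.
            groups = {g for r in roles for g in custom_roles.get(r, [])}
            write = split_groups(groups)[1]
            if write:
                grants[(user, ns)] = write
    return grants

if __name__ == "__main__":
    print("hidden namespaces:", hidden_namespaces(ASSIGNMENTS))
    print("write grants:", write_grants(ASSIGNMENTS, CUSTOM_ROLES))
```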

Create Tenant-Level RBAC Policies

Volterra provides the ability to control VoltConsole access through RBAC policies. Tenants can raise a service request and provide a list of RBAC policies to apply to VoltConsole access.

RBAC policy rules are the same as service policy rules. For example, a tenant can request to enable a rule to allow or deny access based on parameters such as source IP address, ASN, country, etc. See Service Policy API for more information.

When this tenant-level RBAC policy is enabled, it is prioritized over any user-defined and shared RBAC policies.

See Raise Support Request for instructions on how to raise support requests.