Permission sets

Permission sets grant users access to resources within your organization. Each permission set links a user (identified by email address) to a permission level.

How permission sets work

A permission set defines:

  • User identity - The email address of the user receiving access
  • Permission level - The type of access granted (currently only admin)
  • Scope - Where the permissions apply

When you create a permission set with the --admin flag, the user receives administrator access.

Permission levels

The IAM service supports admin permissions. Admin users can:

  • Create, update, and delete resources
  • View all resources and their configurations
  • Manage permission sets for other users
  • Access billing and quota information

Note: The IAM service only supports admin permissions. More granular permission levels aren't yet available.

Permission scope

Permission sets can grant access at different scopes:

Organization-wide access

Creating a permission set with --admin grants organization-wide administrator access. The user can manage all projects and resources across the entire organization.

Project-scoped access

Permission sets created within a project grant access only to that project's resources. This lets you give users access to specific projects without organization-wide permissions.

Managing permission sets

Use the evroc CLI to manage permission sets:

# Grant admin access
evroc iam permissionset create alice-admin --admin --email alice@example.com

# List permission sets
evroc iam permissionset list

# Remove access
evroc iam permissionset delete alice-admin

For step-by-step instructions, see Manage permissions.

Best practices

  1. Use organization-wide permissions sparingly - Grant organization-wide admin access only to users who need to manage all projects.

  2. Use project-scoped permissions for most users - Most users only need access to specific projects. Use project-scoped permission sets to limit access.

  3. Review permissions regularly - Periodically audit permission sets to ensure users have appropriate access levels. Remove permission sets for users who no longer need access.

  4. Use descriptive names - Name permission sets clearly to indicate the user and purpose, such as alice-admin or bob-dev-access.
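The periodic audit in practice 3 can be scripted. The shell function below is an added example, not part of the evroc CLI or its documentation: it flags organization-wide admin permission sets whose user is not on an approved list. It assumes that `evroc iam permissionset list` prints a header line followed by one set per line with whitespace-separated NAME, EMAIL, LEVEL and SCOPE columns; verify the real output format before relying on it.

```shell
#!/bin/sh
# Added example, not part of the evroc CLI or its docs.
# ASSUMPTION: `evroc iam permissionset list` is taken to print a header
# line followed by one permission set per line, with whitespace-separated
# NAME EMAIL LEVEL SCOPE columns. Verify the real format before relying
# on this against a live organization.

# Constructed sample standing in for `evroc iam permissionset list` output.
SAMPLE_LIST='NAME            EMAIL              LEVEL  SCOPE
alice-admin     alice@example.com  admin  organization
bob-dev-access  bob@example.com    admin  project:web-frontend
carol-admin     carol@example.com  admin  organization'

# Users approved to hold organization-wide admin, comma-separated (constructed).
APPROVED_ORG_ADMINS='alice@example.com'

# unapproved_org_admins LIST APPROVED
# Prints "NAME EMAIL" for each organization-scoped admin permission set whose
# user is not in APPROVED. Project-scoped sets are left alone, since practice 2
# expects most users to hold those. Returns 1 if any set was flagged, else 0.
unapproved_org_admins() {
    printf '%s\n' "$1" | awk -v approved="$2" '
        BEGIN {
            n = split(approved, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        # The header row and non-admin or project-scoped rows never match.
        NF >= 4 && $3 == "admin" && $4 == "organization" && !($2 in ok) {
            print $1, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Stand-alone run against the sample; to audit a live organization, call
#   unapproved_org_admins "$(evroc iam permissionset list)" "$APPROVED_ORG_ADMINS"
if unapproved_org_admins "$SAMPLE_LIST" "$APPROVED_ORG_ADMINS"; then
    echo "no unapproved organization-wide admins"
else
    echo "review the permission sets above (evroc iam permissionset delete NAME)"
fi
```

Only organization-scoped admin sets are reported, so a user holding admin on a single project (bob-dev-access in the sample) does not appear.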