
Manage Cluster Roles (Console)

A cluster role defines the privileges that a user has within the cluster. More specifically, the cluster role controls a cluster user's privileges on the cluster, database, and collection level.

Zilliz Cloud provides two types of cluster roles: built-in roles and custom roles.

To manage cluster roles, you must be an Organization Owner or a Project Admin or have a role with Cluster_Admin privileges.

Built-in cluster roles

Zilliz Cloud provides three built-in cluster roles with different privileges commonly needed in a vector database system. The built-in roles cannot be edited or dropped.

Custom cluster roles

Custom roles provide the flexibility to grant tailored privileges at the cluster, database, and collection levels, unlike built-in roles which offer predefined access.

For collection-level access control, it is recommended to create custom roles.

📘Notes

This feature is exclusively available to Dedicated clusters.

Currently, Zilliz Cloud only supports creating custom roles with built-in privilege groups. If you need to create custom roles with user-defined privileges and privilege groups, please contact us.

Create a custom cluster role

  1. Navigate to the Roles tab of the target cluster. Click + Cluster Role.


  2. Enter the role name.

  3. Configure the privileges on the collection, database, and cluster level. Select a privilege group and then select the target resource.

    Zilliz Cloud provides 9 privilege groups in total:

    • Collection Privilege Group: Admin (col_admin), Read-Write (col_rw), Read-Only (col_ro)

    • Database Privilege Group: Admin (db_admin), Read-Write (db_rw), Read-Only (db_ro)

    • Cluster Privilege Group: Admin (cluster_admin), Read-Write (cluster_rw), Read-Only (cluster_ro)

    For details about the specific privileges in each privilege group, refer to Privileges Explained.

    📘Notes

    The three levels of built-in privilege groups do not have a cascading relationship. Setting a privilege group at the instance level does not automatically set permissions for all databases and collections under that instance. Privileges at the database and collection levels need to be set manually.

    If you need to create your own privilege group, please contact us.


  4. Click Create. Each cluster can have up to 20 custom cluster roles.
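
The non-cascading rule in step 3 and the 20-role limit in step 4 can be checked on paper before a role is entered in the console. The following is an added example, not Zilliz Cloud code or an API from this page: an offline review of a planned role list, in which the plan format, the function names, and the sample roles are assumptions.

```python
# Added example: offline review of planned custom cluster roles; it calls no Zilliz Cloud API.
# Group names and the 20-role cap are from the page; the plan format is an assumption.
GROUP_LEVEL = {"col_admin": "collection", "col_rw": "collection", "col_ro": "collection",
               "db_admin": "database", "db_rw": "database", "db_ro": "database",
               "cluster_admin": "cluster", "cluster_rw": "cluster", "cluster_ro": "cluster"}
MAX_CUSTOM_ROLES = 20
LEVELS = ("cluster", "database", "collection")

def target_level(g):
    """Level implied by the target resource selected for a grant."""
    return "collection" if g.get("collection") else "database" if g.get("database") else "cluster"

def review_role(name, grants):
    """Return findings for one planned role; an empty list means nothing to flag."""
    findings, covered = [], set()
    for g in grants:
        level = GROUP_LEVEL.get(g["group"])
        if level is None:
            findings.append(f"{name}: unknown privilege group {g['group']!r}")
        elif level != target_level(g):
            findings.append(f"{name}: {g['group']} is a {level}-level group but "
                            f"the target is a {target_level(g)}-level resource")
        else:
            covered.add(level)
    if covered:
        # Groups do not cascade: report lower levels left without a group of their own.
        top = min(LEVELS.index(lvl) for lvl in covered)
        for lower in LEVELS[top + 1:]:
            if lower not in covered:
                findings.append(f"{name}: no {lower}-level group set; the "
                                f"{LEVELS[top]}-level group does not cascade to it")
    return findings

def review_plan(roles):
    """Check the per-cluster cap on custom roles, then review each role."""
    findings = []
    if len(roles) > MAX_CUSTOM_ROLES:
        findings.append(f"{len(roles)} custom roles planned; a cluster allows {MAX_CUSTOM_ROLES}")
    for name, grants in roles.items():
        findings.extend(review_role(name, grants))
    return findings

# Constructed sample plan: role name -> list of (privilege group, target resource) grants.
PLAN = {
    "analyst": [{"group": "cluster_ro"}],
    "ingest": [{"group": "db_ro", "database": "sales"},
               {"group": "col_rw", "database": "sales", "collection": "orders"}],
    "reader": [{"group": "col_ro", "database": "sales"}],
}
print("\n".join(review_plan(PLAN)))
```

A finding about a missing lower level is a prompt to confirm intent, since a role that is meant to hold only cluster-level privileges is valid as planned.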

Grant a role to a user

Once a cluster role is created, you can grant it to users. Navigate to the Users tab and grant the role either when you create a new cluster user or when you edit the role of an existing cluster user.


Revoke a role from a user

When a cluster role is no longer a fit for a user, you can revoke the role. Navigate to the Users tab, find the target user, and click edit role. Select a different role in the dialog box.


Edit a custom cluster role

You can adjust the privileges of a custom cluster role. The adjustment will be applied to all users who are granted this role.


Delete a custom cluster role

When a custom cluster role is no longer necessary, you can delete it.

Roles that have been granted to users cannot be deleted. You need to first identify the users who are granted the target role, and then assign them a different role.
