Manage Cluster Roles (Console)
A cluster role defines the privileges that a user has within the cluster. More specifically, the cluster role controls a cluster user's privileges on the cluster, database, and collection level.
Zilliz Cloud provides two types of cluster roles: built-in roles and custom roles.
To manage cluster roles, you must be an Organization Owner or a Project Admin or have a role with Cluster_Admin privileges.
Built-in cluster roles
Zilliz Cloud provides three built-in cluster roles with different privileges commonly needed in a vector database system. The built-in roles cannot be edited or dropped.
- Admin: A Cluster Admin role has full privileges to manage a cluster and all its resources (databases, collections).
The following table lists the corresponding UI and API privileges of this role.
UI Privileges
Data Plane RESTful API (V2) Privileges
Manage the cluster properties (CU size, Replica count, auto-scale)
Manage collections and indexes
View cluster metrics
Manage cluster users and roles
Manage cluster backups
- Read-Write: A Cluster Read-Write role has the privileges to view a cluster and manage all its resources (databases, collections).
The following table lists the corresponding UI and API privileges of this role.
UI Privileges
Data Plane RESTful API (V2) Privileges
Manage collections and indexes
View cluster metrics
View cluster users and roles
View cluster backups
- Read-Only: A Cluster Read-Only role has the privileges to view a cluster and its resources (databases, collections).
The following table lists the corresponding UI and API privileges of this role.
UI Privileges
Data Plane RESTful API (V2) Privileges
View collections and indexes
View cluster metrics
View cluster users and roles
View cluster backups
Part of collection operations
Part of index operations
Part of partition operations
Part of alias operations
Custom cluster roles
Custom roles provide the flexibility to grant tailored privileges at the cluster, database, and collection levels, unlike built-in roles, which offer predefined access.
For collection-level access control, it is recommended to create custom roles.
This feature is exclusively available to Dedicated clusters.
Currently, Zilliz Cloud only supports creating custom roles with built-in privilege groups on the web console. If you need to create custom roles with specific privileges or custom privilege groups, please create a support ticket first so that we can enable this feature for you. Once the feature is enabled, you can use the SDKs to create custom privilege groups.
Create a custom cluster role
- Navigate to the Roles tab of the target cluster. Click + Cluster Role.
- Enter the role name.
- Configure the privileges on the collection, database, and cluster level. Select a built-in privilege group and then select the target resource.
Zilliz Cloud provides 9 built-in privilege groups in total:
  - Collection Privilege Group: Admin (COLL_ADMIN), Read-Write (COLL_RW), Read-Only (COLL_RO)
  - Database Privilege Group: Admin (DB_Admin), Read-Write (DB_RW), Read-Only (DB_RO)
  - Cluster Privilege Group: Admin (Cluster_Admin), Read-Write (Cluster_RW), Read-Only (Cluster_RO)
📘 Notes
The three levels of built-in privilege groups do not have a cascading relationship. Setting a built-in privilege group at the instance level does not automatically set permissions for all databases and collections under that instance. Privileges at the database and collection levels need to be set manually.
For details about the specific privileges in each built-in privilege group, refer to Privileges & Privilege Groups.
- Click Create. Each cluster can have up to 20 custom cluster roles.
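Because the three privilege levels do not cascade, a planned role can be reviewed before it is entered in the console. The following Python check is an added example, not Zilliz Cloud code: the plan format, the function names and the sample roles and resources are assumptions; only the privilege group names and the limit of 20 custom roles come from this page.

```python
# Added example: offline review of planned custom cluster roles.
# Not Zilliz Cloud code; the plan format and function names are assumptions.
BUILT_IN_GROUPS = {  # the 9 built-in privilege groups listed on this page
    "collection": {"COLL_ADMIN", "COLL_RW", "COLL_RO"},
    "database": {"DB_Admin", "DB_RW", "DB_RO"},
    "cluster": {"Cluster_Admin", "Cluster_RW", "Cluster_RO"},
}
MAX_CUSTOM_ROLES = 20  # per-cluster limit stated on this page


def review_role(name, grants):
    """Return findings for one role; grants are (level, group, target) tuples."""
    findings, covered = [], set()
    for level, group, target in grants:
        allowed = BUILT_IN_GROUPS.get(level)
        if allowed is None:
            findings.append(f"{name}: unknown level '{level}'")
        elif group not in allowed:
            findings.append(f"{name}: {group} is not a {level}-level group")
        elif not target:
            findings.append(f"{name}: {group} has no target resource")
        else:
            covered.add(level)
    # The levels do not cascade, so report every level left without a grant.
    for level in BUILT_IN_GROUPS:
        if level not in covered:
            findings.append(f"{name}: no {level}-level grant, set it manually if needed")
    return findings


def review_plan(existing_custom_roles, plan):
    """Check the custom-role cap, then review each planned role."""
    findings = []
    total = existing_custom_roles + len(plan)
    if total > MAX_CUSTOM_ROLES:
        findings.append(f"{total} custom roles exceeds the limit of {MAX_CUSTOM_ROLES}")
    for name, grants in plan.items():
        findings.extend(review_role(name, grants))
    return findings


# Constructed sample plan; role and resource names are placeholders.
SAMPLE_PLAN = {
    "analyst": [("cluster", "Cluster_RO", "cluster")],
    "ingest": [("collection", "COLL_RW", "default/docs"),
               ("database", "DB_RO", "default"),
               ("cluster", "Cluster_RO", "cluster")],
    "broken": [("database", "COLL_RO", "default")],
}
```

Calling `review_plan(19, SAMPLE_PLAN)` reports the exceeded role limit, the two levels the `analyst` role leaves without a grant, and the collection-level group placed at the database level in `broken`.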
Grant a role to a user
Once a cluster role is created, you can grant it to users. Navigate to the Users tab and grant the role either when you create a new cluster user or when you edit the role of an existing cluster user.
Revoke a role from a user
When a cluster role no longer fits a user, you can revoke the role. Navigate to the Users tab, find the target user, and click edit role. Select a different role in the dialog box.
Edit a custom cluster role
You can adjust the privileges of a custom cluster role. The adjustment will be applied to all users who are granted this role.
Delete a custom cluster role
When a role is no longer necessary, you can delete a custom cluster role.
Roles that have been granted to users cannot be deleted. You need to first identify the users who are granted the target role, and then assign them a different role.