Version: User Guides (Cloud)

User Roles

In Zilliz Cloud, Role-based Access Control (RBAC) is pivotal for delineating permissions across organizations, projects, and clusters. This system allows organization and project owners to efficiently manage user roles and access, maintaining streamlined operations and security.

For a deeper understanding of how organizations and projects are structured, refer to Resource Hierarchy.

Organization roles

To manage access and actions at the organization level, Zilliz Cloud introduces two organization roles, delineating who can access which modules and perform specified actions.

  • Organization Owner: has full administration access to the organization, including organization settings, all projects in the organization, and associated resources.

  • Organization Member: has limited access to the organization, where they can view organization settings and invite users to join the organization. The specific scope of permission on project- and cluster-level resources owned by an organization member is determined by their project roles.

Project roles

At the project level, two roles are introduced to enable finer-grained access control:

  • Project Owner: has full administration access to the project, including project settings, all clusters in the project, and associated resources.

  • Project Member: has read and write access to clusters within the project, where they can view cluster details and manage collections and indexes.

Cluster built-in roles

Default user with Admin role

Upon the creation of a cluster in Zilliz Cloud, a default cluster user, named db_admin, is established. Zilliz Cloud automatically generates the password for this user. Equipped with the Admin role, the db_admin user has full access to all cluster-level resources and operations.

📘Notes

The creator of the cluster is automatically assigned the Admin role.

Additional users with built-in roles

In addition to the default db_admin user, you can also add and manage extra cluster users, each with distinct built-in roles.

The system categorizes cluster built-in roles into the following types, each defining the extent of permissions for cluster users:

  • Admin: Full control over the cluster and associated resources.

  • Read-Write: Permission to read, write, and manage collections and indexes within the cluster.

  • Read-Only: Viewing rights for most cluster resources, but no creation, modification, or deletion capabilities.

To manage cluster users with various roles, see Manage Cluster Credentials.

📘Notes
  • These built-in roles are only applicable to dedicated clusters. Serverless clusters support only the Read-Write role. For more information on cluster types, see Select the Right Cluster Plan.

  • If you encounter an error while using the built-in roles feature with a dedicated cluster, please contact us for troubleshooting assistance.

Access levels

Platform Role | UI Operation | API Operation

Organization & Project

Organization Owner

UI Operation: Grants full access to the organization:
- Full access to all projects in the organization;
- Full access to payments & billing;
- Manage API keys;
- Manage organization users;
- Full access to metrics & alerts;
- View activities;
- Manage organization settings;
- Use recycle bin.

API Operation:
RESTful
- Cloud (list cloud providers & regions)
- Cluster (create, list, describe, drop, modify, resume, suspend, create serverless, list projects)
- Import (import, get import progress, list import jobs)
- Pipeline (describe, create, list, run, drop)
- Collection (list, create, describe, drop)
- Vector (delete, insert, search, query, get, upsert)
SDKs (Python, Java, Go, Node.js)
- Credential (create, delete, list, update, addUserToRole, selectUser)
- Alias (create, drop, describe, alter, list)
- System (getVersion, checkHealth)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, compaction, getStatistics, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)

Project Owner

UI Operation: Grants full access to the project:
- Full access to clusters and pipelines in the project;
- Manage project users;
- Restricted access to API keys;
- Access to whitelist and private link;
- Access to project alerts.

API Operation:
RESTful
- Cloud (list cloud providers & regions)
- Cluster (create, list, describe, drop, modify, resume, suspend, create serverless, list projects)
- Import (import, get import progress, list import jobs)
- Pipeline (describe, create, list, run, drop)
- Collection (list, create, describe, drop)
- Vector (delete, insert, search, query, get, upsert)
SDKs (Python, Java, Go, Node.js)
- Credential (create, delete, list, update, addUserToRole, selectUser)
- Alias (create, drop, describe, alter, list)
- System (getVersion, checkHealth)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, compaction, getStatistics, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)

Project Member

UI Operation: Grants read/write access to clusters in the project:
- View clusters and pipelines, but cannot create or manage them;
- Manage collections & indexes.

API Operation:
RESTful
- Cloud (list cloud providers & regions)
- Import (import, get import progress, list import jobs)
- Pipeline (describe, create, list, run, drop)
- Collection (list, create, describe, drop)
- Vector (delete, insert, search, query, get, upsert)
SDKs (Python, Java, Go, Node.js)
- Alias (create, drop, describe, alter, list)
- System (getVersion, checkHealth)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, compaction, getStatistics, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)

Cluster Built-in Role

Admin (db_admin)

UI Operation: Grants full access to the cluster.

API Operation:
RESTful
- Collection (list, create, describe, drop)
- Vector (delete, insert, search, query, get, upsert)
SDKs (Python, Java, Go, Node.js)
- Credential (create, delete, list, update, addUserToRole, selectUser)
- Alias (create, drop, describe, alter, list)
- System (getVersion, checkHealth)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, compaction, getStatistics, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)

Read-Write (db_rw)

UI Operation: Grants read/write access to the cluster.

API Operation:
RESTful
- Collection (list, create, describe, drop)
- Vector (delete, insert, search, query, get, upsert)
SDKs (Python, Java, Go, Node.js)
- System (getVersion, checkHealth)
- Alias (create, drop, describe, alter, list)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)

Read-Only (db_ro)

UI Operation: Grants read-only access to the cluster.

API Operation:
RESTful
- Collection (list, describe)
- Vector (search, query, get)
SDKs (Python, Java, Go, Node.js)
- Alias (describe, list)
- System (getVersion, checkHealth)
- Collection (describe, show, load)
- Partition (hasPartition, show)
- Index (getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, get, query)
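
As an added example (not Zilliz Cloud code), the following Python parses the SDK rows of the three cluster built-in roles from the table above and reports which cluster users hold a broader role than the operations they use require. The `Resource.op` naming, the function names, and the sample users with their observed calls are assumptions constructed for illustration.

```python
import re
# SDK rows copied from the table on this page, ordered least to most privileged.
TABLE = {
    "db_ro": """- Alias (describe, list)
- System (getVersion, checkHealth)
- Collection (describe, show, load)
- Partition (hasPartition, show)
- Index (getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, get, query)""",
    "db_rw": """- System (getVersion, checkHealth)
- Alias (create, drop, describe, alter, list)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)""",
    "db_admin": """- Credential (create, delete, list, update, addUserToRole, selectUser)
- Alias (create, drop, describe, alter, list)
- System (getVersion, checkHealth)
- Collection (create, drop, describe, show, load, release, flush, getFlushState, compaction, getStatistics, rename)
- Partition (create, drop, hasPartition, load, release, show)
- Index (create, drop, getIndexState, getIndexBuildProgress, describeIndex)
- Vector (search, insert, delete, get, query)""",
}

def parse(rows):
    """Turn '- Resource (op, op)' rows into a set of 'Resource.op' strings."""
    pairs = re.findall(r"- (\w+) \(([^)]*)\)", rows)
    return {f"{res}.{op.strip()}" for res, ops in pairs for op in ops.split(",")}

GRANTS = {role: parse(rows) for role, rows in TABLE.items()}

def least_privileged_role(needed):
    """First role in least-to-most order covering every needed operation, else None."""
    return next((r for r, g in GRANTS.items() if set(needed) <= g), None)

def audit(assignments):
    """Map each over-privileged user to the smaller role that covers their usage."""
    order, findings = list(GRANTS), {}
    for user, (role, used) in assignments.items():
        minimal = least_privileged_role(used)
        if minimal and order.index(minimal) < order.index(role):
            findings[user] = minimal
    return findings

# Constructed sample: cluster users, their assigned role, and observed SDK calls.
SAMPLE = {
    "search-api": ("db_admin", {"Vector.search", "Collection.load"}),
    "ingest-job": ("db_rw", {"Vector.insert", "Collection.flush"}),
    "ops-admin": ("db_admin", {"Credential.create", "Collection.compaction"}),
}
```

Calling `audit(SAMPLE)` flags only `search-api`, whose observed calls are all covered by `db_ro`.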