> ## Documentation Index
> Fetch the complete documentation index at: https://docs.risingwave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Role-based access control (RBAC)

> In RisingWave Cloud, Role-based access control (RBAC) system empowers organizations to precisely manage access permissions based on their roles. Among RisingWave Cloud users in the organization, each user is associated with a pre-defined role. The organization administrator will have permission to edit the roles of all the members, whereas other members will have access to different subsystems depending on their roles.

## Security principal

A security principal refers to an entity that is authenticated and authorized to perform various operations and access resources in RisingWave Cloud. You can assign a role to any of these security principals:

* Service account: Typically represents an application. It accesses RisingWave Cloud resources on the application's behalf, using API keys for authentication.
* User: Typically represents an individual user who interacts with resources via the user interface.

## Role permissions and limitations

Below are permissions and limitations for roles to ensure that each service account or user has appropriate access tailored to their responsibilities.

To grant a role to your account, go to [Organization](https://www.risingwave.cloud/project/organization/service-account/) > Role management, then click **Edit roles** on the right side.

| Role               | Permissions                                                                                                                                          | Limitations                                                                                                                                                                                          |
| :----------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| OrganizationAdmin  | Full control over tenants and related resources.Management of service accounts, users, invitations, and RoleBinding.Access to all billing resources. | Cannot modify their own admin RoleBinding.                                                                                                                                                           |
| OrganizationMember | View access to all tenants.View service accounts, users, and invitations.                                                                            | No permissions for tenant-related operations (create, update, delete).No permissions for service accounts, users, or invitations operations (create, update, delete).No access to billing resources. |
| BillingManager     | Full access to all billing resources.                                                                                                                | No access to any other operations outside of billing.                                                                                                                                                |
| ProjectAdmin       | Full access to operations related to any tenants.                                                                                                    | No access to billing operations, service accounts, users, or invitations.                                                                                                                            |

## RoleBinding

RoleBindings ensure that only authorized entities have access to resources and operations based on their defined roles.

### Prerequisite

Only the OrganizationAdmin has the permission to manage user's RoleBinding.

### Scenario

| User scenarios                                    | Description                                                                                                                                                                                                                                                                                                                                                                |
| :------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Invite a user to the organization                 | Currently, you can only invite a new user as an OrganizationMember. If you want to grant more permissions to the target user, please go to **Organization** > **Role management** > **Users** to modify after the user accepts the invitation.                                                                                                                             |
| Create a service account in the organization      | The service account RoleBinding is used for authorization when accessing Cloud APIs using the service account's API keys. By default, the service account is assigned the read-only OrganizationMember role. If you need to assign more permissions to the service account, please go to **Organization** > **Role management** > **Service Accounts** to add other roles. |
| Delete or add RoleBinding for a user              | Go to **Organization** > **Role management** > **Users**, click the corresponding Edit Roles of the specific role. A popup window will appear, allowing you to uncheck the role or select the new ones. Click **Confirm** to save the change.                                                                                                                              |
| Delete or add RoleBinding for the service account | Go to **Organization** > **Role management** > **Users**, click the corresponding Edit Roles of the specific service account. A popup window will appear, allowing you to uncheck the role or select the new ones. Click **Confirm** to save the change.                                                                                                                   |

<Note>
  Every organization needs at least one OrganizationAdmin user. Any attempt to delete the last OrganizationAdmin RoleBinding will fail.
</Note>
