diff --git a/docs/docs/30-how-to-guides/30-managing-user-permissions.md b/docs/docs/30-how-to-guides/30-managing-user-permissions.md index 57aabce2a..ff57fa38d 100644 --- a/docs/docs/30-how-to-guides/30-managing-user-permissions.md +++ b/docs/docs/30-how-to-guides/30-managing-user-permissions.md @@ -273,6 +273,21 @@ kargo delete role developer --project kargo-demo role.rbac.kargo.akuity.io/developer deleted ``` +## Kargo Role Matrix + +The table below outlines the maximum rules required based on the `kargo-admin` ClusterRole. When specifying verbs, it's recommended to apply the principle of least privilege, ensuring access is limited to what is necessary for the specific role. + +| **API Groups** | **Resources** | **Verbs** | +|-----------------------------|------------------------------------------------|-----------------------------------------------------| +| `""` | `events`, `namespaces`, `serviceaccounts` | `get`, `list`, `watch` | +| `rbac.authorization.k8s.io` | `rolebindings`, `roles` | `get`, `list`, `watch` | +| `kargo.akuity.io` | `freights`, `projects`, `stages`, `warehouses` | `*` | +| `kargo.akuity.io` | `stages` | `promote` | +| `kargo.akuity.io` | `promotions` | `create`, `delete`, `get`, `list`, `patch`, `watch` | +| `kargo.akuity.io` | `freights/status` | `patch` | +| `argoproj.io` | `analysisruns` | `delete`, `get`, `list`, `watch` | +| `argoproj.io` | `analysistemplates` | `*` | + ## Global Mappings In cases where certain, broad sets of permissions may be required by a large