Permission sets
Permission sets grant users access to resources within a project. Each permission set links a user (identified by email address) to a permission level.
How permission sets work
A permission set defines:
- User identity - The email address of the user receiving access
- Permission level - The type of access granted (admin)
- Scope - Where the permissions apply
When you create a permission set with the admin flag set to true, the user receives administrator rights.
Permission levels
The IAM service currently supports only admin permissions. Admin users can:
- Create, update, and delete resources
- View all resources and their configurations
- Manage permission sets for other users
- Access billing and quota information
Note: More granular permission levels are coming soon.
Managing permission sets
Use the evroc CLI to manage permission sets:
# Grant admin access
evroc iam permissionset create alice-admin --admin --email alice@example.com
# List permission sets
evroc iam permissionset list
# Remove access
evroc iam permissionset delete alice-admin
For step-by-step instructions, see Manage permissions.
Best practices
- Use project-scoped permissions for most users - Most users only need access to specific projects. Use project-scoped permission sets to limit access.
- Review permissions regularly - Periodically audit permission sets to ensure users have appropriate access levels. Remove permission sets for users who no longer need access.
- Use descriptive names - Name permission sets clearly to indicate the user and purpose, such as alice-admin.
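One way to carry out the periodic review and naming check described above, as an added example that is not part of the evroc documentation or tooling. It assumes you keep an inventory file of "name email" pairs and a roster file of approved admin emails; both formats and all function names are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not evroc's own tooling. The "name email" inventory format is
# an assumption; it is not the output format of `evroc iam permissionset list`.

# audit_permission_sets INVENTORY ROSTER
#   STALE <name> <email>    email is not on the roster of approved admins
#   UNCLEAR <name> <email>  name does not begin with "<email local part>-"
audit_permission_sets() {
    awk '
        $1 == "" || $1 ~ /^#/ { next }            # skip blank lines and comments
        FILENAME == ARGV[1] { approved[tolower($1)] = 1; next }   # roster file
        {
            name = $1; email = tolower($2)
            user = email; sub(/@.*/, "", user)
            if (!(email in approved)) print "STALE", name, email
            if (index(name, user "-") != 1) print "UNCLEAR", name, email
        }
    ' "$2" "$1"
}

# removal_commands INVENTORY ROSTER
# Prints a delete command per STALE finding for a human to review; runs nothing.
removal_commands() {
    audit_permission_sets "$1" "$2" |
        awk '$1 == "STALE" { print "evroc iam permissionset delete " $2 }'
}

# Constructed sample data: bob has left the roster, temp1 is not descriptive.
sample_audit() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'alice-admin alice@example.com' 'bob-admin bob@example.com' \
        'temp1 carol@example.com' > "$dir/inventory"
    printf '%s\n' 'alice@example.com' 'carol@example.com' > "$dir/roster"
    audit_permission_sets "$dir/inventory" "$dir/roster"
    removal_commands "$dir/inventory" "$dir/roster"
    rm -rf "$dir"
}

sample_audit
```

Because every permission set currently grants admin rights, each STALE line is an administrator who is no longer on the roster; review the printed delete commands before running any of them.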