Set up users
Authentication
Calico Cloud supports Google Social login and username / password for user authentication.
Roles and authorization
Users can have one or more of the following predefined user roles to access features in the web console. The default permissions align with typical needs for each role.
Owner
The Owner role has the highest level of access and typically corresponds to the account creator.
The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view, edit, delete |
Compliance Reports | view |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view, edit |
Usage Metrics | view |
Threat Feeds | view, edit |
Web Application Firewall | view, edit |
Container Threat Detection | view, edit |
Dashboards | view, edit |
Admin
The Admin role provides broad administrative access for day-to-day configuration and management of Calico Cloud.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view, edit, delete |
Compliance Reports | view |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view, edit |
Usage Metrics | - |
Threat Feeds | view, edit |
Web Application Firewall | view, edit |
Container Threat Detection | view, edit |
Dashboards | view, edit |
Viewer
The Viewer role provides read-only access to most operational and configuration data within Calico Cloud. It is ideal for users who need visibility without making changes.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view |
Nodes and Endpoints | view |
Network Sets | view |
Managed Clusters | view |
Compliance Reports | view |
Timeline | view |
Alerts | view |
Kibana | view |
Image Assurance | - |
Manage Team | view |
Usage Metrics | - |
Threat Feeds | view |
Web Application Firewall | view |
Container Threat Detection | view |
Dashboards | view |
DevOps
The DevOps role is designed for users responsible for application deployment, CI/CD integration, and managing network policies and configurations relevant to their applications.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view, edit |
Compliance Reports | - |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view |
Usage Metrics | - |
Threat Feeds | view, edit |
Web Application Firewall | view |
Container Threat Detection | view |
Dashboards | view |
Security
The Security role focuses on security posture management, including policy definition, threat monitoring, vulnerability management (Image Assurance), and incident response.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | view |
Policies | view, edit |
Nodes and Endpoints | view |
Network Sets | view, edit |
Managed Clusters | view |
Compliance Reports | view |
Timeline | view |
Alerts | view, edit |
Kibana | view, edit |
Image Assurance | view, edit |
Manage Team | view |
Usage Metrics | - |
Threat Feeds | view, edit |
Web Application Firewall | view, edit |
Container Threat Detection | view, edit |
Dashboards | view |
Compliance
The Compliance role provides focused access to compliance reporting and related policy information, suitable for auditors or compliance officers.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | view |
Nodes and Endpoints | view |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | view |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
Usage Metrics
This role grants specific access to view usage metrics for the Calico Cloud account.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | view |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
Image Assurance Admin
This role provides administrative control specifically over the Image Assurance feature, including configuring registries, policies, and viewing scan results.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | view, edit |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | - |
Dashboards Admin
This role grants administrative permissions specifically for creating, managing, and sharing custom dashboards within Calico Cloud.
Feature | Permission Level |
---|---|
Service Graph and Flow Visualizer | - |
Policies | - |
Nodes and Endpoints | - |
Network Sets | - |
Managed Clusters | - |
Compliance Reports | - |
Timeline | - |
Alerts | - |
Kibana | - |
Image Assurance | - |
Manage Team | - |
Usage Metrics | - |
Threat Feeds | - |
Web Application Firewall | - |
Container Threat Detection | - |
Dashboards | view, edit |
Add your own identity provider
Calico Cloud works with any identity provider that supports OpenID Connect, such as Okta, Google, and Azure AD.
To add an identity provider, open a Support ticket.
Azure AD requirements
To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to https://auth.calicocloud.io/login/callback.
Enable "ID Token" for implicit flows.
Add the following Microsoft Graph API delegated permissions:
- User.Read
- OpenId permissions:
  - openid
  - profile