Konnect teams and roles

Uses: Konnect Platform

Access precedence

Users can be part of any number of teams, and the roles gained from the teams are additive. For example, if you add a user to both the Service Developer and Portal Viewer teams, the user can create and manage Services through API Products and register applications through the Dev Portal.

If two roles provide access to the same entity, the role with more access takes effect. For example, if you have the Service Admin and Service Deployer roles on the same Service, the Service Admin role takes precedence.

Geographic region assignment

Teams and roles can be assigned to a specific geographic region in Konnect. Those teams and roles only access Konnect objects, such as Services, that are also located in the same geo they are assigned to.

Teams

A team is a group of users with access to the same roles. Teams are useful for assigning access by functionality, where they can provide granular access to any group of Konnect resources based on roles.

You can create and manage teams by navigating to Organization > Teams in Konnect.

Predefined teams

All new and existing organizations in Konnect have predefined default teams. The default teams can’t be modified or deleted.

Team	Description
Analytics Admin	Users can fully manage all Analytics content, which includes creating, editing, and deleting reports, as well as viewing the analytics summary. They also have roles for Dashboard Creator, Dashboard Admin (for all instances), Report Creator, and Report Admin (for all instances).
Analytics Viewer	Users can view the Analytics summary and report data. They also have roles for Dashboard Viewer and Report Viewer for all instances.
Organization Admin	Users can fully manage all entities and configuration in the organization. In addition to users granted the Organization Admin role, each organization also has one Owner, who always has this role and is the only user who can delete the organization.
Organization Admin (Read Only)	Users can view all entities and configuration in the organization.
Portal Admin	Users can fully manage all Dev Portal content, which includes Konnect service pages and supporting content, as well as Dev Portal configuration and Service connections. To manage app registration requests, members must also be assigned to the Admin or Maintainer roles for the corresponding Services.
API Product Admin	Users can create and manage API products, including publishing API product versions to Dev Portal and enabling application registration. API Product roles only apply to classic Dev Portals (v2). We recommend migrating to the new Dev Portal (v3) and using Catalog API roles instead.
API Product Developer	Users can create and manage versions of API products. API Product roles only apply to classic Dev Portals (v2). We recommend migrating to the new Dev Portal (v3) and using Catalog API roles instead.
Control Plane Admin	Users can create and manage Control Planes.

Create a custom team

Custom teams let organizations manage user access by grouping roles and permissions.

Any user added to a custom team automatically inherits all roles assigned to that team.

To create and configure a custom team:

Create the team
Send a POST request to the /teams endpoint with the name and description in the request body. Save the team_id from the response.
Assign roles to the team
Send a POST request to the /assigned-roles endpoint to grant the team specific roles.
Add users to the team
To give a user access to the team’s roles, you must assign them to the team.
Send a POST request to the /users endpoint. Users can belong to multiple teams and inherit roles from each.
(Optional) Enable group-to-team mappings
If single sign-on (SSO) is enabled, you can configure Konnect to automatically map users to teams based on group claims from your IdP. To do this, send a PUT request to the /team-mappings endpoint with team_ids in the request body.

Dev Portal custom teams

You can use custom Konnect to create Dev Portal teams for common Dev Portal personas. The following table details the Dev Portal roles you can assign to each custom team:

Persona	Custom team description	Dev Portal roles
API Platform Owner	An API Platform Owner has full access to create, configure, and delete resources related to APIs, Portals, and Applications.	Portal Creator Portal Admin Application Auth Strategy Creator Application Auth Strategy Maintainer DCR Provider Creator DCR Provider Maintainer API Creator API Admin API Publisher
API Security Owner	An API Security Owner can create, update, and delete auth strategies used between APIs and Applications.	Application Auth Strategy Creator Application Auth Strategy Maintainer DCR Provider Creator DCR Provider Maintainer
Portal Owner	A Portal Owner has full access to configure a Dev Portal and manage applications in a Dev Portal.	Portal Admin for a specific Dev Portal Application Auth Strategy Viewer for a specific auth strategy API Viewer for APIs they can approve access to (optional) API Publisher for specific APIs
Portal Maintainer	A Portal Maintainer has full access to configure a Dev Portal and manage applications in a Dev Portal. They cannot delete the Dev Portal.	Portal Admin for a specific Dev Portal Application Auth Strategy Viewer for a specific auth strategy API Viewer for APIs they can approve access to (optional) API Publisher for specific APIs
API Owner	An API Owner has full access to define, configure, and publish an API to Dev Portal(s) and approve registrations for the API.	Application Auth Strategy Viewer for a specific auth strategy API Admin for specific APIs API Publisher for specific APIs API Approver for specific APIs Portal Viewer {portalId} (for Dev Portals they can publish or approve registrations in)
API Maintainer	An API Maintainer has full access to define, configure, and publish an API to Dev Portal(s) and approve registrations for the API. They cannot delete the API.	Application Auth Strategy Viewer for a specific auth strategy API Maintainer for specific APIs API Publisher for specific APIs API Approver for specific APIs Portal Viewer for a specific Dev Portal
Portal Content Editor	The Portal Content Editor can create, update, and delete pages and other content in a Dev Portal.	Portal Content Editor for a specific Dev Portal

Roles

Roles predefine access to a particular resource, or instances of a particular resource type (for example, Catalog API roles can be scoped to a particular API or all APIs while Control Plane roles can be scoped to a particular Control Plane or all Control Planes).

You can manage a user’s roles by navigating to Organization > Users in Konnect and clicking the Role Assignments tab for a user.

Predefined roles

Konnect provides the following predefined roles.

Note: To publish API products to a classic Dev Portal, you need at least a Viewer role for Dev Portal in addition to the API Products Publisher role.

Application auth strategies

The following table describes the predefined roles for application auth strategies:

Role	Description	CRUD permissions
`Creator`	Create new app auth strategies.	Create auth strategies. Read and list auth strategies.
`Maintainer`	Edit one or all app auth strategies.	Edit, delete, read, and list auth strategies.
`Viewer`	Read-only access to one or all app auth strategies.	Read and list auth strategies.

Auth servers

The following table describes the predefined roles for Kong Identity authorization servers:

Role	Description	CRUD permissions
`Admin`	Access to all read and write permissions related to an Authorization Server.	Create, edit, delete, read, and list auth servers.
`Viewer`	Access to all read permissions related to an Authorization Server.	Read and list auth servers.

APIs

The following table describes the predefined roles for Catalog APIs. Read, edit, and delete access is granted per-API. Only the create and list permissions are granted at the org level.

Role	Description	CRUD permissions
`Creator`	Access to create new API in Konnect. The creator becomes an admin of the API they create.	Create and list APIs.
`Admin`	Admin of an existing API, providing ability to read and edit configuration, view API analytics, and delete the API.	Read, edit, delete, and list APIs.
`Maintainer`	Access to read and edit configuration of an API and view analytics of an API.	Read, edit, and list APIs.
`Viewer`	Read-only access to an API configuration and analytics.	Read and list APIs.
`Publisher`	Access to publish an API to visible portals.	Read, list, and publish APIs.
`Registration Approver`	Access to approve an API registration request.	Read, list, and grant access to APIs.

Audit logs

The following table describes the predefined roles for audit logs:

Role	Description
`Admin`	This role grants full write access to the Audit log configuration.

Catalog

The following table describes the predefined roles for Catalog:

Role	Description	CRUD permissions
`Discovery Admin`	Can read and create discovery ingestion jobs and fully manage suggestion rules, suggested actions and resources.	Read and list integration instances. List integrations. Read and list integration auth credentials. Create and read discovery ingestion jobs. List resource actions. Read, list, create, edit, delete and test discovery suggestion rules. Read, list and edit discovery suggested actions. Read, list, create, edit and ingest resources.
`Discovery Viewer`	Access to read-only permissions for discovery.	Read and list integration instances. List integrations. Read and list integration auth credentials. Read and create discovery ingestion jobs. List resource actions. Read and list discovery suggestion rules. Read and list discovery suggested actions. Read and list resources.
`Integration Admin`	Can view and edit all integrations (install/authorize).	Read, list, create, edit, and delete integrations. Read, list, create, and delete auth credentials.
`Integration Viewer`	Access to read-only permissions to integrations.	Read and list integrations. Read and list integration auth credentials.
`Scorecard Viewer`	Access read-only permissions related to Scorecards.	Read and list integrations. Read and list integration auth credentials. List criteria templates. Read and list scorecards.
`Scorecard Admin`	Can view and edit a select list of Catalog services, map resources to those services, manage all resources, and has read-only access to all integrations and integration instances.	Read and list integrations. Read and list integration auth credentials. List scorecard and criteria templates. List, read, create, edit, and delete scorecards.
`Service Admin`	Can view and edit a select list of services, map resources to those services, and manage all resources and discovery rules.	Read, edit, delete, and list Catalog services. Read and list integrations. Read and list integration auth credentials. Create, edit, read, delete, and list documents. Create, edit, read, delete, list, and preview API specs. List and read events. Create, edit, read, delete, and list resources. List and read scorecards. List criteria templates.
`Service Creator`	Can create new Catalog services, becomes the Service Admin for any service they create, and can view and edit all resources. Includes read-only access to all integrations and integration instances. This role does not grant access to existing services or their configurations. See the `Service Admin` role. This role does not grant write access to integration instances. See the `Integration Admin` role.	Create and list Catalog services. Read and list integrations. Read and list integration auth credentials. Edit, read, and list resources. List and read scorecards. List criteria templates.
`Service Viewer`	Can view a select list of services and all resources and discovery rules.	Read and list Catalog services. Read and list integrations. Read and list integration auth credentials. Read and list documents. Read and list API specs. Read and list events. Create, edit, read, delete, and list resources. List and read scorecards. List criteria templates.

Control planes

The following table describes the predefined roles for control planes:

Role	Description	CRUD permissions
`Admin`	This role grants full write access to all entities within a control plane.	Read, list, edit, and delete control planes. Create, read, list, edit, and delete Gateway entity configurations within control planes.
`Certificate Admin`	This role grants full write access to administer certificates.	List and read control planes. Create, read, edit, delete, and list certificates. Create, read, edit, delete, and list CA certificates.
`Cloud Gateway Cluster Admin`	Access to all read and write permissions related to cloud-gateways configurations and custom domains.	Create, read, list, and delete Cloud Gateway configurations. Create, read, list, and delete custom domains.
`Cloud Gateway Cluster Viewer`	Access to read-only permissions to cloud-gateways configurations and custom domains.	Read and list Cloud Gateway configurations. Read and list custom domains.
`Consumer Admin`	This role grants full write access to administer consumers.	List and read control planes. Create, read, edit, delete, and list Consumers. Read and list Partials.
`Creator`	Creates a new Control Plane in an organization. The creator becomes the owner of the Control Plane they create.	Create and list control planes. When creating a control plane, grants the Admin role on newly created Gateway control planes.
`Debug Session Creator`	This role grants access to create debug sessions. This role also grants read-only access to all entities within a control plane.	Create, read, list and delete debug sessions. Read and list control planes and all configurations within them.
`Deployer`	This role grants full write access to administer services, routes and plugins necessary to deploy services in Service Catalog.	List and read control planes. Create, read, edit, delete, and list plugins and custom plugins. Create, read, edit, delete, and list Routes.
`Event Gateways Creator`	Access to create a new event gateway in Event Gateway Manager. The creator becomes the owner of the event gateway they create, gaining admin access to the new event gateway. This role does not grant access to existing event gateways, their runtime instances, or their configurations.	Create and list Event Gateways. When creating an Event Gateway, grants the Event Gateways Admin role on newly created Event Gateways.
`Event Gateways Admin`	Owner of an existing event gateway. The owners have all write access related to an event gateway, the gateway’s runtime instances, and its configuration.	Edit, read, list, and delete existing Event Gateway control planes. Create, edit, read, list, and delete Event Gateway entity configurations within control planes.
`Event Gateways Viewer`	Read-only access to all the configurations of an event gateway and its runtime instances.	Read and list Event Gateways and all of their configurations.
`Gateway Service Admin`	This role grants full write access to administer gateway services.	List and read control planes. Create, read, edit, delete, and list plugins and custom plugins. Create, read, edit, delete, and list Partials.
`Key Admin`	Full write access to administer keys.	List and read control planes. Create, read, edit, delete, and list keys.
`Plugin Admin`	This role grants full write access to administer plugins.	List and read control planes. Create, read, edit, delete, and list plugins and custom plugins. Create, read, edit, delete, and list Partials.
`Route Admin`	This role grants full write access to administer routes.	List and read control planes. Create, read, edit, delete, and list plugins and custom plugins. Create, read, edit, delete, and list Routes. Create, read, edit, delete, and list Partials.
`Serverless Cluster Admin`	Access to all read and write permissions related to serverless cloud-gateways configurations.	Create, read, list, and delete Serverless Gateway configurations.
`Serverless Cluster Viewer`	Access to read-only permissions related to serverless cloud-gateways configurations.	Read and list Serverless Gateway configurations.
`SNI Admin`	This role grants full write access to administer SNIs.	List and read control planes. List and read certificates. Create, read, edit, delete, and list SNIs.
`Upstream Admin`	This role grants full write access to administer upstreams.	List and read control planes. Create, read, edit, delete, and list Upstreams. Create, read, edit, delete, and list Targets. List certificates.
`Vault Admin`	Full write access to administer Vaults.	List and read control planes. Create, read, edit, delete, and list Vaults. Create, read, edit, delete, and list config stores.
`Viewer`	This role grants read only access to all entities within a control plane.	Read and list control planes and all configurations within them.

Dashboards

The following table describes the predefined roles for Observability dashboards:

Role	Description	CRUD permissions
`Admin`	Allows users to edit, delete, and share a Dashboard in Konnect Analytics.	List, read, edit, and delete dashboards.
`Creator`	Allows users to create a new Dashboard in Konnect Analytics.	Create and list dashboards.
`Editor`	Allows users to edit a Dashboard in Konnect Analytics.	List, edit, and read dashboards.
`Viewer`	Allows users to view a Dashboard in Konnect Analytics.	List and read dashboards.

DCR

The following table describes the predefined roles for dynamic client registration (DCR):

Role	Description	CRUD permissions
`Creator`	Create new DCR providers.	Create and read DCR providers
`Maintainer`	Edit one or all DCR providers.	Edit, delete, and read DCR providers
`Viewer`	Read-only access to one or all DCR providers.	Read DCR providers

Identity

The following table describes the predefined roles for identity:

Role	Description	CRUD permissions
`Admin`	This role grants full write access to the Identity configuration.	Read, list, and update organization configurations Read, list, and update IdP configurations Create, update, and delete users Read, list, and revoke user tokens (PATs) Create, update, and delete teams Create, update, and delete system accounts Create, read, list, update, and delete system account tokens Read, list, update roles for users, teams, and system accounts

MCP registry

The following table describes the predefined roles for MCP registries:

Role	Description	CRUD permissions
`Admin`	Admin of an existing MCP registry, providing ability to read and edit configuration, view MCP registry analytics, and delete the MCP registry.	List, read, edit, and delete MCP registries. Create, edit, list, read, and delete MCP server versions.
`Creator`	Access to create new registries and server versions in Konnect. The creator becomes an admin of the registry they create.	Create and list MCP registries. Create, edit, list, and read MCP server versions.
`Publisher`	Access to publish MCP server versions to a registry.	List and read MCP registries. Create, edit, list, and read MCP server versions.
`Viewer`	Read-only access to an MCP registry configuration.	List and read MCP registries. List and read MCP server versions.

Mesh control planes

The following table describes the predefined roles for Kong Mesh:

Role	Description	CRUD permissions
`Admin`	This role grants full write access to the related to Mesh control planes.	Create, list, read, update, delete, and connect zones for Mesh control planes.
`Connector`	This role grants a mesh zone to connect to the mesh control plane in Konnect.	Connect zones.
`Creator`	This role grants access to create new Mesh control planes.	List and create Mesh control planes.
`Viewer`	This role grants access to read-only permissions to Mesh control planes.	Read and list Mesh control planes.

Metering & Billing

The following table describes the predefined roles for Metering & Billing:

Role	Description	CRUD permissions
`Ingest`	Ingests events only (intended only for machines).	Ingest events.
`Admin`	Can read and write every resource. Includes billing apps, billing profiles, and notifications.	Create, list, read, query, update, and delete every resource.
`Metering Admin`	Can write any metering resources (includes meters and events).	List, read, and query meters. List events.
`Metering Viewer`	Can read any metering resources (includes meters and events).	Create, list, read, query, update, and delete meters. List and ingest events.
`Product Catalog Admin`	Can write any Product Catalog resources (includes plans, features, and rate cards).	Create, list, read, and delete features. Create, list, read, update, delete, publish, and archive plans. Create, list, read, update, delete, publish, and archive add-ons.
`Product Catalog Viewer`	Can read any Product Catalog resources (includes plans, features, and rate cards).	List and read features. List and read plans. List and read add-ons.
`Billing Admin`	Can read and write customer, subscription, entitlement, and invoice resources.	Create, list, read, update, delete, and migrate subscriptions and their add-ons. Create, list, read, update, and delete customers. Create, list, read, update, delete, and trigger events on invoices. Create, list, read, update, and delete billing profiles. Create, list, read, update, and delete entitlements.
`Billing Viewer`	Can read customer, subscription, entitlement, and invoice resources.	Read and list subscriptions and their add-ons. Read and list customers. Read and list and trigger events on invoices. Read and list billing profiles. Read and list entitlements.

Networks

The following table describes the predefined roles for Dedicated Cloud Gateway networks:

Role	Description	CRUD permissions
`Network Admin`	Access to all read and write permissions related to a network.	Read and list provider accounts. Read, list, edit, and delete networks. Attach transit gateways and data plane groups for networks. Create, edit, read, delete, and list transit gateways. Create, edit, read, delete, and list private DNS configs.
`Network Creator`	Access to creating networks.	Deploy, read, and list provider accounts. Create networks.
`Network Viewer`	Access to read-only permissions to networks.	Read and list provider accounts. Read, list, and connect data plane groups for networks. Read and list transit gateways.

Portals

The following table describes the predefined roles for Dev Portal:

Role	Description	CRUD permissions
`Admin`	Owner of an existing Dev Portal instance. The owner has full write access related to any developers and applications in the organization. This role has the ability to approve, revoke, and delete application registrations.	Read, edit, list and delete Dev Portals List, create, read, edit, and delete applications List, create, read, edit, and delete developers Create, edit, delete, read, and list teams Add and remove a role to teams, list roles in teams Add, remove, and list developers from teams Create, edit, delete, read, and list API versions Publish to Dev Portal Grant API access
`Appearance Maintainer`	Access the Portal instance and edit its appearance.	Read and list Dev Portals
`Creator`	Create new Portals.	Create, read, and list Dev Portals
`Maintainer`	Edit, view, and delete Dev Portal applications, and view developers. This role has the ability to approve, revoke, and delete application registrations.	Read and list Dev Portals List, read, edit, and delete applications List and read developers Create, edit, delete, read, and list API versions Edit Dev Portal appearance Publish to Dev Portal Grant API access
`Product Publisher`	Manage publishing products to a Dev Portal.	Read and list Dev Portals Create, edit, delete, read, and list API versions Publish to Dev Portal
`Viewer`	Read-only access to Dev Portal developers and applications.	Read and list Dev Portals List and read applications List and read developers List and read API versions
`Content Editor`	Edits Dev Portal pages, snippets, and customization.	Read and list Dev Portals Edit pages Edit snippets Edit customization
`API Registration Approver`	Can approve Dev Portal application registrations. This role also requires the Dev Portal Viewer role to view the application registrations within a Dev Portal.	Read and list APIs (permission is granted per API) Grant API access

Reports

The following table describes the predefined roles for Observability reports:

Role	Description	CRUD permissions
`Admin`	Allows users to edit and delete a Report in Konnect Analytics.	List, read, edit, and delete reports.
`Creator`	Allows users to create a new Report in Konnect Analytics.	Create and list reports.
`Editor`	Allows users to edit a Report in Konnect Analytics.	List, edit, and read reports.
`Viewer`	Allows users to view a Report in Konnect Analytics.	List and read reports.

API Products (Classic)

Important: API Product roles only apply to classic Dev Portals (v2). We recommend migrating to the new Dev Portal (v3) and using Catalog API roles instead.

The following table describes the predefined roles for API Products:

Role	Description
`Admin`	This role grants full write access to an API product and its versions.
`Application Registration`	This role grants permission to enable and disable application registration on an API product.
`Creator`	This access is required to create API products. This access is not for creating sub-entities such as versions, API specs, etc.
`Deployer`	This role grants permission to deploy and remove an API product from a control plane.
`Maintainer`	This role grants all write permission to manage an API product and to administer plugins.
`Plugins Admin`	This role grants full write permission to administer plugins.
`Publisher`	This role grants permission to publish an API product to one or more portals.
`Viewer`	Viewer has read-only access to an API product and its sub-entities.

FAQs

What is required to manage users, teams, and roles in Konnect?

You must be part of the Organization Admin team to manage users, teams, and roles.

What is a team in Konnect?

A team is a group of users with access to the same roles. Teams allow assigning access to Konnect resources based on roles.

What is a role in Konnect?

A role defines predefined access to a particular resource or instances of a resource type. For example, API product roles can be scoped to a specific API product or all API products, while Control Plane roles can be scoped to a specific Control Plane or all Control Planes.

Can predefined teams in Konnect be modified or deleted?

No, predefined teams have fixed role sets that cannot be modified or deleted.

I have the API Products Publisher role for the API product I want to publish, why don’t I see any classic Dev Portals that I can publish to?

To publish API products to a classic Dev Portal, you need at least a Viewer role for Dev Portal in addition to the API Products Publisher role.

My team has a Dev Portal, why can’t I see APIs?

You need additional permissions to see APIs. See the Catalog APIs roles for more information.

Why can’t my users create dashboards even though they have the Dashboard Creator, Admin, or Editor role?

To access the underlying data of the dashboard, you’ll also need to assign users with Dashboard creator, Dashboard admin, or Dashboard editor roles to the Analytics Viewer pre-built team.

Note: We are actively working on future improvements that will remove the requirement for most users to be assigned to pre-built teams to access analytics data. Look for these enhancements in upcoming releases.