Konnect teams and roles

Incompatible with: on-prem

To help secure and govern your environment, Konnect provides the ability to manage authorization with teams and roles. You can use Konnect’s predefined teams for a standard set of roles, or create custom teams with any roles you choose. Invite users and add them to these teams to manage user access.

You must either be a member of the Organization Admin team, or be assigned the Identity Admin role, to manage users, teams, and roles.

Note: If the Okta integration is enabled, Konnect users and teams become read-only. An organization admin can view all registered users in Konnect, but cannot edit their team membership from the Konnect side. To manage automatically-created users, adjust user permissions through Okta, or adjust team mapping.

Access precedence

Users can be members of any number of teams, and the roles gained from those teams are additive: a user's effective access is the union of every role on every team they belong to. For example, if you add a user to both the Service Developer and Portal Viewer teams, the user can create and manage Services through API Products and register applications through the Dev Portal. Because access is only ever added, there are no deny rules: adding a user to a more restrictive team does not remove access they hold through another team.

If two roles provide access to the same entity, the role with more access takes effect. For example, if you have both the Service Admin and Service Deployer roles on the same Service, the Service Admin role takes precedence.

Geographic region assignment

Teams and roles can be assigned to a specific geographic region in Konnect. A team or role assigned to a region grants access only to Konnect objects, such as Services, that are located in that same region.

Teams

A team is a group of users with access to the same roles. Teams are useful for assigning access by functionality, where they can provide granular access to any group of Konnect resources based on roles.

You can create and manage teams by navigating to Organization > Teams in Konnect.

Predefined teams

All new and existing organizations in Konnect have predefined default teams. The default teams can’t be modified or deleted.

Analytics Admin: Users can fully manage all Analytics content, which includes creating, editing, and deleting reports, as well as viewing the analytics summary.
Analytics Viewer: Users can view the Analytics summary and report data.
Organization Admin: Users can fully manage all entities and configuration in the organization. In addition to users granted the Organization Admin role, each organization also has one Owner, who always has this role and is the only user who can delete the organization.
Organization Admin (Read Only): Users can view all entities and configuration in the organization.
Portal Admin: Users can fully manage all Dev Portal content, which includes Konnect service pages and supporting content, as well as Dev Portal configuration and Service connections. To manage app registration requests, members must also be assigned the Admin or Maintainer role for the corresponding Services.
API Product Admin: Users can create and manage API products, including publishing API product versions to Dev Portal and enabling application registration.
API Product Developer: Users can create and manage versions of API products.
Control Plane Admin: Users can create and manage Control Planes.

Note: API Product roles, and therefore the API Product Admin and API Product Developer teams, only apply to classic Dev Portals (v2). We recommend migrating to the new Dev Portal (v3) and using Catalog API roles instead.

Create a custom team

Custom teams let organizations manage user access by grouping roles and permissions.

Any user added to a custom team automatically inherits all roles assigned to that team.

To create and configure a custom team:

  1. Create the team
    Send a POST request to the /teams endpoint with the team's name and description in the request body. Save the team ID (team_id) from the response; the remaining steps use it.

  2. Assign roles to the team
    Send a POST request to the team's /assigned-roles endpoint for each role you want to grant. A role assignment names the role and the entity type, and is scoped either to a single entity or to all entities of that type.

  3. Add users to the team
    A user gains a team's roles only once they are assigned to the team. Send a POST request to the team's /users endpoint for each user. Users can belong to multiple teams and inherit the roles of each.

  4. (Optional) Enable group-to-team mappings
    If single sign-on (SSO) is enabled, you can configure Konnect to map users to teams automatically based on group claims from your IdP. To do this, send a PUT request to the /team-mappings endpoint with the team_ids for each group in the request body.
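The four steps above, together with the additive-access rule from "Access precedence", as one added Python example. This is not Kong's code or a Konnect SDK: it wraps the endpoints the page names with urllib, and the base URL, the v3 path prefix, and the request and response field names (name, description, id, role_name, entity_type_name, entity_id, entity_region, mappings, group, team_ids) are assumed from the Konnect Identity API. The control plane, user and IdP group identifiers in the live run are placeholders. The `send` function is injectable so the request sequence can be exercised without network access.

```python
"""Provision a Konnect custom team end to end (create team, assign roles,
add a user, map an IdP group) and audit a user's effective roles.

Added example, not Kong's code. Endpoint paths and field names are assumed
from the Konnect Identity API (v3)."""
import json
import os
import urllib.request
from typing import Callable, Optional

# Assumed: the global API host and v3 prefix under which /teams lives.
BASE_URL = "https://global.api.konghq.com/v3"

Sender = Callable[[str, str, Optional[dict]], dict]


def http_sender(token: str) -> Sender:
    """Real transport: one HTTPS call per request, bearer-token auth."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            BASE_URL + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:  # raises on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class KonnectTeams:
    def __init__(self, send: Sender):
        self.send = send

    def create_team(self, name: str, description: str) -> str:
        # Step 1: POST /teams. Assumed: the new team's identifier comes back
        # as "id"; this is the team_id the later steps need.
        resp = self.send("POST", "/teams", {"name": name, "description": description})
        return resp["id"]

    def assign_role(self, team_id: str, role_name: str, entity_type_name: str,
                    entity_id: str = "*", entity_region: str = "*") -> dict:
        # Step 2: POST /teams/{team_id}/assigned-roles. entity_id "*" scopes the
        # role to every entity of that type; a concrete id plus its region scopes
        # it to one object in one geo (teams only reach objects in their region).
        body = {"role_name": role_name, "entity_type_name": entity_type_name,
                "entity_id": entity_id, "entity_region": entity_region}
        return self.send("POST", f"/teams/{team_id}/assigned-roles", body)

    def add_user(self, team_id: str, user_id: str) -> dict:
        # Step 3: POST /teams/{team_id}/users. Until this call the user holds none
        # of the team's roles, however many the team itself carries.
        return self.send("POST", f"/teams/{team_id}/users", {"id": user_id})

    def map_idp_group(self, group: str, team_id: str) -> dict:
        # Step 4 (optional): the mapping resource is replaced wholesale by PUT
        # (assumed), so read the current mappings and merge first, or every
        # other IdP group would silently lose its teams.
        current = self.send("GET", "/identity-provider/team-mappings", None).get("data", [])
        merged = {m["group"]: set(m.get("team_ids", [])) for m in current}
        merged.setdefault(group, set()).add(team_id)
        body = {"mappings": [{"group": g, "team_ids": sorted(t)}
                             for g, t in sorted(merged.items())]}
        return self.send("PUT", "/identity-provider/team-mappings", body)

    def effective_roles(self, user_id: str) -> set:
        # Access is additive: a user's permissions are the union of every role on
        # every team they belong to. There is no deny, so membership in a narrow
        # team never removes anything; this audit makes the union visible.
        roles = set()
        for team in self.send("GET", f"/users/{user_id}/teams", None).get("data", []):
            assigned = self.send("GET", f"/teams/{team['id']}/assigned-roles", None)
            for r in assigned.get("data", []):
                roles.add((r["role_name"], r["entity_type_name"],
                           r["entity_id"], r.get("entity_region", "*")))
        return roles


def provision_read_only_cp_team(api: KonnectTeams, cp_id: str, region: str,
                                user_id: str, idp_group: str) -> str:
    """Steps 1-4 for a custom team that may only view one control plane."""
    team_id = api.create_team("cp-readonly-" + region,
                              f"Read-only access to control plane {cp_id}")
    api.assign_role(team_id, "Viewer", "Control Planes", cp_id, region)
    api.add_user(team_id, user_id)
    api.map_idp_group(idp_group, team_id)
    return team_id


if __name__ == "__main__":
    # Live run; needs a personal access token with Organization Admin or
    # Identity Admin rights. The IDs below are placeholders, not real values.
    api = KonnectTeams(http_sender(os.environ["KONNECT_TOKEN"]))
    tid = provision_read_only_cp_team(api, "<control-plane-id>", "us",
                                      "<user-id>", "gateway-readers")
    print(tid, api.effective_roles("<user-id>"))
```

Run it with `KONNECT_TOKEN` set to a personal access token. The audit in `effective_roles` is the practical counterpart to the additive rule: if a user still has more access than intended after being moved to a narrower team, the extra roles come from another team they are still on, and that team is what has to change.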

Dev Portal custom teams

You can use custom Konnect teams to model common Dev Portal personas. The following table lists each persona, the custom team it describes, and the Dev Portal roles to assign to that team:

API Platform Owner: An API Platform Owner has full access to create, configure, and delete resources related to APIs, Portals, and Applications.
  • Portal Creator
  • Portal Admin
  • Application Auth Strategy Creator
  • Application Auth Strategy Maintainer
  • DCR Provider Creator
  • DCR Provider Maintainer
  • API Creator
  • API Admin
  • API Publisher
API Security Owner: An API Security Owner can create, update, and delete auth strategies used between APIs and Applications.
  • Application Auth Strategy Creator
  • Application Auth Strategy Maintainer
  • DCR Provider Creator
  • DCR Provider Maintainer
Portal Owner: A Portal Owner has full access to configure a Dev Portal and manage applications in a Dev Portal.
  • Portal Admin for a specific Dev Portal
  • Application Auth Strategy Viewer for a specific auth strategy
  • API Viewer for APIs they can approve access to
  • (optional) API Publisher for specific APIs
Portal Maintainer: A Portal Maintainer has full access to configure a Dev Portal and manage applications in a Dev Portal. They cannot delete the Dev Portal.
  • Portal Admin for a specific Dev Portal
  • Application Auth Strategy Viewer for a specific auth strategy
  • API Viewer for APIs they can approve access to
  • (optional) API Publisher for specific APIs
API Owner: An API Owner has full access to define, configure, and publish an API to Dev Portal(s) and approve registrations for the API.
  • Application Auth Strategy Viewer for a specific auth strategy
  • API Admin for specific APIs
  • API Publisher for specific APIs
  • API Approver for specific APIs
  • Portal Viewer for the Dev Portals they can publish to or approve registrations in
API Maintainer: An API Maintainer has full access to define, configure, and publish an API to Dev Portal(s) and approve registrations for the API. They cannot delete the API.
  • Application Auth Strategy Viewer for a specific auth strategy
  • API Maintainer for specific APIs
  • API Publisher for specific APIs
  • API Approver for specific APIs
  • Portal Viewer for a specific Dev Portal
Portal Content Editor: The Portal Content Editor can create, update, and delete pages and other content in a Dev Portal.
  • Portal Content Editor for a specific Dev Portal

Roles

Roles predefine access to a particular resource, or instances of a particular resource type (for example, Catalog API roles can be scoped to a particular API or all APIs while Control Plane roles can be scoped to a particular Control Plane or all Control Planes).

You can manage a user’s roles by navigating to Organization > Users in Konnect and clicking the Role Assignments tab for a user.

Predefined roles

Konnect provides the following predefined roles.

Analytics

The following describes the predefined roles for Analytics:

Dashboard Viewer: Users can view the Analytics summary and report data.
  • Cannot edit dashboards
  • Can apply temporary filters during a session
  • Can only see dashboards they are explicitly granted access to

API Products

Important: API Product roles only apply to classic Dev Portals (v2). We recommend migrating to the new Dev Portal (v3) and using Catalog API roles instead.

The following describes the predefined roles for API Products:

Role Description
Admin

This role grants full write access to an API product and its versions.

Application Registration

This role grants permission to enable and disable application registration on an API product.

Creator

This role is required to create API products. It does not grant permission to create sub-entities such as versions or API specs.

Deployer

This role grants permission to deploy and remove an API product from a control plane.

Maintainer

This role grants all write permissions to manage an API product and to administer its plugins.

Plugins Admin

This role grants full write permission to administer plugins.

Publisher

This role grants permission to publish an API product to one or more portals.

Viewer

Viewer has read-only access to an API product and its sub-entities.

Note: To publish API products to a classic Dev Portal, you need at least a Viewer role for Dev Portal in addition to the API Products Publisher role.

Control Planes

The following describes the predefined roles for Control Planes:

Role Description
Admin

This role grants full write access to all entities within a control plane.

Certificate Admin

This role grants full write access to administer certificates.

Consumer Admin

This role grants full write access to administer consumers.

Creator

This role grants permission to create a new Control Plane in the organization. The creator becomes the owner of the Control Plane they create.

Deployer

This role grants full write access to administer services, routes and plugins necessary to deploy services in Service Hub.

Gateway Service Admin

This role grants full write access to administer gateway services.

Plugin Admin

This role grants full write access to administer plugins.

Route Admin

This role grants full write access to administer routes.

SNI Admin

This role grants full write access to administer SNIs.

Upstream Admin

This role grants full write access to administer upstreams.

Viewer

This role grants read only access to all entities within a control plane.

Audit logs

The following describes the predefined roles for audit logs:

Role Description
Admin

This role grants full write access to the Audit log configuration.

Identity

The following describes the predefined roles for identity:

Role Description
Admin

This role grants full write access to the Identity configuration.

Mesh control planes

The following describes the predefined roles for Mesh:

Role Description
Admin

This role grants full write access to Mesh control planes.

Connector

This role allows a mesh zone to connect to the Mesh control plane in Konnect.

Creator

This role grants access to create new Mesh control planes.

Viewer

This role grants read-only access to Mesh control planes.

Metering & Billing

The following describes the predefined roles for Metering & Billing:

Ingest: Ingests events only (intended only for machines).
Admin: Can read and write every resource. Includes billing apps, billing profiles, and notifications.
Viewer: Can read every resource. Includes billing apps, billing profiles, and notifications.
Metering Admin: Can write any metering resources (includes meters and events).
Metering Viewer: Can read any metering resources (includes meters and events).
Product Catalog Admin: Can write any Product Catalog resources (includes plans, features, and rate cards).
Product Catalog Viewer: Can read any Product Catalog resources (includes plans, features, and rate cards).
Billing Admin: Can read and write customer, subscription, entitlement, and invoice resources.
Billing Viewer: Can read customer, subscription, entitlement, and invoice resources.

Networks

The following describes the predefined roles for networks:

Network Admin: Access to all read and write permissions related to a network.
Network Creator: Access to create networks.
Network Viewer: Read-only access to networks.

Catalog

The following describes the predefined roles for Catalog:

Integration Admin: Can view and edit all integrations (install/authorize).
Integration Viewer: Read-only access to integrations.
Scorecard Viewer: Read-only access to Scorecards.
Scorecard Admin: Can view and edit a select list of Catalog services, map resources to those services, manage all resources, and has read-only access to all integrations and integration instances.
Service Admin: Can view and edit a select list of services, map resources to those services, and manage all resources and discovery rules.
Service Creator: Can create new Catalog services, becomes the Service Admin for any service they create, and can view and edit all resources. Includes read-only access to all integrations and integration instances. This role does not grant access to existing services or their configurations (see the Service Admin role), and does not grant write access to integration instances (see the Integration Admin role).
Service Viewer: Can view a select list of services and all resources and discovery rules.

Catalog APIs

The following describes the predefined roles for Catalog APIs. Read, edit, and delete access is granted per-API. Only the create and list permissions are granted at the org level.

API Creator: Creates APIs at the org level.
  • Create APIs
API Admin: Controls APIs on a per-API level and can list APIs in an org.
  • Read, edit, delete, and list APIs
API Maintainer: Maintains APIs on a per-API level.
  • Read, edit, and list APIs
API Viewer: Reads APIs on a per-API level and can list APIs in an org.
  • Read and list APIs
API Publisher: Views and publishes APIs on a per-API level.
  • Read, list, and publish APIs

Dev Portal

The following describes the predefined roles for Dev Portal:

Admin: Owner of an existing Dev Portal instance. The owner has full write access related to any developers and applications in the organization.
  • Read, edit, list, and delete Dev Portals
  • List, create, read, edit, and delete applications
  • List, create, read, edit, and delete developers
  • Create, edit, delete, read, and list teams
  • Add and remove roles on teams, list roles in teams
  • Add, remove, and list developers in teams
  • Create, edit, delete, read, and list API versions
  • Publish to Dev Portal
Appearance Maintainer: Access the Portal instance and edit its appearance.
  • Read and list Dev Portals
Creator: Create new Portals.
  • Create, read, and list Dev Portals
Maintainer: Edit, view, and delete Dev Portal applications, and view developers.
  • Read and list Dev Portals
  • List, read, edit, and delete applications
  • List and read developers
  • Create, edit, delete, read, and list API versions
  • Edit Dev Portal appearance
  • Publish to Dev Portal
Product Publisher: Manage publishing products to a Dev Portal.
  • Read and list Dev Portals
  • Create, edit, delete, read, and list API versions
  • Publish to Dev Portal
Viewer: Read-only access to Dev Portal developers and applications.
  • Read and list Dev Portals
  • List and read applications
  • List and read developers
  • List and read API versions
Content Editor: Edits Dev Portal pages, snippets, and customization.
  • Read and list Dev Portals
  • Edit pages
  • Edit snippets
  • Edit customization
API Registration Approver: Can approve Dev Portal application registrations. This role also requires the Dev Portal Viewer role to list APIs.
  • Read and list APIs (permission is granted per API)
  • Grant API access

Application auth strategies

The following describes the predefined roles for application auth strategies:

Auth strategy creator: Create new app auth strategies.
  • Create auth strategies
  • Read and list auth strategies
Auth strategy maintainer: Edit one or all app auth strategies.
  • Edit, delete, read, and list auth strategies
Auth strategy viewer: Read-only access to one or all app auth strategies.
  • Read and list auth strategies

DCR

The following describes the predefined roles for dynamic client registration (DCR):

DCR provider creator: Create new DCR providers.
  • Create and read DCR providers
DCR provider maintainer: Edit one or all DCR providers.
  • Edit, delete, and read DCR providers
DCR provider viewer: Read-only access to one or all DCR providers.
  • Read DCR providers

FAQs

Who can manage users, teams, and roles?
You must be a member of the Organization Admin team, or be assigned the Identity Admin role, to manage users, teams, and roles.

What is a team?
A team is a group of users with access to the same roles. Teams allow assigning access to Konnect resources based on roles.

What is a role?
A role defines predefined access to a particular resource or to instances of a resource type. For example, API product roles can be scoped to a specific API product or all API products, while Control Plane roles can be scoped to a specific Control Plane or all Control Planes.

Can predefined teams be modified or deleted?
No. Predefined teams have fixed role sets and cannot be modified or deleted.

What do I need to publish API products to a classic Dev Portal?
To publish API products to a classic Dev Portal, you need at least a Viewer role for Dev Portal in addition to the API Products Publisher role.

Why can't I see APIs?
You need additional permissions to see APIs. See the Catalog APIs roles for more information.
