Roles

Roles define the concrete permissions granted to users, they reference a policy and optionally provide parameters that specify what resources that policy applies to.

A role with the policy pull and the parameters repo: mycustomer, image: * grants the ability to pull any images from the repo mycustomer in your registry
e.g. MY_SUBDOMAIN.ctr.dev/mycustomer/*

Creating a role

Dashboard under Access > Manage roles > Create role.
API with POST /api/v1/iam/{project_id}/roles
Also a guided flow for creating identities with push/pull roles is available on the Registry dashboard page under Pull an image or Push an image.

Listing roles

Dashboard under Access > Manage roles.
API with GET /api/v1/iam/{project_id}/roles

Updating roles

Dashboard under Access > Manage roles > Edit.
API with PATCH /api/v1/iam/{project_id}/roles/{role_name}

Deleting a role

Dashboard under Access > Manage roles > Delete.
API with DELETE /api/v1/iam/{project_id}/roles/{role_name}

Assign role membership

Dashboard under Access > Manage access > [select access] > Assign to user.
API with POST /api/v1/iam/{project_id}/roles/{role_name}/members

Remove role membership

Dashboard under Access > Manage access > [select access] > [click user count] > Revoke role.
API with DELETE /api/v1/iam/{project_id}/roles/{role_name}/members/{identity_id}

List role members

Dashboard under Access > Manage access > [select access] > [click user count].
API with GET /api/v1/iam/{project_id}/roles/{role_name}/members

Searching roles

API with POST /api/v1/iam/{project_id}/search/roles

Searching roles allows you to find all roles that grant policies with parameter values. Results will contain roles that grant at least the configured access. i.e. If you search for pull policy roles with repo: foo it will also return all pull policy roles with repo: * (since that is inclusive of the searched permissions)