Set up users
Authentication
Calico Cloud supports Google Social login and username / password for user authentication.
Roles and authorization
Users can have one or more of the following predefined user roles to access features in the web console. The default permissions align with typical needs for each role.
Owner
The Owner role has the highest level of access and typically corresponds to the account creator.
The Owner role cannot be assigned to new users. The only Owner is the user who created the Calico Cloud account.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view, edit, delete |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
| Manage Team | view, edit |
| Usage Metrics | view |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
| Dashboards | view, edit |
Admin
The Admin role provides broad administrative access for day-to-day configuration and management of Calico Cloud.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view, edit, delete |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
| Manage Team | view, edit |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
| Dashboards | view, edit |
User Admin
The User Admin role has the ability to manage team members and their assigned roles.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Manage Team | view, edit |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Dashboards | - |
Cluster Connection Admin
The Cluster Connection Admin role has administrative capabilities over managed clusters.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | view, edit, delete |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Dashboards | - |
Viewer
The Viewer role provides read-only access to most operational and configuration data within Calico Cloud. It is ideal for users who need visibility without making changes.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view |
| Nodes and Endpoints | view |
| Network Sets | view |
| Managed Clusters | view |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view |
| Web Application Firewall | view |
| Dashboards | view |
DevOps
The DevOps role is designed for users responsible for application deployment, CI/CD integration, and managing network policies and configurations relevant to their applications.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view, edit |
| Compliance Reports | - |
| Timeline | view |
| Alerts | view, edit |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view |
| Dashboards | view |
Security
The Security role focuses on security posture management, including policy definition, threat monitoring, and incident response.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | view |
| Policies | view, edit |
| Nodes and Endpoints | view |
| Network Sets | view, edit |
| Managed Clusters | view |
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
| Dashboards | view |
Compliance
The Compliance role provides focused access to compliance reporting and related policy information, suitable for auditors or compliance officers.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | view |
| Nodes and Endpoints | view |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | view |
| Timeline | - |
| Alerts | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Dashboards | - |
Usage Metrics
This role grants specific access to view usage metrics for the Calico Cloud account.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Manage Team | - |
| Usage Metrics | view |
| Threat Feeds | - |
| Web Application Firewall | - |
| Dashboards | - |
Dashboards Admin
This role grants administrative permissions specifically for creating, managing, and sharing custom dashboards within Calico Cloud.
| Feature | Permission Level |
|---|---|
| Service Graph and Flow Visualizer | - |
| Policies | - |
| Nodes and Endpoints | - |
| Network Sets | - |
| Managed Clusters | - |
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
| Dashboards | view, edit |
Add your own identity provider
Calico Cloud works with any identity provider that supports OpenID Connect, for example Okta, Google, and Azure AD.
To add an identity provider, open a Support ticket.
Azure AD requirements
To add Azure AD as your identity provider, create an Active Directory "App Registration" with a Redirect URI of type "Web" set to https://auth.calicocloud.io/login/callback.
Enable "ID Token" for implicit flows.
Add the following Microsoft Graph API delegated permissions:
- User.Read
- OpenId permissions:
  - openid
  - profile