Upbound RBAC

This guide provides an overview of role-based access control (RBAC) in Upbound. RBAC lets you control access to your Upbound resources and control planes based on the roles of individual users in your organization.

Tip
To learn how to manage access to resources in a control plane, read the documentation on authorizing actions on resources in control planes

Enable Upbound RBAC

Note
This section only applies to administrators who’ve deployed a self-hosted Space.

For administrators who have deployed self-hosted Spaces, you can enable Upbound RBAC at install or upgrade time. Configure the feature in the Spaces helm chart:

--set "features.alpha.upboundRBAC.enabled=true"

Upbound RBAC is enabled by default in Upbound Cloud Spaces.

Authorize access to control plane group resources

Roles

Upbound RBAC roles define sets of permissions with three built-in roles at the group level:

  • Admin
  • Editor
  • Viewer

These roles apply at three levels:

  • Organization
  • Control Plane Groups
  • Control Planes

Upbound RBAC roles have either read-only or read/write access for features. Review the table for permissions for each role:

A table with RBAC permissions

View group role permissions

  1. On the Control Planes screen in the Console, select which Space and group context you wish to be in.
  2. Select the Settings pane of the control plane group.
  3. In the Team access card of the settings page, view the teams and their permissions for this group.

Use the up CLI to set your kubecontext to the desired Space, then run the following:

kubectl get objectrolebindings    
NAME            AGE
default-zcntk   14s

Each role permission granted to a team gets represented with an objectrolebinding Space API resource.

Assign group role permissions

  1. On the Control Planes screen in the Console, select which Space and group context you wish to be in.
  2. Select the Settings pane of the control plane group view.
  3. Select Add Teams
  4. Select which role you wish to grant.
  5. Select which teams you wish to apply the role to, then select the Add Selected to Group button.

Use the up CLI to set your kubecontext to the desired Space, then create an objectrolebinding. The example below gives control plane group editor access to the UpboundTeam with the UUID of 918a6338-abbe-420d-81cf-9e87642a87c6:

apiVersion: authorization.spaces.upbound.io/v1alpha1
kind: ObjectRoleBinding
metadata:
  name: my-binding
  namespace: ctp-group-1
spec:
  object:
    apiGroup: core
    resource: namespaces
    name: ctp-group-1
  subjects:
  - kind: UpboundTeam
    name: 918a6338-abbe-420d-81cf-9e87642a87c6
    role: editor

Delete group role permissions

  1. On the Control Planes screen in the Console, select which Space and group context you wish to be in.
  2. Select the Settings pane of the control plane group view.
  3. Select the settings button on the right side the team you wish to delete.
  4. Select Remove

Use the up CLI to set your kubecontext to the desired Space, then delete the desired objectrolebinding. The example below deletes the permission created in the previous section:

kubectl delete objectrolebinding default-zcntk                        
objectrolebinding.authorization.spaces.upbound.io "default-zcntk" deleted
Upbound
Crafted with love from our globally distributed team.
© 2025 Upbound, Inc.
Product
Upbound
Universal Crossplane
Marketplace
Request Demo
Partner Program
Learn
Documentation
FAQs
Company
About Us
Careers
Blog
Contact Us
More
Terms & Conditions
Privacy Policy