Workspaces and Access Controls

Overview of access control in the WarpStream web console.

Assigning Roles

The WarpStream web console supports role-based access control. When a user signs up for a wholly new WarpStream account, they are assigned a default role called Admin. This grants them read and write access to any resource in the account. A second Read-only role is created by default, which grants read access to all resources and which initially isn't assigned to any users.

Any user with unlimited read and write access can invite others to their WarpStream account by clicking the "Invite Teammate" button on the Team page. The invitation form includes a dropdown to select which role the teammate should be assigned to when they accept the invitation. Users with unlimited read and write access can also edit existing teammates' roles from the Team page. They can also create new roles and edit existing roles by clicking the "Manage User Roles" button.

Roles and Workspaces

A role specifies the level of access users have in each workspace. A workspace is a logical grouping of resources such as virtual clusters, application keys, and schema registries. Users can switch between workspaces via the dropdown menu on the top left of the console. Only the workspaces that their assigned roles grant access to appear in this menu. Users with unlimited read and write access can manage workspaces by clicking on the dropdown menu's Manage link. They can also manage their account keys. See Secrets Overview for more on account keys. A workspace can only be deleted once all its virtual clusters and schema registries have been deleted.

Currently, a role can grant either admin or read_only access to each workspace. For example, it would be typical for a WarpStream account to contain one workspace called staging and another called production. A role called production_admin might grant admin access to the production workspace. Another role called staging_admin might grant admin access to the staging workspace and read_only access to the production workspace. Users assigned to staging_admin would be able to create and delete resources in the staging workspace, but could only view existing resources in the production workspace. A user assigned to both roles would have admin access in both workspaces because grants are cumulative.
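
The cumulative-grant rule above, worked through as an added example (not WarpStream code, and not a format the console exports): it merges the workspace grants of every role a user holds and lists who ends up with admin access in a given workspace, which is the check to run when reviewing role assignments for least privilege. The dictionary layout and the user names are constructed for illustration; the role and workspace names are the ones used in the paragraph above.

```python
# Added illustration; the data layout is an assumption, not a WarpStream API.
LEVELS = {"read_only": 1, "admin": 2}  # the two access levels the page names

# Constructed sample roles, mirroring the staging/production example above.
ROLES = {
    "production_admin": {"production": "admin"},
    "staging_admin": {"staging": "admin", "production": "read_only"},
}

# Constructed sample user-to-role assignments (hypothetical users).
ASSIGNMENTS = {
    "alice@example.com": ["staging_admin"],
    "bob@example.com": ["staging_admin", "production_admin"],
    "carol@example.com": [],
}


def effective_access(role_names, roles=ROLES):
    """Merge the grants of every assigned role; the highest level per workspace wins."""
    merged = {}
    for name in role_names:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        for workspace, level in roles[name].items():
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r} in role {name}")
            current = merged.get(workspace)
            if current is None or LEVELS[level] > LEVELS[current]:
                merged[workspace] = level
    return merged


def admins_of(workspace, assignments=ASSIGNMENTS, roles=ROLES):
    """List users whose combined roles give admin access to one workspace."""
    return sorted(
        user
        for user, role_names in assignments.items()
        if effective_access(role_names, roles).get(workspace) == "admin"
    )


if __name__ == "__main__":
    for user, role_names in ASSIGNMENTS.items():
        print(user, effective_access(role_names))
    print("production admins:", admins_of("production"))
```

Because grants only accumulate, adding a role can never reduce a user's access; reviewing the merged result per user, rather than each role in isolation, is what reveals who can write to production.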
