Organizations, spaces, and user roles
This document describes how Cloud Foundry structures projects into organizations and spaces, which user roles are available at each of these levels, and what permissions those roles have. After reading this document, you will know what organizations and spaces are and which user roles can work with them.
For more detailed information about organizations, spaces, and user roles, see the official Cloud Foundry documentation.
Organizations & spaces
An organization (org for short) and its spaces help you map your organizational structure to the Cloud Foundry resources you own.
A STACKIT project can own multiple orgs, and just like with a STACKIT project, you can assign multiple user accounts to own and use the orgs. An organization shares a resource quota plan and all applications, services, and domains created within that organization. An organization can have multiple spaces.
Spaces are the units where you actually deploy your applications and services. Every application, service, and route is assigned to a space and can be used by other artifacts in that space. Org managers can assign different quotas to spaces within an organization. Some user roles, such as the space developer, grant access only to a specific space within an organization.
When you create a new organization, you are assigned the role of organization manager. During org creation, you can also directly assign spaces within the org, and you can change this later. You can add additional user accounts to your organization and spaces with various other roles and permissions to work with the resources provided there.
Organizations and spaces are only virtual entities and have no real physical representation. They are encapsulated by role-based access control. This way, you can use orgs and spaces in whatever way best fits your organizational structure, for example:
- The org as a representation of an application, with spaces representing the environments of that application
- The org as an environment of a microservice architecture, with spaces as the individual services
- The org as a team or department, with spaces as the individual products they are working on
- etc.
User roles
User roles are a collection of specific permissions and rights that can be assigned to a user. A user role is (apart from platform administrator accounts) always limited to a specific organization or space. Users can have one or more roles and thus access one or more organizations or spaces.
The following describes the different types of user roles in Cloud Foundry:
- Org Manager: Owner of an organization with permission to add and remove other users and spaces, as well as set quota limits for spaces.
- Org Auditors: Read-only access to user information and information about org quota usage.
- Space Managers: Owner of a space within an organization, can add and remove other users within that space.
- Space Developers: Manage applications, services, and service brokers related to a space.
- Space Auditors: Read-only access to a space.
- Admin: Superclass of several user roles, associated with the platform team to perform operational actions on all orgs and spaces in Cloud Foundry.
You must be an org manager or space manager to assign these user roles to other users. The admin roles are only granted to the Cloud Foundry platform team.
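The scoping rules above can be checked with a small access-review model. This is an added example, not STACKIT or Cloud Foundry code: the permission names, users, orgs, and spaces are constructed for illustration, and the platform-only Admin role is left out.

```python
# Added example: a model of the role scoping described on this page.
# Permission names and the sample assignments are constructed for illustration.
PERMS = {
    "Org Manager":     ("org",   {"manage_users", "manage_spaces", "set_quotas"}),
    "Org Auditor":     ("org",   {"read_org"}),
    "Space Manager":   ("space", {"manage_users"}),
    "Space Developer": ("space", {"manage_apps"}),
    "Space Auditor":   ("space", {"read_space"}),
}

# Constructed assignments: (user, role, org, space); space is None for org roles.
ASSIGNMENTS = [
    ("alice", "Org Manager",     "shop",    None),
    ("bob",   "Space Developer", "shop",    "dev"),
    ("bob",   "Space Auditor",   "shop",    "prod"),
    ("carol", "Space Manager",   "shop",    "prod"),
    ("dave",  "Org Auditor",     "shop",    None),
    ("erin",  "Space Developer", "billing", "prod"),
]

def permissions(user, org, space=None, assignments=ASSIGNMENTS):
    """Union of permissions `user` holds in `org` (and `space`, if given)."""
    granted = set()
    for who, role, role_org, role_space in assignments:
        scope, perms = PERMS[role]
        if who != user or role_org != org:
            continue  # a role never applies outside its own org
        if scope == "org" or role_space == space:
            granted |= perms  # org roles cover the org; space roles one space
    return granted

def allowed(user, action, org, space=None, assignments=ASSIGNMENTS):
    """True if `user` may perform `action` in the given org/space."""
    return action in permissions(user, org, space, assignments)

def who_can(action, org, space=None, assignments=ASSIGNMENTS):
    """Access review: every user holding `action` in the given scope."""
    users = {who for who, *_ in assignments}
    return sorted(u for u in users if allowed(u, action, org, space, assignments))

if __name__ == "__main__":
    print("deploy to shop/prod:", who_can("manage_apps", "shop", "prod"))
    print("assign roles in shop/prod:", who_can("manage_users", "shop", "prod"))
    print("deploy to shop/dev:", who_can("manage_apps", "shop", "dev"))
```

Running the review per space shows that a Space Developer role in one space gives no rights in a sibling space or in a same-named space of another org.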
Further information
- The Cloud Foundry documentation on orgs, spaces, roles and permissions
- Abbreviations and vocabulary
- Containers and buildpacks
- Requirements for applications