Teams and Roles

Many organizations have strict security requirements. For example, organizations need the ability to segregate the duties of an administrator to ensure that a mistake or malicious act by one administrator doesn’t cause an outage.

To help secure and govern your environment, Konnect provides the ability to manage authorization with teams and roles. You can use Konnect’s predefined teams for a standard set of roles, or create custom teams with any roles you choose. Invite users and add them to these teams to manage user access.

Teams and roles

You can find a list of all teams in your organization through Organization > Teams in Konnect.

You must be part of the Organization Admin team to manage users, teams, and roles.

Team: A group of users with access to the same roles. Teams are useful for assigning access by functionality, they can provide granular access to any group of Konnect resources based on roles.
Role: Predefined access to a particular resource, or instances of a particular resource type (for example, API product roles can be scoped to a particular API product or all API products whilst control plane roles can be scoped to a particular control plane or all control planes).

When you create a Konnect account, you are automatically added to the Organization Admin team, which is one of the predefined teams in Konnect. Predefined teams have sets of roles that can’t be modified or deleted. Users assigned to a predefined team also can access all geographic regions in your Konnect instance. You can add users to these teams, or create your own custom teams with any of the supported roles.

Access precedence

Users can be part of any number of teams, and the roles gained from the teams are additive. For example, if you add a user to both the Service Developer and Portal Viewer teams, the user can create and manage services through API Products and register applications through the Dev Portal.

If two roles provide access to the same entity, the role with more access takes effect. For example, if you have the Service Admin and Service Deployer roles on the same service, the Service Admin role takes precedence.

Geographic region assignment

Teams and roles can be assigned to a specific geographic region in Konnect. Those teams and roles only access Konnect objects, such as services, that are also located in the same geo they are assigned to.

Get started with access management

Manage resource access in your organization with teams and roles
Invite users to join your organization
View the teams reference
View the roles reference