Skip to main content
Every user in a project has a role that controls what they can see and do. There are five roles across two scopes: one account-level role and four project-level roles.

Role comparison

CapabilityClient AdministratorProject AdministratorProject UserInternal Network Only UserProject Observer
ScopeAccountProjectProjectProjectProject
Manage projects
Invite and manage users
Reservation cost report
Cost reports and audit logsAll projectsThis projectThis projectThis projectThis project
Read account quotas
Create, edit, delete resourcesRestricted
Read resources
Public network access

Client Administrator

Scope: Account The only account-level role. A Client Administrator can manage all projects across the account and invite users to any project, assigning roles up to and including Client Administrator. They have full access to all Cloud resources in every project, all cost reports (including the reservation cost report), audit logs, and resource reservations.

Project-level roles

The following roles are assigned per project. A user can have different roles in different projects.

Project Administrator

Scope: Project Manages a project and its users. Can invite users and assign roles up to Project Administrator level. Has full read/write access to all Cloud resources in the project, plus cost reports and audit logs for that project.

Project User

Scope: Project Works within a project without managing user access. Resource permissions are identical to Project Administrator — the only difference is that Project User cannot invite or manage other users.

Project Internal Network Only User

Scope: Project Designed for isolated private environments where access to the public internet must be prevented. This role cannot:
  • Create resources with a public IP address (Virtual Machines, Bare Metal, GPU Cloud, Load Balancers, Managed Kubernetes)
  • Use floating IP addresses
  • Attach a public IP to any existing resource
Within these restrictions, the role has read/write access to Virtual Machines, Bare Metal, Volumes, Snapshots, File Shares, GPU Cloud, Function as a Service, Managed Logging, Images, SSH Keys, Networks, Firewalls, and Load Balancers. Managed Kubernetes and Container as a Service are read-only.

Project Observer

Scope: Project Read-only access to the project. Can view all Cloud resources, cost reports, and audit logs but cannot create, edit, or delete anything.