Skip to main content
Anaconda Platform 7.0.0 is available through a limited early access program. Contact your Anaconda Technical Account Manager (TAM) if you’re interested in adopting the latest version.
Roles define what users can see and do within Anaconda Platform. Anaconda provides several preconfigured roles that cover common use cases, but you can also create custom roles to fit your organization’s specific needs. Roles are constructed by assigning permission levels to different permission categories, which represent specific areas of functionality within Anaconda Platform.

Permission categories

Each permission category is associated with some feature of Anaconda Platform. The available permission categories are:
  • Channels: grants interaction with
  • Default Channel: grants interaction with the user’s default channel
  • Channel Groups: grants interaction with channel groups
  • Channel : grants interaction with channel mirrors
  • Subchannels: grants interaction with subchannels
  • Subchannel Groups: grants interaction with subchannel groups
  • Subchannel Mirrors: grants interaction with subchannel mirrors
  • Artifacts: grants interaction with artifacts
  • CVE: grants interaction with
  • Roles: grants interaction with roles
  • CVE Notifications: grants interaction with channel CVE notifications
  • Audit Logs: (read permissions only) grants admins permissions to download user audit logs report
  • Policy Engine: grants interaction with the policy engine

Permission levels

There are four levels of permissions available for Anaconda Platform:
  • Read: View the associated feature.
  • Write: View and create new assets of the associated feature.
  • Manage: View, create, and edit assets of the associated feature.
  • None: Removes permissions for the associated feature.

Preconfigured roles

Anaconda Platform contains the following preconfigured roles for the repo realm:
  • everyone: A non-authenticated user. Allows visibility into public channel and subchannel contents as well as group membership.
  • author: An authenticated user. Allows users to create new channels and subchannels, and provides user level access to your JupyterHub server.
  • admin: The administrator role has full management permissions over all the features of Anaconda Platform. The admin role is responsible for creating and maintaining mirrors in addition to managing users and CVE data. This role also provides admin level permissions to your JupyterHub server.
The admin role is not visible through Anaconda Platform UI.

Managing Roles

Administrators use roles to define and enforce access boundaries within Anaconda Platform. Roles specify who can view or modify particular resources, for example, which users can see channels, manage mirrors, access the policy engine, or review CVE data. Effective role management helps maintain both security and operational clarity. Most role management tasks can be done directly from the Platform interface, but some advanced operations require access to the Keycloak administrative console.

Creating custom roles

Custom roles allow you to define specific permission sets that align with your organization’s needs. Once you’ve created a role, you can assign it to users or groups as necessary.
  1. Open the user dropdown and select Users & Groups.
  2. Select Create User Role.
  3. Enter a unique name and description for your role.
  4. Set the permission levels for each category.
  5. Select Create.

Editing role permissions

Editing a role alters the permissions for all associated users and groups. Ensure you understand the impact of these changes before proceeding.
  1. Open the user dropdown and select Users & Groups.
  2. Select Edit role beside the role you want to modify.
  3. Update the permissions as necessary.
  4. Select Edit.

Assigning a role to a user

Roles are typically assigned to a group as opposed to individual users avoid the overhead of managing permissions on a per-user basis. However, you can assign roles to individual users as needed.
Permissions can be assigned to groups directly from Anaconda Platform. However, assigning a role to an individual user must be handled through the Keycloak administrative console.
  1. Log in to the Keycloak administrative console.
  2. Verify you are in the repo realm.
    For more information about realms, see Realms.
  3. Select Users from the left-hand navigation.
  4. Select a user to assign roles to.
  5. Select the Role mapping tab.
  6. Select Assign role.
  7. Open the filter dropdown and select Filter by realm roles.
  8. Select the roles you need to add to your user, then select Assign.

Deleting a role

Deleting a role permanently removes it from Anaconda Platform. This action should only be taken when a role is no longer in use or has been replaced by a new one.
Before deleting a role, confirm that no active users or groups depend on it, as this immediately revokes the role’s permissions for all associated users and groups.
  1. Open the user dropdown and select Users & Groups.
  2. Select the Delete Role icon beside the role you want to delete.
  3. Select Delete to confirm that you want to delete the role.

Composite roles

A composite role is built from other existing roles and provides the aggregated permissions of all the roles it’s composed of. The following example shows how to create a composite role that lets a master realm admin manage users in the repo realm:
  1. Log in to the Keycloak administrative console.
  2. Verify you are in the master realm.
  3. Select Realm roles from the left-hand navigation.
  4. Select Create role.
  5. Enter a name for your role and provide a brief description of its intended use.
  6. Select Save. More tabs appear.
  7. Open the Action dropdown and select Add associated roles.
  8. If necessary, open the filter dropdown and select Filter by clients.
  9. Select the following roles to associate their permissions with this composite role.
    • manage-users
    • query-users
    • view-users
  10. Select Assign.
  11. Assign your newly created composite role to the appropriate admin users on the master realm.

Setting/updating default roles

Default roles are permissions that are automatically applied to any newly created or imported user within a realm. Each realm has its own set of default roles.
Default roles are composite roles. For more information, see Composite roles.
To set the default roles:
  1. Log in to the Keycloak administrative console.
  2. Verify you are on the realm you need to set default roles for.
  3. Select Realm settings from the left-hand navigation.
  4. Select the User registration tab.
  5. Select Assign role.
  6. If necessary, open the filter dropdown and select Filter by clients.
  7. Select available roles to assign to newly created or imported users.
  8. Select Assign.

Group roles

Any permissions that can be granted to an individual by assigning them a role can also be granted to multiple people by assigning the role to a group. This is exceptionally useful for Anaconda Platform implementations that utilize an LDAP or Active Directory server. To assign roles to a group:
  1. Log in to the Keycloak administrative console.
  2. Verify you are working in the repo realm.
  3. Select Groups from the left-hand navigation.
  4. Select the group you want to provide permissions to.
  5. Select the Role mapping tab.
  6. Select Assign role.
  7. If necessary, open the filter dropdown and select Filter by clients.
  8. Select available roles to assign to newly created or imported users.
  9. Select Assign.

Setting/updating default groups

Default groups automatically assign group membership (and the permissions associated with said groups) to all newly created or imported users within a realm. To set the default groups:
  1. Log in to the Keycloak administrative console.
  2. Verify you are in the repo realm.
  3. Select Realm settings from the left-hand navigation.
  4. Select the User registration tab.
  5. Select the Default groups tab.
  6. Select Add groups.
  7. Select the groups you want to assigned as default.
  8. Select Add.