Chef Automate Identity and Access Management (IAM) roles are named groups of actions used to define policies. Actions describe what users are allowed to do in Automate. The IAM Actions page describes the action or actions required to access certain pages in the browser.

Users require permission for the iam:roles action to interact with roles. Any user that is part of the admins team or the Administrator policy will have this permission. Otherwise, IAM custom policies can be created to assign this permission.

Chef-Managed Roles

Chef-managed roles are roles provided by Chef that cannot be changed.

Viewer: View everything in the system except IAM
Editor: Do everything in the system except IAM and license application
Owner: Do everything in the system including IAM
Project Owner: Editor + view and assign projects
Ingest: Ingest data into the system

Actions for Chef-Managed Roles

Project Owner (ID: project-owner): infra:nodes:*, infra:nodeManagers:*, compliance:*, event:*, ingest:*, secrets:*, iam:projects:list, iam:projects:get, iam:projects:assign, iam:policies:list, iam:policies:get, iam:policyMembers:*, iam:teams:list, iam:teams:get, iam:teamUsers:*, iam:users:get, iam:users:list, applications:*
Editor (ID: editor): infra:infraServers:list, infra:infraServers:get, infra:nodes:*, infra:nodeManagers:*, compliance:*, event:*, ingest:*, secrets:*, iam:projects:list, iam:projects:get, iam:projects:assign, applications:*
Viewer (ID: viewer): infra:infraServers:list, infra:infraServers:get, secrets:*:get, secrets:*:list, infra:nodes:get, infra:nodes:list, infra:nodeManagers:get, infra:nodeManagers:list, compliance:*:get, compliance:*:list, event:*:get, event:*:list, ingest:*:get, ingest:*:list, iam:projects:list, iam:projects:get, applications:*:get, applications:*:list
Ingest (ID: ingest): infra:ingest:*, compliance:profiles:get, compliance:profiles:list

Custom Roles

Custom roles are roles that any user with the permission for iam:roles:update can change. In addition to the Chef-managed roles above, Chef Automate includes two custom roles by default.

Compliance Viewer: Viewer for compliance resources
Compliance Editor: Editor for compliance resources

You can edit these custom roles like other user-created custom roles.

Managing Roles

Creating Roles

Custom roles can only be created using the Roles API.

Example Custom Role

  {
    "name": "Advocate",
    "id": "advocate-role",
    "actions": [ ... ],
    "projects": [ ... ]
  }
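
Because any user with iam:roles:update can change custom roles, it is worth checking a role body for that action before sending it to the Roles API. The following is an added example, not code from Chef or from this page: the wildcard matching rule is an assumption, and the sample role's actions and projects values are constructed for the demo.

```python
import json

# Action lists copied from the "Actions for Chef-Managed Roles" table on this page.
MANAGED = {
    "editor": "infra:infraServers:list, infra:infraServers:get, infra:nodes:*, "
              "infra:nodeManagers:*, compliance:*, event:*, ingest:*, secrets:*, "
              "iam:projects:list, iam:projects:get, iam:projects:assign, applications:*",
    "ingest": "infra:ingest:*, compliance:profiles:get, compliance:profiles:list",
}

# Named on this page: holders of this action can change custom roles.
SENSITIVE = ("iam:roles:update",)

def matches(pattern, action):
    """Assumed matching rule (not taken from the page): ':'-separated segments,
    '*' matches one segment, and a trailing '*' covers all remaining segments."""
    p, a = pattern.split(":"), action.split(":")
    for i, seg in enumerate(p):
        if seg == "*" and i == len(p) - 1:
            return len(a) > i
        if i >= len(a) or seg not in ("*", a[i]):
            return False
    return len(p) == len(a)

def audit(actions, sensitive=SENSITIVE):
    """List every sensitive action the patterns grant, with the granting pattern."""
    return [f"{s} granted by {p}" for s in sensitive for p in actions if matches(p, s)]

def audit_role_body(body):
    """Audit a JSON role body of the shape shown in the example above."""
    role = json.loads(body)
    return {"id": role["id"], "findings": audit(role["actions"])}

# Constructed role body: name and id are the page's example values; the actions and
# projects entries are invented for this demo because the page does not show them.
SAMPLE = """{
  "name": "Advocate", "id": "advocate-role",
  "actions": ["compliance:*", "infra:nodes:list", "iam:roles:*"],
  "projects": ["example-project"]
}"""

if __name__ == "__main__":
    print(audit_role_body(SAMPLE))
    for role_id, listing in MANAGED.items():
        print(role_id, audit(listing.split(", ")))
```

Extend SENSITIVE with any other actions your organization treats as administrative, and run the check on every role body before it is submitted.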

Changing Role Details

For custom roles, use the Roles API to change the role name, actions list, and projects.

Deleting Roles

Navigate to Roles in the Settings tab. Then open the menu at the end of the table row and select Delete Role.
