Tarantool CE/EE Documentation portal logo
Support
Updated at July 17, 2026   02:08 PM

Role-based access control

Тarantool Cluster Manager features a role-based access control system. It enables flexible management of access to TCM functions, connected clusters, and stored data. The TCM access system uses three main entities: permissions, roles, and users (or user accounts). They work as follows:

  • Permissions correspond to specific functions or objects in TCM (administrative permissions) or operations on clusters (cluster permissions).
  • Roles are predefined sets of administrative permissions to assign to users.
  • Users have roles that define their access rights to TCM functions and objects, and cluster permissions that are assigned for each cluster individually.

Permissions

Permissions define access to specific actions that users can do in TCM. For example, there are permissions to view connected clusters or to manage users.

There are two types of permissions in TCM: administrative and cluster permissions.

  • Administrative permissions provide access to TCM functions. They define which pages and controls are available to users in the web UI. Typically, read permissions define pages shown in the left menu. Write permissions define the availability of controls for managing objects on the pages. For example, users with read permission to clusters can view the Clusters page but they don't see Add, Edit, or Remove buttons unless they have the write permission.

    Administrative permissions are assigned to users through roles.

  • Cluster permissions enable actions with connected Tarantool clusters. These permissions are granted to users on a per-cluster level: each user has a separate set of permissions for each cluster.

    Cluster permissions define which pages of the Cluster menu section users see and what actions they can take on these pages. For example, users with the read configuration permission to a cluster configuration see the Configuration page when this cluster is selected.

    Cluster permissions are assigned to users individually when creating or editing them.

    For a fine-grained control over user access to particular spaces and functions stored in clusters, there is the access control list.

Permissions are predefined in TCM, there is no way to change, add, or delete them. The complete lists of administrative and cluster permissions in TCM are provided in the Permissions reference.

Roles

Roles are groups of administrative permissions that are assigned to users together.

The assigned roles define pages that users see in TCM and actions available on these pages.

Default roles

TCM comes with default roles that cover three common usage scenarios:

  • Super Admin Role is a default role with all available administrative permissions. Additionally, the users with this role automatically gain all cluster permissions to all clusters.
  • Cluster Admin Role is a default role for cluster administration. It includes administrative permissions for cluster management.
  • Default User Role is a default role for working with clusters. It includes basic administrative read permissions that are required to log in to TCM and navigate to a cluster.

Managing roles

Administrators can create new roles, edit, and delete existing ones.

Roles are listed on the Roles page.

To create a new role, click Add, enter the role name, and select the permissions to include in the role.

To edit an existing role, click Edit in the Actions menu of the corresponding table row.

To delete a role, click Delete in the Actions menu of the corresponding table row.

Users

TCM users gain access to objects and actions through assigned roles and cluster permissions.

A user can have any number of roles or none of them. Users without roles have access only to clusters that are assigned to them.

TCM uses password authentication for users. For information on password management, see the Passwords section below.

Default admin

There is one default user Default Admin. It has all the available permissions, both administrative and cluster ones. When new clusters are added in TCM, Default Admin automatically receives all cluster permissions for them as well.

Managing users

Administrators can create new users, edit, and delete existing ones.

The tools for managing users are located on the Users page.

To create a user:

  1. Click Add.
  2. Fill in the user information: username, full name, and description.
  3. Generate or type in a password.
  4. Select roles to assign to the user.
  5. Add clusters to give the user access to, and select cluster permissions for each of them.

To edit a user, click Edit in the Actions menu of the corresponding table row.

To delete a user, click Delete in the Actions menu of the corresponding table row.

Passwords

TCM uses the general term secret for user authentication keys. A secret is any pair of a public and a private key that can be used for authentication. A password combined with a username is a secret type used for TCM user authentication. In this case, the public key is a username, and the private key is a password.

Users receive their first passwords during their account creation.

All passwords are governed by the password policy. It can be flexibly configured to follow the security requirements of your organization.

Changing your password

To change your own password, click your name in the top-right corner and go to Settings > Change password.

Changing users' passwords

Administrators can manage a user's password on this user's Secrets page. To open it, click Secrets in the Actions menu of the corresponding Users table row.

To change a user's password, click Edit in the Actions menu of the corresponding Secrets table row and enter the new password in the New secret key field.

Password expiry

Passwords expire automatically after the expiration period defined in the password policy. When a user logs in to TCM with an expired password, the only action available to them is a password change. All other TCM functions and objects are unavailable until the new password is set.

Administrators can also set users' passwords to expired manually. To set a user's password to expired, click Expire in the Actions menu of the corresponding Secrets table row.

Blocking passwords

To forbid users' access to TCM, administrators can temporarily block their passwords. A blocked password can't be used to log into TCM until it's unblocked manually or the blocking period expires.

To block a user's password, click Block in the Actions menu of the corresponding Secrets table row. Then provide a blocking reason and enter the blocking period.

To unblock a blocked password, click Unblock in the Actions menu of the corresponding Secrets table row.

Password policy

Password policy helps improve security and comply with security requirements that can apply to your organization.

You can edit the TCM password policy on the Password policy page. There are the following password policy settings:

  • Minimal password length.
  • Do not use last N passwords.
  • Password expiration in days. Users' passwords expire after this number of days since they were set. Users with expired passwords lose access to any objects and functions except password change until they set a new password.
  • Password expiration warning in days. After this number of days, the user sees a warning that their password expires soon.
  • Block after N login attempts. Temporarily block users if they enter their username or password incorrectly this number of times consecutively.
  • User lockout time in seconds. The time interval for which users can't log in after spending all failed login attempts.
  • Password must include. Characters and symbols that must be present in passwords:
    • Lowercase characters (a-z)
    • Uppercase characters (A-Z)
    • Digits (0-9)
    • Symbols (such as !@#$%^&*()_+№"':,.;=][{}`?>/.)

Permissions reference

Administrative permissions

The following administrative permissions are available in TCM:

Permission Description


admin.clusters.read View connected clusters' details admin.clusters.write Edit cluster details and add new clusters admin.users.read View users' details admin.users.write Edit user details and add new users admin.roles.read View roles' details admin.roles.write Edit roles and add new roles admin.addons.read View add-ons admin.addons.write Edit add-on flags admin.addons.upload Upload new add-ons admin.auditlog.read View audit log configuration and read audit log in TCM admin.auditlog.write Edit audit log configuration admin.sessions.read View users' sessions admin.sessions.write Revoke users' sessions admin.ldap.read View LDAP configurations admin.ldap.write Manage LDAP configurations admin.passwordpolicy.read View password policy admin.passwordpolicy.write Manage password policy admin.secrets.read View information about users' secrets admin.secrets.write Manage users' secrets: add, edit, expire, block, delete user.password.change User's permission to change their own password user.api-token.read User's permission to read their own API tokens information user.api-token.write User's permission to modify their own API tokens admin.metrics Read TCM metrics admin.acl.read View the access control list (ACL) admin.acl.write Add and delete ACL entries

Cluster permissions

The following cluster permissions are available in TCM:

Permission Description


cluster.config.read View cluster configuration cluster.config.write Manage cluster configuration cluster.stateboard.read View cluster stateboard cluster.func.read View cluster's stored functions cluster.func.write Edit cluster's stored functions cluster.func.call Execute stored functions on cluster instances cluster.space.read Read cluster data schema cluster.space.write Modify cluster data schema cluster.space.data.read Read stored data from cluster cluster.space.data.write Edit stored data on cluster cluster.failover.read Read cluster failover information cluster.failover.write Write cluster failover commands cluster.terminal Connect to cluster instances with tt terminal from TCM cluster.sql Execute SQL queries cluster.metrics View cluster metrics cluster.config.security View and edit settings on the Security tab cluster.user.read View users and roles of the cluster on the Users tab on the instance page cluster.user.write Create, edit, and delete users and roles of the cluster on the Users tab on the Instance page cluster.migrations.read View information about loaded and applied migrations on the Migrations tab cluster.migrations.write Create, edit, and apply migrations cluster.tcf.read View information about TCF clusters and their status on the TCF tab cluster.tcf.write Modify TCF configuration settings and switch cluster states on the TCF tab