Assign Roles
For more information about getting started, see Manage B2 Cloud Storage at Scale: Enterprise Web Console.
For questions after implementation, contact the Product Team.
Roles define what actions a user can take as well as which objects and resources they can see.
There are five predefined roles: Administrator, Bucket Creator, Object Manager, Object Viewer, and Object Writer.
Users can be assigned multiple roles—either directly or through membership in one or more user groups. When a user receives multiple role assignments on the same scope, the more permissive (or “more generous”) set of permissions applies. Roles are additive, and permissions never cancel each other out.
Many UI elements are hidden unless a role provides access. For example, only Administrators can view the Access Controls navigation item in the left menu.
Examples
Overlapping Roles on a Bucket
A user is assigned Object Viewer on Bucket A through a user group.
The same user is directly assigned Object Writer on Bucket A.
Result:
The user inherits Object Writer permissions for Bucket A, because it is the more permissive role.
They can view, download, and also upload or overwrite objects.
Organization vs. Resource Group Scope
A user has Object Manager on a Resource Group, granting full object-level access to all buckets in that RG.
The same user is assigned Object Viewer at the Organization scope.
Result:
In the Resource Group: the Object Manager role applies (more permissive).
Outside the Resource Group but inside the Organization: the Object Viewer permissions apply.
This demonstrates how roles combine across different scopes.
Admin Role Overrides
A user is a member of a user group that has Object Writer in a Resource Group.
The user is also assigned Administrator directly.
Result:
The Administrator role gives access to all resources and Access Control pages, regardless of other assignments.
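The three scenarios above can be reproduced mechanically when reviewing who can do what on a bucket. The following Python is an added example, not Backblaze code or a product API: the action names, the `Assignment` record, the `effective_actions` function, and every user, group, bucket, and resource group name are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Assumed action sets inferred from the examples above; the Permissions tab
# in the console is the authoritative list for each role.
VIEW = {"view", "download"}
WRITE = VIEW | {"upload", "overwrite"}
ROLE_ACTIONS = {
    "Object Viewer": VIEW,
    "Object Writer": WRITE,
    "Object Manager": WRITE | {"manage_objects"},
    "Bucket Creator": {"create_bucket"},
    "Administrator": {"*"},  # everything, including Access Control pages
}

class Assignment(NamedTuple):
    principal: str       # user or user group (constructed names)
    role: str
    scope: str           # "organization", "resource_group" or "bucket"
    target: str = ""     # resource group or bucket name; empty for organization

def effective_actions(user, bucket, assignments, groups, bucket_rg):
    """Union the actions of every direct or group assignment covering bucket."""
    principals = {user} | set(groups.get(user, ()))
    actions = set()
    for a in assignments:
        if a.principal not in principals:
            continue
        covers = (
            a.role == "Administrator"  # applies regardless of other scopes
            or a.scope == "organization"
            or (a.scope == "resource_group" and bucket_rg.get(bucket) == a.target)
            or (a.scope == "bucket" and a.target == bucket)
        )
        if covers:
            actions |= ROLE_ACTIONS[a.role]  # additive: nothing is subtracted
    return actions  # empty set means no access at all

# Constructed sample data mirroring the three examples above.
GROUPS = {"alice": ["readers"], "carol": ["writers"]}
BUCKET_RG = {"bucket-b": "rg-1"}  # bucket-a and bucket-c are in no resource group
ASSIGNMENTS = [
    Assignment("readers", "Object Viewer", "bucket", "bucket-a"),
    Assignment("alice", "Object Writer", "bucket", "bucket-a"),
    Assignment("bob", "Object Manager", "resource_group", "rg-1"),
    Assignment("bob", "Object Viewer", "organization"),
    Assignment("writers", "Object Writer", "resource_group", "rg-1"),
    Assignment("carol", "Administrator", "organization"),
]
```

Running the resolver over every user and bucket pair gives a baseline to compare against after group membership or role assignments change.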
Managed Role Types
| Name | Description | Scope |
|---|---|---|
| Administrator | Grants full administrative access across the organization. | |
| Bucket Creator | Allows the user to create buckets. Once created, they can manage the buckets they create, including: | |
| Object Manager | Provides full management of objects within specified buckets, including: | |
| Object Viewer | Allows viewing objects within assigned buckets: | |
| Object Writer | Allows writing and updating objects: | |
View Role Permissions
You can view the permissions for any role to understand exactly which actions it allows and which resources it provides access to.
In the left navigation menu under Access Control, select Roles.
Select a role name.
Select the Permissions tab to view permission names and their corresponding descriptions.
Assign a Role to a User or a User Group
In the left navigation menu under Access Control, select Roles.
Select the role that you want to assign (Administrator, Bucket Creator, Object Manager, Object Viewer, Object Writer).
Select the Users tab or the User Groups tab, and click Assign Access.
Select the scope for the role:
Organization: applies across the entire organization
Resource Group: select a resource group
Bucket: select a bucket (for object roles)
Click Save.