Add documentation for Custom Roles feature#4293
Open
brianmacdonald-temporal wants to merge 17 commits into
Open
Add documentation for Custom Roles feature#4293brianmacdonald-temporal wants to merge 17 commits into
brianmacdonald-temporal wants to merge 17 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
📖 Docs PR preview links |
LutaoX
reviewed
Mar 13, 2026
bechols
reviewed
Mar 13, 2026
LutaoX
reviewed
Mar 16, 2026
Co-authored-by: Ben Echols <benjamin.echols@temporal.io>
Co-authored-by: Ben Echols <benjamin.echols@temporal.io>
Fixing broken links
LutaoX
reviewed
Jun 4, 2026
|
|
||
| For more information about the limits of Custom Roles, see [Custom Roles limits](/cloud/limits#custom-role-limits). | ||
|
|
||
| ## Defining Custom Roles |
Contributor
There was a problem hiding this comment.
Can we also somewhere add the naming standard/convention? See information below
- Allowed characters: a-z A-Z 0-9 _ -
- Not allowed: space
- Special Chars only _ and -
- Max length: 64 characters
- Min Length: 1 character
- Unique per account: NO
| ## What are Custom Roles? | ||
|
|
||
| Custom Roles enable you to define your own roles as bundles of permission primitives (operations/actions) | ||
| scoped to applicable resources (namespaces or account objects) and assign them to any |
Contributor
There was a problem hiding this comment.
Suggested change
| scoped to applicable resources (namespaces or account objects) and assign them to any | |
| scoped to Temporal Cloud resources (e.g. [Account](https://docs.temporal.io/cloud/manage-access#temporal-cloud-accounts), [Namespace](https://docs.temporal.io/namespaces), [Nexus Endpoint](https://docs.temporal.io/nexus/endpoints), [Connectivity Rule](https://docs.temporal.io/cloud/connectivity#connectivity-rules) and assign them to any |
|
|
||
| Temporal Cloud offers a set of predefined [account-level roles and Namespace-level permissions](https://docs.temporal.io/cloud/users#account-level-roles). | ||
| These roles are sufficient for many Temporal use cases, but can't cover all combinations of least privilege, delegation, and automation-safe permissions often required in large enterprises. | ||
|
|
Contributor
There was a problem hiding this comment.
add what you had in the description here? I like that it is very straightforward and easy to understand:
"With Custom Roles, you can define granular permissions in Temporal Cloud, giving your team precise control over who can perform specific actions within your account."
| id: custom-roles | ||
| title: Manage custom roles | ||
| sidebar_label: Manage custom roles | ||
| description: Custom roles enable users to create fine-grained authorization in Temporal Cloud. This will give you precise control over who can do what within your account. |
Contributor
There was a problem hiding this comment.
small nit. "create fine-grained authorization" sounds a little awkward because we are not "creating authorization" it doesn't create authorization itself but more granular way to manage permission.
Recommendation:
"enable users to define granular permissions in Temporal Cloud."
Comment on lines
+34
to
+38
| Use Custom Roles if you want more fine-grained authentication than Temporal Cloud's predefined roles and permissions provide. | ||
|
|
||
| Use Custom Roles if your access model enforces least-privilege access to grant users and service accounts only the operations they explicitly need, and no more. | ||
|
|
||
| Using Custom Roles with [Service Accounts](/cloud/service-accounts) can make them more secure for automation purposes. |
Contributor
There was a problem hiding this comment.
Suggested change
| Use Custom Roles if you want more fine-grained authentication than Temporal Cloud's predefined roles and permissions provide. | |
| Use Custom Roles if your access model enforces least-privilege access to grant users and service accounts only the operations they explicitly need, and no more. | |
| Using Custom Roles with [Service Accounts](/cloud/service-accounts) can make them more secure for automation purposes. | |
| Use Custom Roles when you need more granular access control than the [predefined roles](https://docs.temporal.io/cloud/users#account-level-roles) provide. Common use cases include: | |
| - **Least-privilege access**: Grant users only the permissions they need to perform their job functions. | |
| - **Delegated administration**: Allow teams to manage specific Temporal Cloud resources without granting full account administration privileges. | |
| - **Service account security**: Create narrowly scoped permissions for automation and integrations, reducing risk if credentials are compromised. |
| | **Resource Type** | **Scoping Behavior** | NOTE | | ||
| | --- | --- | --- | | ||
| | account | Account-level; no specific resource ID needed | | | ||
| | projects (coming soon) | [At the time of Custom Roles release] Scoped to default project <br />[Future] Scoped to specific project IDs, or `allow_all: true` for all projects. | `default` project to start with because with introduction of projects, all namespaces will be moved to `default` project to start with | |
Comment on lines
+158
to
+166
| - **Resource Types & Scoping Behavior** | ||
|
|
||
| | **Resource Type** | **Scoping Behavior** | NOTE | | ||
| | --- | --- | --- | | ||
| | account | Account-level; no specific resource ID needed | | | ||
| | projects (coming soon) | [At the time of Custom Roles release] Scoped to default project <br />[Future] Scoped to specific project IDs, or `allow_all: true` for all projects. | `default` project to start with because with introduction of projects, all namespaces will be moved to `default` project to start with | | ||
| | Namespaces | Scoped to specific Namespace IDs, or `allow_all: true` for all Namespaces | | | ||
| | Nexus endpoints | Scoped to specific Nexus endpoint IDs, or `allow_all: true` for all Nexus endpoints | | | ||
| | connectivity rules | Scoped to specific connectivity rule IDs, or `allow_all: true` for all connectivity rules | | |
Contributor
There was a problem hiding this comment.
since we don't need Projects anymore. we probably don't need this table. The scoping behavior is the same across all other resources
|
|
||
| For a list of available actions, see [the list of Custom Role permissions](https://github.com/temporalio/saas-proto/blob/main/protogen/custom_role_permissions.json). | ||
| - Account-scoped actions (resource_type: "accounts") | ||
| - Project-scoped actions (resource_type: "projects") |
|
|
||
| Either `allow_all: true` or `resource_ids` must be set, not both. | ||
|
|
||
| For a list of available actions, see [the list of Custom Role permissions](https://github.com/temporalio/saas-proto/blob/main/protogen/custom_role_permissions.json). |
Contributor
There was a problem hiding this comment.
This link is the internal json file Eng team produced so that doc and UI team can refer to for creating a user facing content.
We need a separate reference page created in public doc with this information that is 1) user friendly and 2) in sync with this internal json file so we don't need to manually keep the page updated
Comment on lines
+179
to
+191
| The following example allows creating Namespaces in all projects. | ||
| The action is `cloud.namespace.create`, the resource type is `projects`, and `allow_all` is set to true. | ||
|
|
||
| ```jsx | ||
| { | ||
| "actions": ["cloud.namespace.create"], | ||
| "resources": { | ||
| "resource_type": "projects", | ||
| "allow_all": true | ||
| } | ||
| } | ||
| ``` | ||
|
|
Contributor
There was a problem hiding this comment.
we can keep the two below example: one illustrating specific resource with ID, one illustrate mix and match to all resources.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Adds documentation for the Custom Roles feature
Notes to reviewers
┆Attachments: EDU-6050 Add documentation for Custom Roles feature