Manage Access

Space access can be managed through the 'Permissions' section inside the space drawer. There are a couple of special cases:

1. Global Loft Admins & Project Admins have access and can change all spaces within a project.
2. Virtual Cluster owners always have access and can change their spaces.
3. Every user or team within the management cluster that has the RBAC permission on the resource "spaceinstances" in api group "management.loft.sh" for the verb "use" can access the space.

How does Access within a space work?

Every user or team that has access to a space gets automatically the default cluster role assigned within the space. By default this is loft-cluster-space-admin. The default cluster role can be either changed in the space template or on the space object itself.

Besides the default rule you can define extra rules on the space or template that map a user or team to another cluster role. As soon as one rule matches a user or team, the default cluster role is not assigned. If multiple rules match a user, all the cluster roles defined in the rules are assigned.

Grant Access to a space

UI

1. Go to the Projects view using the menu on the left
2. Click on Spaces and click on the Edit link on a space.
3. In the drawer select the 'Permissions' section.
4. Select the user or team you want to grant permissions in the 'User or Team' select. If you don't see the user or team you want to grant access in there, make sure they have project access.
5. Specify the cluster-role you want to assign the user or team within the space.
6. Click on the button at the very bottom

CLI

To give someone access to a space using Loft CLI, run:

loft share space [optional:name] --user other-user --project my-project