The Gloo Mesh API v2 is designed for the following user personas.

Figure: Gloo Mesh personas
Figure: Gloo Mesh personas

Persona responsibilities

As you plan your Gloo Mesh environment, consider how the following user personas relate to your own organization. For example, your workload administrator might be the same person as your development team lead.

Team organization

In your organization, the same person might have responsibilities from several of the Gloo Mesh personas. Similarly, you might have several teams that have many of these roles, such as in the following diagram.

Figure: Persona teams
Figure: Persona teams

In Gloo Mesh, you can create a workspace for each team. Then, you can configure the workspace settings to decide how to share resources across your teams. For more information, see Workspaces.

Figure: Persona teams as workspaces
Figure: Persona teams as workspaces

Example RBAC roles by persona

PersonaRolesRationale
Pam, Platform AdminThe cluster-admin cluster role for all clusters in your setup.To install Gloo Mesh Enterprise and Istio in each cluster. Also, to add users to the clusters.
Arjay, App OwnerThe cluster-admin cluster role for the cluster or admin or edit role for the namespace that has the workspace settings resource.To update the workspace settings to control importing and exporting. Also, to help manage any Gloo resources that the team wants to export or import.
Oliver, OperatorThe admin or edit role for each namespace he is responsible for operating.To create Gloo resources such as policies for the namespace. Consider giving the view role to the namespace with the workspace settings, so that the operator can review what resources are imported from other workspaces, if any.
Alice, App DeveloperThe edit role for each namespace where she needs to deploy her app.To create Kubernetes resources such as a Deployment and Service, or Gloo resources such as a Route Table. Consider giving the view role to the namespace with the workspace settings, so that the developer can review what resources are imported from other workspaces, if any.