Roles and Groups

Zero Assumptions uses roles and groups to define abilities.


A user is an individual or service account. Both individuals and service accounts are assigned roles.

Service Accounts

Service accounts have to connect to the control plane, but not necessarily the network.


Roles are assigned to users to define their scope of abilities when interacting with Zero Assumptions in the control plane. Roles only define capabilities and not access to resources.

Types of roles

Users can have one role at a time, and belong to zero or more groups.

  • Admin: An Admin is in charge of the main configuration, setting up authentication, and writing policies. Admins also have the abilities of Operators and Users.
  • Operator: An Operator maintains Zero Assumptions once it has been deployed. Operators also have the abilities of Users.
  • User: A User can connect to your network and use the Zero Assumptions setup.


Groups define user access to resources.

  • Groups have zero or more users and machines (service accounts)
  • Groups have zero or more permissions, which define the resources a group has access to

While groups grant persistent access, time-limited access to single resources can also be assigned directly.


Resources control entities like databases, SSH servers, Kubernetes clusters, and subnets.
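
The separation described above, as an added sketch in Python (not Zero Assumptions code; the capability labels, class names, and sample data are constructed for illustration): a role determines capabilities only, while resource access comes from a group permission or an unexpired direct grant.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Capability names are constructed labels for the duties the page lists per role.
ROLE_CAPS = {
    "User": {"connect"},
    "Operator": {"maintain"},
    "Admin": {"configure", "setup_auth", "write_policy"},
}
# Admins also have Operator and User abilities; Operators also have User abilities.
INHERITS = {"Admin": "Operator", "Operator": "User", "User": None}

def capabilities(role):
    """Union of a role's own capabilities and those of every role it inherits from."""
    caps = set()
    while role is not None:
        caps |= ROLE_CAPS[role]
        role = INHERITS[role]
    return caps

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)      # users and service accounts
    permissions: set = field(default_factory=set)  # names of accessible resources

@dataclass
class Grant:
    """Time-limited access to a single resource, assigned directly to a user."""
    user: str
    resource: str
    expires: datetime

def can_access(user, resource, groups, grants, now):
    """Access comes only from group membership or an unexpired direct grant."""
    if any(user in g.members and resource in g.permissions for g in groups):
        return True
    return any(g.user == user and g.resource == resource and now < g.expires
               for g in grants)

# Constructed sample data: one role per user, zero or more groups.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ROLES = {"alice": "User", "bob": "Operator", "carol": "Admin", "svc-backup": "User"}
GROUPS = [Group("dba", {"alice", "svc-backup"}, {"orders-db"}), Group("empty")]
GRANTS = [Grant("bob", "bastion-ssh", NOW + timedelta(hours=1))]
```

In this model `carol` holds the Admin role yet has no access to `orders-db`, because no group or grant gives it to her, and `bob`'s access to `bastion-ssh` ends when the grant expires.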


A team is your organization. Teams contain all of your users, roles, and groups.