RBAC Not Working
Hi Neon,
I have an organization with a few projects. How do I provision users within the organization and then restrict them to specific projects? I tried going the Collaborators route but that isn't working.
10 Replies
conscious-sapphire•7h ago
Hey! If you want a user to have access to all the projects within an org, you can invite them as a Member at https://console.neon.tech/app/org/<org-id>/people. If you want to restrict someone to only specific projects, you'll need to invite them as a Collaborator from that project at https://console.neon.tech/app/projects/<project-id>/settings#sharing
flat-fuchsiaOP•7h ago
Will that work if a user just has a free account but tied to my company's email?
I started an organization with my company email, so that is all paid for.
conscious-sapphire•7h ago
Yes it will. Billing and limits are tied to the org that owns the project, not the individual user’s account. So if you created the org on your company’s paid plan, any Members or Collaborators you invite (even if they only have a free Neon account) will use the org’s resources/limits when working in those projects. Their personal account limits don’t apply inside your org.
flat-fuchsiaOP•7h ago
got it, can those collaborator accounts then be tied to SQL-level access to the db itself?
I tried enabling auth on the project but got a server error
Unknown internal server error
conscious-sapphire•7h ago
I'm not sure I understand. I think you're asking if Neon member and collaborator roles are tied to Postgres roles. If so, no, any member and collaborator will have the same neondb_owner role in Postgres. Neon Member and Collaborator roles only control Console access.
When you say you enabled auth, do you mean you provisioned Neon Auth powered by Stack Auth?
flat-fuchsiaOP•7h ago
ok so console access is effectively superadmin
My goal is to enable RBAC similar to the AWS IAM authenticator plugin, where usernames map to different access groups
for example: read only vs read write
conscious-sapphire•7h ago
Exactly, console access is basically admin. For what you’re trying to accomplish, you’d need to create Postgres roles for your collaborators with the right privileges, then share the connection string for that role. They can connect using a client like DBeaver or pgAdmin to browse the database, instead of going through the console, if they need.
flat-fuchsiaOP•7h ago
got it, so this is probably a Terraform job then?
conscious-sapphire•7h ago
Most likely. Not needed, but definitely much easier to manage
flat-fuchsiaOP•7h ago
we have a team of developers that need varying degrees of access. I'll standardize on that. Thanks!
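
The read-only vs read-write split discussed in this thread, sketched in plain Postgres SQL as an added example (not posted by either participant and not Neon's own code). It assumes the statements are run as `neondb_owner` against a database named `neondb` using the `public` schema; the role names `app_readonly`, `app_readwrite`, `dev_alice` and `dev_bob` are hypothetical.

```sql
-- Group roles carry the privileges and cannot log in themselves.
CREATE ROLE app_readonly  NOLOGIN;
CREATE ROLE app_readwrite NOLOGIN;

-- Assumed database name; both groups may connect and resolve names
-- in the schema, but neither may create objects in it.
GRANT CONNECT ON DATABASE neondb TO app_readonly, app_readwrite;
GRANT USAGE ON SCHEMA public TO app_readonly, app_readwrite;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Read-only group: SELECT on the tables that exist today.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readonly;

-- Read-write group: DML on tables, plus sequences so that
-- serial/identity columns work on INSERT. No DDL, no TRUNCATE.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON ALL TABLES IN SCHEMA public TO app_readwrite;
GRANT USAGE, SELECT
  ON ALL SEQUENCES IN SCHEMA public TO app_readwrite;

-- GRANT ... ON ALL TABLES only covers existing objects. Default
-- privileges extend the same split to tables the owner creates later.
ALTER DEFAULT PRIVILEGES FOR ROLE neondb_owner IN SCHEMA public
  GRANT SELECT ON TABLES TO app_readonly;
ALTER DEFAULT PRIVILEGES FOR ROLE neondb_owner IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_readwrite;
ALTER DEFAULT PRIVILEGES FOR ROLE neondb_owner IN SCHEMA public
  GRANT USAGE, SELECT ON SEQUENCES TO app_readwrite;

-- One login role per developer, so access can be revoked per person
-- and each connection string maps to exactly one access level.
-- The passwords are placeholders to be replaced.
CREATE ROLE dev_alice LOGIN PASSWORD '<unique-password-1>' IN ROLE app_readonly;
CREATE ROLE dev_bob   LOGIN PASSWORD '<unique-password-2>' IN ROLE app_readwrite;

-- Review what each group actually holds. Inherited privileges are
-- listed under the group role, not under the individual login role.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('app_readonly', 'app_readwrite')
ORDER BY grantee, table_name, privilege_type;

-- Map logins to groups to confirm who got which level.
SELECT m.rolname AS login_role, g.rolname AS group_role
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.roleid
WHERE g.rolname IN ('app_readonly', 'app_readwrite');
```

Moving a developer between access levels is then a `REVOKE app_readonly FROM dev_alice; GRANT app_readwrite TO dev_alice;` rather than a re-grant of table privileges.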