Skip to main content

ZITADEL Managers

Managers are human users or service users who have permission to manage resources within ZITADEL.

Manager permissions can be assigned to different levels in ZITADEL:

  • IAM Managers: This is the highest level. Users with IAM Manager roles are able to manage the whole Instance.
  • Org Managers: Managers in the Organization Level are able to view or manage everything, according to their permissions, within the granted Organization.
  • Project Mangers: In this level the user is able to manage a project.
  • Project Grant Manager: The project grant manager is for granted projects by another organization.

Scope of the managers is restricted based on their level. That means a Manager, assigned to one organization, will only get access to resources and configurations of that organization. Only Managers on the instance level can view resources, such as users, across all organizations.

To configure managers in ZITADEL go to the resource where you like to add it (e.g Instance, Organization, Project, GrantedProject). In the right part of the console you can finde MANAGERS in the details part. Here you have a list of the current managers and can add a new one.


When adding a new manager, you can select multiple roles some of which are only allowed to read data. This can be especially useful if you add service users for one of your projects where you only need read access.

Per default you will only search for users within the selected organization. If you like to give a role to a user outside the organization you need to switch to the global search and type the exact loginname of the users. This will prevent users from guessing users from other organizations.



IAM OwnerIAM_OWNERManage the IAM, manage all organizations with their content
IAM Owner ViewerIAM_OWNER_VIEWERView the IAM and view all organizations with their content
IAM Org ManagerIAM_ORG_MANAGERManage all organizations including their policies, projects and users
IAM User ManagerIAM_USER_MANAGERManage all users and their authorizations over all organizations
IAM Admin ImpersonatorIAM_ADMIN_IMPERSONATORAllow impersonation of admin and end users from all organizations
IAM ImpersonatorIAM_END_USER_IMPERSONATORAllow impersonation of end users from all organizations
Org OwnerORG_OWNERManage everything within an organization
Org Owner ViewerORG_OWNER_VIEWERView everything within an organization
Org User ManagerORG_USER_MANAGERManage users and their authorizations within an organization
Org User Permission EditorORG_USER_PERMISSION_EDITORManage user grants and view everything needed for this
Org Project Permission EditorORG_PROJECT_PERMISSION_EDITORGrant Projects to other organizations and view everything needed for this
Org Project CreatorORG_PROJECT_CREATORThis role is used for users in the global organization. They are allowed to create projects and manage them.
Org Admin ImpersonatorORG_ADMIN_IMPERSONATORAllow impersonation of admin and end users from the organization
Org ImpersonatorORG_END_USER_IMPERSONATORAllow impersonation of end users from the organization
Project OwnerPROJECT_OWNERManage everything within a project. This includes to grant users for the project.
Project Owner ViewerPROJECT_OWNER_VIEWERView everything within a project.
Project Owner GlobalPROJECT_OWNER_GLOBALSame as PROJECT_OWNER, but in the global organization.
Project Owner Viewer GlobalPROJECT_OWNER_VIEWER_GLOBALSame as PROJECT_OWNER_VIEWER, but in the global organization.
Project Grant OwnerPROJECT_GRANT_OWNERSame as PROJECT_OWNER but for a granted proejct.

Configure roles

If you run a self hosted ZITADEL instance you can define your custom roles by overwriting the defaults.yaml In the InternalAuthZ section you will find all the roles and which permissions they have.


- Role: "IAM_OWNER"
- ""
- "iam.write"