---
title: Role-based Access Control
---
This section describes the permissions required to access Istio features.
The rancher istio chart installs three `ClusterRoles`
## Cluster-Admin Access
By default, only those with the `cluster-admin` `ClusterRole` can:
- Install istio app in a cluster
- Configure resource allocations for Istio
## Admin and Edit access
By default, only Admin and Edit roles can:
- Enable and disable Istio sidecar auto-injection for namespaces
- Add the Istio sidecar to workloads
- View the traffic metrics and traffic graph for the cluster
- Configure Istio's resources (such as the gateway, destination rules, or virtual services)
## Summary of Default Permissions for Kubernetes Default roles
Istio creates three `ClusterRoles` and adds Istio CRD access to the following default K8s `ClusterRole`:
ClusterRole create by chart | Default K8s ClusterRole | Rancher Role |
------------------------------:| ---------------------------:|---------:|
`istio-admin` | admin| Project Owner |
`istio-edit`| edit | Project Member |
`istio-view` | view | Read-only |
Rancher will continue to use cluster-owner, cluster-member, project-owner, project-member, etc as role names, but will utilize default roles to determine access. For each default K8s `ClusterRole` there are different Istio CRD permissions and K8s actions (Create ( C ), Get ( G ), List ( L ), Watch ( W ), Update ( U ), Patch ( P ), Delete( D ), All ( * )) that can be performed.
|CRDs | Admin | Edit | View
|----------------------------| ------| -----| -----
| - `config.istio.io`
- `adapters`
- `attributemanifests`
- `handlers`
- `httpapispecbindings`
- `httpapispecs`
- `instances`
- `quotaspecbindings`
- `quotaspecs`
- `rules`
- `templates`
| GLW | GLW | GLW
|- `networking.istio.io`
- `destinationrules`
- `envoyfilters`
- `gateways`
- `serviceentries`
- `sidecars`
- `virtualservices`
- `workloadentries`
| * | * | GLW
|- `security.istio.io`
- `authorizationpolicies`
- `peerauthentications`
- `requestauthentications`
| * | * | GLW