talos/website/content/docs/v0.11/Guides/rbac.md

---
title: Role-based access control (RBAC)
---

Talos v0.11 introduced initial support for role-based access control (RBAC).
This guide will explain what that is and how to enable it without losing access to the cluster.

## RBAC in Talos

Talos uses certificates to authorize users.
The certificate subject's organization field is used to encode user roles.
There is a set of predefined roles that allow access to different [API methods](../../reference/api/):

* `os:admin` grants access to all methods;
* `os:reader` grants access to "safe" methods (for example, that includes the ability to list files, but does not include the ability to read files content);
* `os:etcd:backup` grants access to [`/machine.MachineService/EtcdSnapshot`](../../reference/api/#machine.EtcdSnapshotRequest) method.

Roles in the current `talosconfig` can be checked with the following command (using [`yq` v4](https://github.com/mikefarah/yq)):

```sh
$ yq eval '.contexts[.context].crt' talosconfig | base64 -d | openssl x509 -noout -text

Certificate:
    Data:
        [...]
        Subject: O = os:reader
        [...]
```

RBAC is enabled by default in new clusters created with `talosctl` v0.11 and disabled otherwise.

## Enabling RBAC

First, both the Talos cluster and `talosctl` tool should be [upgraded](../upgrading-talos/) to v0.11.
Then the `talosctl config new` command should be used to generate a new client configuration with the `os:admin` role.
Additional configurations and certificates for different roles can be generated by passing `--roles` flag:

```sh
talosctl config new --roles=os:reader reader
```

That command will create a new client configuration file `reader` with a new certificate with `os:reader` role.

After that, RBAC should be enabled in the machine configuration:

```yaml
machine:
  features:
    rbac: true
```