
# Role-based access control (RBAC)

> Set up RBAC on the Talos Linux API.

Talos v0.11 introduced initial support for role-based access control (RBAC).
This guide will explain what that is and how to enable it without losing access to the cluster.

## RBAC in Talos

Talos uses certificates to authorize users.
The certificate subject's organization field is used to encode user roles.
There is a set of predefined roles that allow access to different [API methods](../reference/api):

* `os:admin` grants access to all methods;
* `os:operator` grants everything the `os:reader` role does, plus additional methods: rebooting, shutting down, etcd backup, etcd alarm management, and so on;
* `os:reader` grants access to "safe" methods (for example, listing files is allowed, but reading file contents is not);
* `os:etcd:backup` grants access to the [`/machine.MachineService/EtcdSnapshot`](../reference/api#machine.EtcdSnapshotRequest) method.

Roles in the current `talosconfig` can be checked with the following command:

```sh
$ talosctl config info

[...]
Roles:               os:admin
[...]
```
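
Because roles are carried in the certificate subject's organization field, a client certificate can also be audited directly before it is handed out. The Go program below is an added example, not code from Talos or from this page; `RolesFromCert`, `knownRoles` and `sampleCert` are hypothetical names, and the certificate it inspects is a constructed, self-signed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Predefined roles listed on this page.
var knownRoles = map[string]bool{"os:admin": true, "os:operator": true, "os:reader": true, "os:etcd:backup": true}

// RolesFromCert splits a PEM certificate's subject organization values into predefined roles and other values.
func RolesFromCert(pemBytes []byte) (roles, unknown []string, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	for _, org := range cert.Subject.Organization {
		if knownRoles[org] {
			roles = append(roles, org)
		} else {
			unknown = append(unknown, org) // not a predefined role: review before distributing
		}
	}
	return roles, unknown, nil
}

// sampleCert builds a constructed, self-signed certificate used only as demo input.
func sampleCert(orgs ...string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: orgs},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	roles, unknown, err := RolesFromCert(sampleCert("os:reader", "example-org"))
	fmt.Println("roles:", roles, "other organization values:", unknown, "err:", err)
}
```

A certificate meant for read-only use should report `os:reader` as its only role; any `os:admin` or `os:operator` entry means the holder has more access than intended.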

RBAC is enabled by default in new clusters created with `talosctl` v0.11+ and disabled otherwise.

## Enabling RBAC

First, both the Talos cluster and the `talosctl` tool should be [upgraded](../configure-your-talos-cluster/lifecycle-management/upgrading-talos).
Then the `talosctl config new` command should be used to generate a new client configuration with the `os:admin` role.
Additional configurations and certificates for different roles can be generated by passing the `--roles` flag:

```sh
talosctl config new --roles=os:reader reader
```

That command creates a new client configuration file named `reader`, containing a new certificate with the `os:reader` role.

After that, RBAC should be enabled in the machine configuration:

```yaml
machine:
  features:
    rbac: true
```
