Merged
42 changes: 28 additions & 14 deletions docs/cloud/get-started/users.mdx
Expand Up @@ -200,12 +200,6 @@ For details, see the [tcld user delete](/cloud/tcld/user/#delete) command.
Temporal account-level roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs.
The following table provides the API details associated with each account-level role and Namespace-level permission.

:::note

Account Owners and Global Admins have Namespace Admin permissions on all Namespaces.

:::

#### Account-level role details

This table provides API-level details for the permissions granted to a user through account-level roles. These permissions are configured per user.
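Review bot: With the `:::note` gone from the shared introduction, the "Account-level role details" section that follows no longer says anywhere that Account Owners and Global Admins carry Namespace Admin on every Namespace, even though those are the two account-level roles the statement is about. A reader auditing what an account-level role grants will stop at this table. Consider keeping a one-line pointer here, or under the account-level table, that sends them to the Namespace-level section for the inherited permission.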
Expand Down Expand Up @@ -281,13 +275,19 @@ This table provides API-level details for the permissions granted to a user thro
This table provides API-level details for the permissions granted to a user through Namespace-level permissions.
These permissions are configured per Namespace per user.

:::note

Account Owners and Global Admins inherit Namespace Admin permissions on all Namespaces.

:::

| Permission | Read | Write | Namespace Admin |
| ---------------------------------- | ---- | ----- | --------------- |
| CountWorkflowExecutions | ✔ | ✔ | ✔ |
| CreateExportSink | | | ✔ |
| CreateExportSink | | | ✔ |
| CreateSchedule | | ✔ | ✔ |
| DeleteExportSink | | | ✔ |
| DeleteNamespace | | | ✔ |
| DeleteExportSink | | | ✔ |
| DeleteNamespace | | | ✔ |
| DeleteSchedule | | ✔ | ✔ |
| DescribeBatchOperation | ✔ | ✔ | ✔ |
| DescribeNamespace | ✔ | ✔ | ✔ |
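Review bot: The rewritten rows for `CreateExportSink`, `DeleteExportSink` and `DeleteNamespace` carry the same cells as the rows they replace, so as far as these lines show the change is alignment only. Because a check mark that slips one column in this table changes who is documented as allowed to delete a Namespace, please confirm in the rendered page that each mark still sits under Namespace Admin. On the added note: it follows directly after "These permissions are configured per Namespace per user", which inherited access contradicts for Account Owners and Global Admins, so it would read more clearly if the note said that this access applies without a per-Namespace assignment.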
Expand Down Expand Up @@ -323,7 +323,7 @@ These permissions are configured per Namespace per user.
| QueryWorkflow | ✔ | ✔ | ✔ |
| RecordActivityTaskHeartbeat | | ✔ | ✔ |
| RecordActivityTaskHeartbeatById | | ✔ | ✔ |
| RenameCustomSearchAttribute | | | ✔ |
| RenameCustomSearchAttribute | | | ✔ |
| RequestCancelWorkflowExecution | | ✔ | ✔ |
| ResetStickyTaskQueue | | ✔ | ✔ |
| ResetWorkflowExecution | | ✔ | ✔ |
Expand All @@ -343,14 +343,28 @@ These permissions are configured per Namespace per user.
| StartWorkflowExecution | | ✔ | ✔ |
| StopBatchOperation | | ✔ | ✔ |
| TerminateWorkflowExecution | | ✔ | ✔ |
| UpdateExportSink | | | ✔ |
| UpdateNamespace | | | ✔ |
| UpdateExportSink | | | ✔ |
| UpdateNamespace | | | ✔ |
| UpdateSchedule | | ✔ | ✔ |
| UpdateSearchAttributes | | | ✔ |
| UpdateUserNamespacePermissions | | | ✔ |
| ValidateExportSink | | | ✔ |
| ValidateExportSink | | | ✔ |
| ValidateGlobalizeNamespace | | | ✔ |

Account Owners and Global Admins will have Namespace Admin permissions on Namespaces.
:::note UpdateNamespace settings

`UpdateNamespace` requires Namespace Admin permission and covers these settings:
- [Retention period](/temporal-service/temporal-server#retention-period)
- [API key auth](/cloud/api-keys#namespace-authentication)
- [mTLS certificates](/cloud/certificates)
- [Certificate filters](/cloud/certificates#manage-certificate-filters)
- [Codec server](/production-deployment/data-encryption)
- [Connectivity rules](/cloud/connectivity)
- [Custom Search Attributes](/search-attribute#custom-search-attribute)
- [Provisioned capacity (TRUs)](/cloud/capacity-modes#provisioned-capacity)
- [High Availability](/cloud/high-availability)

:::

## How to troubleshoot account access issues {#troubleshoot-access}
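Review bot: The new `UpdateNamespace settings` note lists Custom Search Attributes as covered by `UpdateNamespace`, but the table in this same section has separate `UpdateSearchAttributes` and `RenameCustomSearchAttribute` rows, so it is unclear which API actually gates search attribute changes. Please say how the three relate or drop the bullet if the dedicated rows already cover it. The list also puts authentication settings (API key auth, mTLS certificates, certificate filters) alongside retention and capacity; a sentence stating that Namespace Admin therefore controls how clients authenticate to the Namespace would help anyone deciding whom to grant it to. As a style point, add a blank line between the sentence ending "covers these settings:" and the first bullet so the list renders consistently inside the admonition.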
