# RunAsUser Permission

## What does it enable?

`runAsUser` permissions let you act on behalf of another user in DataOS. When you set it in a manifest, the resource is created and runs under that user's identity, so their permissions apply rather than yours. You are the one who applied it, but it runs as them.

When you apply a resource, DataOS tracks three identities separately:

* **owner** — who the resource belongs to
* **submitter** — who ran the apply command
* **runAsUser** — whose identity the resource executes under at runtime

These can all be different users. `runAsUser` only controls the runtime identity — it does not change who owns the resource or who submitted it.

{% hint style="info" %}
`runAsUser` is built on explicit consent. A team member grants you this use-case for their identity through Bifrost. Only an Operator can set up that grant.
{% endhint %}

Once a grant is in place, add `runAsUser` to your manifest:

{% code title="Manifest snippet" %}

```yaml
spec:
  runAsUser: johndoe
```

{% endcode %}

<details>

<summary>Show example</summary>

`iamgroot` needs to create a Minerva cluster, but does not have permission to access the depots it depends on. `johndoe`, who has that access, grants `iamgroot` the Run As User use-case.

`iamgroot` applies this manifest:

{% code title="Example manifest" %}

```yaml
name: minerva-cluster
version: v1alpha
type: minerva
spec:
  compute: universe-compute
  runAsUser: johndoe
  depots:
    - address: "dataos://johndoe-s3-depot?purpose=rw"
```

{% endcode %}

The cluster is created by `iamgroot` but runs under `johndoe`'s identity. `johndoe` does not need to apply anything themselves.

</details>

## When to use it?

Use `runAsUser` when you need to perform an action in DataOS — creating a resource, editing it, managing its access, or any other operation — but you don't have the permissions required to do it yourself. A team member who has those permissions can grant you the ability to act on their behalf.

This also applies when working with application users. A person user can set `runAsUser` to an application user's ID so that a workload resource — such as Nilus, Vulcan, or Minerva — runs under that application user's identity. This is the common pattern for workload resources that need to operate under a shared application identity rather than a personal one.

To grant or revoke RunAsUser permission, see [Grant permissions](/concepts/foundations/access-control-landscape/runasuser-permissions/grant-user-permissions.md).

## How to use it?

In DataOS, there are two types of users: person and application. `runAsUser` can be set to either type. Workload resources — such as Nilus, Vulcan, and Minerva — are generally expected to run under an application identity rather than a personal one.

Either way, the permission must be explicitly granted — it is never implicit.

* To create an application user, see [Create an application user](/concepts/foundations/access-control-landscape/runasuser-permissions/create-application-user.md).
* To grant permissions to a user and set up RunAsUser grants, see [Grant permissions](/concepts/foundations/access-control-landscape/runasuser-permissions/grant-user-permissions.md).
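The rules above (explicit grants, and application identities for workload resources) can be checked before a manifest is applied. The following is an added example, not DataOS code: the grant table, the user directory and the `nilus-app` application user are constructed assumptions standing in for what an Operator has configured in Bifrost, and the line-based field reader only handles simple manifests like the one on this page.

```python
import re

# Constructed stand-ins (assumptions) for state an Operator manages in Bifrost.
GRANTS = {("johndoe", "iamgroot"), ("nilus-app", "iamgroot")}  # (identity, grantee)
USER_TYPES = {"iamgroot": "person", "johndoe": "person", "nilus-app": "application"}
WORKLOAD_TYPES = {"nilus", "vulcan", "minerva"}  # workload resources named on this page

# The example manifest from this page.
MANIFEST = """\
name: minerva-cluster
version: v1alpha
type: minerva
spec:
  compute: universe-compute
  runAsUser: johndoe
  depots:
    - address: "dataos://johndoe-s3-depot?purpose=rw"
"""


def _field(text, key, indent=""):
    """Read one scalar `key: value` line; `indent` is a regex for leading space."""
    m = re.search(rf"^{indent}{key}:[ \t]*(\S+)", text, re.M)
    return m.group(1).strip("\"'") if m else None


def review(manifest_text, submitter):
    """Return findings for a manifest that `submitter` is about to apply."""
    rtype = _field(manifest_text, "type")
    run_as = _field(manifest_text, "runAsUser", r"[ \t]+")
    if run_as is None:
        return []  # no delegation requested, nothing to review here
    findings = []
    if run_as not in USER_TYPES:
        findings.append(f"unknown-user: {run_as}")
    elif rtype in WORKLOAD_TYPES and USER_TYPES[run_as] != "application":
        findings.append(f"person-identity: {rtype} workload runs as person user {run_as}")
    # Consent is explicit: the runtime identity must have granted the submitter.
    if run_as != submitter and (run_as, submitter) not in GRANTS:
        findings.append(f"no-grant: {submitter} has no Run As User grant from {run_as}")
    return findings


if __name__ == "__main__":
    for who in ("iamgroot", "alice"):  # "alice" is a constructed user with no grant
        print(who, review(MANIFEST, who))
```

The `person-identity` finding is advisory, since the page says workload resources are generally, not always, expected to run under an application identity; `no-grant` marks a manifest whose runtime identity has not consented to the submitter.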


