
# Grant permissions

## How to set up a user's permissions?

Before anyone can use an application user's identity, the application user must hold the right permissions. What those permissions are depends entirely on why the application user was created and what the people using it will need to do.

These steps are not specific to application users — the same process applies when granting permissions to any user in DataOS.

{% hint style="info" %}
Only an Operator can grant runAsUser permissions in DataOS.
{% endhint %}

{% stepper %}
{% step %}

#### Add a role

In the user's profile in Bifrost, go to the **Tags** tab and click **Add Role**. Select the appropriate role for the tenant.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/A87TC7PVsp0sa2YV3eg9" alt="Add Role modal with Engineering Data Developer role selected"><figcaption><p>Assigning a role to the user</p></figcaption></figure>

</details>
{% endstep %}

{% step %}

#### Confirm the role tag

Once added, the role tag appears alongside the identity tag in the user's Tags tab.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/TCc2qTGY0tUVHMWWaiNH" alt="Tags tab showing both the role tag and identity tag"><figcaption><p>Role assigned — the user now has an authorization boundary in the tenant</p></figcaption></figure>

</details>
{% endstep %}

{% step %}

#### Grant additional use-cases if needed

If the assigned role does not already cover all the access needed, additional use-cases can be granted from the **Grants** tab.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/wleJ92GSgpImStFcfezw" alt="Grants tab before any use-cases are assigned"><figcaption><p>Grants tab — grant additional use-cases here if required</p></figcaption></figure>

</details>
{% endstep %}
{% endstepper %}

## How to grant RunAsUser to a user?

Once the application user has the right permissions in place, the Operator grants the Run As User use-case to anyone who needs to act under that identity. This allows them to set `runAsUser` in a manifest and act under the application user's identity.

The grant is made on the **application user's profile** — not the grantee's. The Operator specifies the grantee's user ID as the subject of the grant.

{% stepper %}
{% step %}

#### Open the application user's Grants tab

From the DataOS home, go to **Bifrost** and open the **Users** tab. Open the application user's profile and go to the **Grants** tab.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/ASUdMVx9LzTpol70SjCB" alt="Application user&#x27;s Grants tab in Bifrost"><figcaption></figcaption></figure>

</details>
{% endstep %}

{% step %}

#### Start the grant

Click **Grant Use-Case**.
{% endstep %}

{% step %}

#### Select the Run As User use-case

In the use-case search field, type **run as** and select **Run As User – run as a user in the DataOS, when applying runnable resources**.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/Mb4satEMJEYytiwZAUTy" alt="Grant Use-Case dialog with Run As User selected"><figcaption></figcaption></figure>

</details>
{% endstep %}

{% step %}

#### Enter the grantee user ID

In the `userId` field, enter the user ID of the person who will be allowed to run as this application user.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/ghu4ebXhOfL6Kc0RkHov" alt="Grant form showing the userId field"><figcaption></figcaption></figure>

</details>
{% endstep %}

{% step %}

#### Grant the use-case

Click **Grant**.

The grant appears in the application user's Grants tab. The grantee can now set `runAsUser` to the application user's ID in any manifest.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/HroqNnKzLNnaH7A8JC72" alt="Grants tab showing the new Run As User grant"><figcaption></figcaption></figure>

</details>
{% endstep %}
{% endstepper %}

Once granted, the grantee sets `runAsUser` to the application user's ID in their manifest:

```yaml
spec:
  runAsUser: dpdeveloper
```

The resource runs under the application user's identity and inherits its permissions — without any user needing individual grants.

## How to revoke RunAsUser from a user?

To revoke a previously granted Run As User permission, the Operator follows these steps:

{% stepper %}
{% step %}

#### Open the existing grant

Go to the **application user's** Grants tab on Bifrost and click on the `run-as-user` entry.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/ziSEZiXWu9Y1jlKbEXTl" alt="Grants tab showing the run-as-user entry"><figcaption></figcaption></figure>

</details>
{% endstep %}

{% step %}

#### Remove the subject

In the grant detail, click the delete icon next to the subject tag.
{% endstep %}

{% step %}

#### Confirm the deletion

Confirm the deletion by clicking **OK**.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/09jVs7GtLB1BC3cFdpOq" alt="Confirmation dialog for removing the subject"><figcaption></figcaption></figure>

</details>

The grant is removed and the grantee no longer appears in the application user's Grants list.

<details>

<summary>Show screenshot</summary>

<figure><img src="/files/Dz5b3hGZuaXSXWVJ1dzF" alt="Grants list after the subject is removed"><figcaption></figcaption></figure>

</details>
{% endstep %}
{% endstepper %}

> After revocation, any resource that uses `runAsUser` with that user's ID will fail at runtime.

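Because revocation breaks resources at runtime, it helps to find the manifests that reference the application user before removing the grant. The following Python check is an added example, not part of the DataOS documentation or tooling: it scans manifest text for documents whose `spec.runAsUser` equals a given ID. The sample manifests, the `name` key and the function names are constructed assumptions, and the minimal parser handles only simple block-style YAML. A manifest does not record who applied it, so the output is a review list, not a list of the grantee's resources.

```python
import re

# Constructed sample manifests: only spec.runAsUser comes from the page;
# the `name` key and all values are illustrative assumptions.
SAMPLE_MANIFESTS = {
    "multi.yaml": """name: report-a
spec:
  runAsUser: "dpdeveloper"   # quoted value plus trailing comment
---
name: report-b
spec:
  runAsUser: analyst01
""",
    "nested.yaml": """name: no-impersonation
spec:
  env:
    runAsUser: dpdeveloper   # nested deeper, so not spec.runAsUser
""",
}

KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):\s*(.*)$")

def run_as_users(text):
    """Yield (doc_index, name, user) per YAML document that sets spec.runAsUser."""
    for idx, doc in enumerate(re.split(r"^---[ \t]*$", text, flags=re.M)):
        name = user = child_indent = None
        in_spec = False
        for line in doc.splitlines():
            m = KEY_RE.match(line)
            if not m:
                continue  # blank lines, comment lines, list items
            indent, key = len(m.group(1)), m.group(2)
            value = m.group(3).split(" #")[0].strip().strip("'\"")
            if indent == 0:
                # A new top-level key starts or ends the spec block.
                in_spec, child_indent = key == "spec", None
                if key == "name":
                    name = value
            elif in_spec:
                # The first indented key fixes the depth of spec's direct children.
                child_indent = indent if child_indent is None else child_indent
                if indent == child_indent and key == "runAsUser":
                    user = value
        if user:
            yield (idx, name, user)

def impacted(manifests, app_user):
    """List (file, doc_index, name) of manifest documents that run as app_user."""
    return sorted((f, i, n) for f, text in manifests.items()
                  for i, n, u in run_as_users(text) if u == app_user)
```

Calling `impacted(SAMPLE_MANIFESTS, "dpdeveloper")` reports only the first document of `multi.yaml`; the deeper `runAsUser` key in `nested.yaml` is ignored because it is not a direct child of `spec`.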
