datum-cloud · kevwilliams · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 15, 2026
diff --git a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
@@ -2,10 +2,14 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: organization-creator
+  labels:
+    taxonomy.miloapis.com/role-category: service
   namespace: milo-system
   annotations:
     kubernetes.io/display-name: Organization Creator
     kubernetes.io/description: Allows creating new organizations
+    taxonomy.miloapis.com/product: Organization & Projects
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/apiextensions-reader.yaml b/config/roles/apiextensions-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: apiextensions-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: API Extensions Viewer
     kubernetes.io/description: View access to custom resource definitions
+    taxonomy.miloapis.com/product: "Platform Core"
+    taxonomy.miloapis.com/sort-order: "40"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/core-admin.yaml b/config/roles/core-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: core-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Core Admin
     kubernetes.io/description: Full access to core platform resources including secrets, configmaps, and namespaces
+    taxonomy.miloapis.com/product: "Platform Core"
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/core-editor.yaml b/config/roles/core-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: core-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Core Editor
     kubernetes.io/description: Edit access to core platform resources including secrets, configmaps, and namespaces
+    taxonomy.miloapis.com/product: "Platform Core"
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/core-reader.yaml b/config/roles/core-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: core-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Core Reader
     kubernetes.io/description: View access to core platform resources including secrets, configmaps, and namespaces
+    taxonomy.miloapis.com/product: "Platform Core"
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/iam-admin.yaml b/config/roles/iam-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: IAM Admin
     kubernetes.io/description: "Full access to all IAM resources"
+    taxonomy.miloapis.com/product: "Identity & Access Management"
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-editor.yaml b/config/roles/iam-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: IAM Editor
     kubernetes.io/description: "Edit IAM resources"
+    taxonomy.miloapis.com/product: "Identity & Access Management"
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-organization-admin.yaml b/config/roles/iam-organization-admin.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-organization-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: IAM Organization Admin
+    taxonomy.miloapis.com/product: "Identity & Access Management"
+    taxonomy.miloapis.com/sort-order: "10"
     kubernetes.io/description: "Full access to organization-scoped IAM resources"
 spec:
   launchStage: Beta

diff --git a/config/roles/iam-organization-editor.yaml b/config/roles/iam-organization-editor.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-organization-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: IAM Organization Editor
+    taxonomy.miloapis.com/product: "Identity & Access Management"
+    taxonomy.miloapis.com/sort-order: "20"
     kubernetes.io/description: "Edit organization-scoped IAM resources"
 spec:
   launchStage: Beta

diff --git a/config/roles/iam-organization-viewer.yaml b/config/roles/iam-organization-viewer.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-organization-viewer
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: IAM Organization Viewer
+    taxonomy.miloapis.com/product: "Identity & Access Management"
+    taxonomy.miloapis.com/sort-order: "30"
     kubernetes.io/description: "View organization-scoped IAM resources"
 spec:
   launchStage: Beta

diff --git a/config/roles/iam-platform-access-approvals-admin.yaml b/config/roles/iam-platform-access-approvals-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-access-approvals-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Access Approval Admin
     kubernetes.io/description: Full access to platform access approvals
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-platform-access-approvals-editor.yaml b/config/roles/iam-platform-access-approvals-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-access-approvals-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Access Approval Editor
     kubernetes.io/description: Create, update, and delete platform access approvals
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-platform-access-approvals-reader.yaml b/config/roles/iam-platform-access-approvals-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-access-approvals-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Access Approval Viewer
     kubernetes.io/description: View platform access approvals
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/iam-platform-access-rejections-admin.yaml b/config/roles/iam-platform-access-rejections-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-access-rejections-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Access Rejection Admin
     kubernetes.io/description: Full access to platform access rejections
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-platform-access-rejections-editor.yaml b/config/roles/iam-platform-access-rejections-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-access-rejections-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Access Rejection Editor
     kubernetes.io/description: Create, update, and delete platform access rejections
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-platform-access-rejections-reader.yaml b/config/roles/iam-platform-access-rejections-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-access-rejections-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Access Rejection Viewer
     kubernetes.io/description: View platform access rejections
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/iam-platform-invitations-admin.yaml b/config/roles/iam-platform-invitations-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-invitations-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Invitation Admin
     kubernetes.io/description: Full access to platform invitations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-platform-invitations-editor.yaml b/config/roles/iam-platform-invitations-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-invitations-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Invitation Editor
     kubernetes.io/description: Create, update, and delete platform invitations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-platform-invitations-reader.yaml b/config/roles/iam-platform-invitations-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-platform-invitations-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Platform Invitation Viewer
     kubernetes.io/description: View platform invitations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/iam-role-admin.yaml b/config/roles/iam-role-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: role-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Role Admin
     kubernetes.io/description: Full access to IAM roles
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-role-editor.yaml b/config/roles/iam-role-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: role-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Role Editor
     kubernetes.io/description: Create, update, and delete IAM roles
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-role-reader.yaml b/config/roles/iam-role-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: role-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: Role Viewer
     kubernetes.io/description: View IAM roles
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/iam-user-deactivations-admin.yaml b/config/roles/iam-user-deactivations-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-user-deactivations-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: User Deactivation Admin
     kubernetes.io/description: Full access to user deactivations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-user-deactivations-editor.yaml b/config/roles/iam-user-deactivations-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-user-deactivations-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: User Deactivation Editor
     kubernetes.io/description: Create, update, and delete user deactivations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-user-deactivations-reader.yaml b/config/roles/iam-user-deactivations-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-user-deactivations-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: User Deactivation Viewer
     kubernetes.io/description: View user deactivations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions:

diff --git a/config/roles/iam-user-invitations-admin.yaml b/config/roles/iam-user-invitations-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-user-invitations-admin
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: User Invitation Admin
     kubernetes.io/description: Full access to user invitations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "10"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-user-invitations-editor.yaml b/config/roles/iam-user-invitations-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-user-invitations-editor
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: User Invitation Editor
     kubernetes.io/description: Create, update, and delete user invitations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "20"
 spec:
   launchStage: Beta
   inheritedRoles:

diff --git a/config/roles/iam-user-invitations-reader.yaml b/config/roles/iam-user-invitations-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
   name: iam-user-invitations-reader
+  labels:
+    taxonomy.miloapis.com/role-category: service
   annotations:
     kubernetes.io/display-name: User Invitation Viewer
     kubernetes.io/description: View user invitations
+    taxonomy.miloapis.com/product: Identity & Access Management
+    taxonomy.miloapis.com/sort-order: "30"
 spec:
   launchStage: Beta
   includedPermissions: