Role-Based Access Control
Overview of RBAC in CD-as-a-Service
```mermaid
classDiagram
    class Role {
        +String name
        +Tenant tenant
        +List<Grant> grants
    }
    class Grant {
        +GrantType type
        +String resource
        +List<Permission> permissions
    }
    class GrantType {
        <<enumeration>>
        api
    }
    class Permission {
        <<enumeration>>
        full
    }
    class User {
        +List<Role> roles
    }
    class M2MCredential {
        +List<Role> roles
    }
    class Tenant {
        +String name
    }
    Role "1" --> "*" Grant
    Grant "1" --> "*" Permission
    Grant "1" --> "1" GrantType
    Role "1" --> "1" Tenant
    User "1" --> "*" Role
    M2MCredential "1" --> "*" Role
```
Central to CD-as-a-Service’s RBAC implementation is a Role, which defines what a user can do within the platform. Each Role has a Grants collection that defines permissions.
You define your custom RBAC roles in a YAML file that has this structure:
```yaml
roles:
  - name: <role-name>
    tenant: <tenant-name>
    grants:
      - type: <type>
        resource: <resource>
        permission: <permission>
```
You can create an organization-wide role by omitting the tenant definition.
Grants
A Grant has type, resource, and permission attributes.
- `type`: has a single choice, `api`.
- `resource`: defines what area the Grant can access. It has the following values:
  - `tenant`: When you use `tenant` as the `resource`, the Grant allows access to the tenant that you specify in the `roles.tenant` field. You use `tenant` when you define a Tenant Admin role.
  - `deployment`: This resource allows the role to deploy using the CLI and manage deployments in the Deployments UI. If you omit `roles.tenant`, the role has this Grant across your organization.
  - `organization`: You use this resource when you need to create an Organization Admin role that maps to an SSO group. See SSO groups and RBAC roles for more on mapping SSO groups to RBAC roles.
- `permission`: has one option, `full`.
System roles
CD-as-a-Service provides the following system roles:
- Organization Admin
  - Grants:
    - UI - full access to all screens and functionality
    - CLI - full authority to execute all CLI commands
  - Assignment:
    - CD-as-a-Service assigns this role to the person who creates a new CD-as-a-Service account (Organization).
    - You can manually assign the Organization Admin role to all users you invite to your Organization, thus bypassing the need to create custom RBAC roles.
- Deployments Full Access
  - Grants:
    - This role grants full authority to trigger deployments.
  - Assignment:
    - Assign this role to Client Credentials that you plan to use with CI tools like GitHub Actions.
- Remote Network Agent
  - Grants:
    - This role grants a Remote Network Agent access to CD-as-a-Service.
  - Assignment:
    - Assign this role to all Client Credentials you create to use with Remote Network Agents.
Custom role examples
Tenant Admin role
This example defines three Tenant Admin roles, one for each tenant. Each role has full authority within the specified tenant.
```yaml
roles:
  - name: Tenant Admin Main
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Tenant Admin Finance
    tenant: finance
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Tenant Admin Commerce
    tenant: commerce
    grants:
      - type: api
        resource: tenant
        permission: full
```
If you want to grant a user permission to manage all of your tenants, assign that user the Organization Admin role using the UI.
Deployment roles
This example defines a role that grants permission to use the Deployments UI and start deployments using the CLI. The role is bound to the `finance` tenant.
```yaml
roles:
  - name: Deployer Finance
    tenant: finance
    grants:
      - type: api
        resource: deployment
        permission: full
```
This next example defines a role that grants permission to use the Deployments UI and start deployments using the CLI across your entire organization. Note that `tenant` is not defined, which makes this an organization-wide role.
```yaml
roles:
  - name: Deployer All Tenants
    grants:
      - type: api
        resource: deployment
        permission: full
```
Assign roles
After you define your roles, you use the CLI to add your roles to your CD-as-a-Service Organization. You do all subsequent role management with the CLI, but you assign roles to users using the UI.
All users must have at least one role in order to use CD-as-a-Service. You can assign the Organization Admin role or a custom role. If a user has login credentials but no role assigned, the user sees a blank Deployments screen after logging in.
A Client Credential must also have an RBAC role to access CD-as-a-Service functionality. See Create Client Credentials for how to assign a role to a Client Credential.
SSO groups and RBAC roles
There is no self-service function for integrating your SSO provider. Contact your Armory rep if you want to use SSO with CD-as-a-Service.
You must create your RBAC roles using the same names as your SSO groups. For example, suppose your company has the following groups defined in its SSO provider:
- Engineering-Lead
- Engineering-Deployment
- Engineering-Infra
You want to use those groups in CD-as-a-Service, so you need to create roles for those SSO groups. In the following example, `Engineering-Lead` has a tenant-specific Tenant Admin role, `Engineering-Deployment` has a tenant-specific deployment role, and `Engineering-Infra` has the equivalent of an Organization Admin role.
```yaml
roles:
  - name: Engineering-Lead
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Engineering-Deployment
    tenant: main
    grants:
      - type: api
        resource: deployment
        permission: full
  - name: Engineering-Infra
    grants:
      - type: api
        resource: organization
        permission: full
```
During authentication, CD-as-a-Service maps a user’s SSO groups to your defined RBAC roles.
Caution
- The SSO role does not appear in the UI. You cannot use CD-as-a-Service to assign an SSO role to a user.
- You cannot use CD-as-a-Service to inspect the SSO groups that a user belongs to.
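Because role names must match SSO group names exactly and a missing match silently leaves a group with no access, a pre-rollout check of the roles file is worth having. The following added example (not Armory's code) validates a roles definition against the Grant attributes documented above and reports SSO groups that have no matching role, plus the organization-wide roles that deserve extra review. It assumes the YAML file has already been loaded (for example with `yaml.safe_load`) into the list-of-dicts structure constructed inline; `Engineering-Broken` and `Engineering-QA` are constructed inputs that are not on this page.

```python
# Added example, not Armory's code. Allowed values as documented on this page.
GRANT_TYPES = {"api"}
RESOURCES = {"tenant", "deployment", "organization"}
PERMISSIONS = {"full"}

# Constructed input: the SSO-groups example from this page as yaml.safe_load would
# return it, plus one deliberately malformed role (Engineering-Broken) to show a catch.
ROLES = [
    {"name": "Engineering-Lead", "tenant": "main",
     "grants": [{"type": "api", "resource": "tenant", "permission": "full"}]},
    {"name": "Engineering-Deployment", "tenant": "main",
     "grants": [{"type": "api", "resource": "deployment", "permission": "full"}]},
    {"name": "Engineering-Infra",
     "grants": [{"type": "api", "resource": "organization", "permission": "full"}]},
    {"name": "Engineering-Broken",  # tenant resource but no roles.tenant field
     "grants": [{"type": "api", "resource": "tenant", "permission": "full"}]},
]
# Constructed list of groups from the SSO provider; Engineering-QA has no role.
SSO_GROUPS = ["Engineering-Lead", "Engineering-Deployment",
              "Engineering-Infra", "Engineering-QA"]


def validate_roles(roles):
    """Return a list of problems; an empty list means the definition is well-formed."""
    problems, seen = [], set()
    for role in roles:
        name = role.get("name")
        if not name:
            problems.append("role without a name")
            continue
        if name in seen:
            problems.append(f"{name}: duplicate role name")
        seen.add(name)
        if not role.get("grants"):
            problems.append(f"{name}: no grants")
        for grant in role.get("grants", []):
            for field, allowed in (("type", GRANT_TYPES), ("resource", RESOURCES),
                                   ("permission", PERMISSIONS)):
                if grant.get(field) not in allowed:
                    problems.append(f"{name}: unknown {field} {grant.get(field)!r}")
            # A tenant grant applies to the tenant named in roles.tenant, so it needs one.
            if grant.get("resource") == "tenant" and not role.get("tenant"):
                problems.append(f"{name}: resource 'tenant' requires a tenant field")
    return problems


def unmatched_sso_groups(roles, sso_groups):
    """SSO groups with no role of the same name map to nothing: members get no access."""
    names = {r.get("name") for r in roles}
    return [g for g in sso_groups if g not in names]


def org_wide_roles(roles):
    """Roles without a tenant apply across the whole Organization; review these closely."""
    return [r["name"] for r in roles if not r.get("tenant")]
```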
What’s next
- Tasks: Create an RBAC Role, Update an RBAC Role, Delete an RBAC Role, Invite a User, Create Client Credentials
- Tutorial: Create and Manage RBAC Roles
- Troubleshoot Role-Based Access Control
Last modified November 9, 2022: (e11a60fd)