Access Management
Access Management within StackGuardian Orchestrator allows administrators to control user access levels within the organization. The interface provides options to assign roles to users or groups, define custom roles, and manage login methods.
Role-Based Access Control (RBAC)
RBAC is a method of regulating access to resources based on the roles of individual users within an enterprise. In StackGuardian, RBAC allows for granular control over the actions that users and groups can perform, which is crucial for large organizations with complex access control requirements.
Use Case
Consider a scenario in a large organization where different teams need different levels of access to workflows, Connectors, and policies. With StackGuardian RBAC, you can create a role named DevOps that has permissions to Create, Update, and Delete workflows, but only Read access to secrets.
Add Users and Assign Roles
Navigate to Orchestrator > Organization settings tab on the left.
To add a new user to your organization, follow these steps:
- In the "Add User or Group" section, enter the email ID or AD group. For example, newuser@example.com.
- Assign a Role from the dropdown that reflects the user's function within the organization.
- Select the Login Method, which can be a direct login or Single Sign-On (SSO), depending on your setup.
- Click on the Add button to finalize the addition of the new user.
After adding, the user will appear in the list above, where you can modify their access or remove them as needed.
Predefined Roles
Role | Description | Permissions & Descriptions |
---|---|---|
ADMIN (Administrator) | Full access to all settings and features across the platform. | All permissions including management and configuration of all aspects. |
READ_ONLY (Read Only) | View access to all organizational settings and configurations, without the ability to modify anything. | Only view access to settings, no modifications allowed. |
DEV (Developer) | Focused on development activities. | - Create, view, and manage organization settings. - Generate and view reports. - Manage secrets and policies. - View and manage workflows within workflow groups. - Manage Connector groups and Connectors. - Execute, view, and manage workflows and their runs. - Handle stack configurations and operations. |
SEC (Security Specialist) | Specialized in security with access tailored to manage security settings and sensitive data. | - Create and manage organization reports. - Manage secrets and policies. - View workflows and their outputs. - Authenticate and manage Connector settings. - Limited management of workflow configurations. - Oversee security aspects of stack operations. |
OPS (Operations Specialist) | Geared towards operations management. | - Manage organization settings and secrets. - Create, update, and delete policies. - Full management of workflow groups, workflows, and their runs. - Manage Connector groups and Connectors. - Handle operational aspects of workflow configurations. - Supervise and operate stacks and stack runs. |
Custom Roles | Customizable roles to fit specific organizational needs, with permissions assigned as needed. | Custom permissions based on organizational requirements. |
You can create custom roles to fit unique requirements of your organization in the "Define Role" tab.
Custom Roles
In the StackGuardian Orchestrator, defining roles is crucial for managing and customizing access levels across your organization. The Define Roles tab allows you to create roles that cater to specific responsibilities and access requirements within your organization. Open the role you created to configure it further.
Permissions Overview
Tailor permissions to meet the specific needs of roles, team members, and access levels for efficient access control. Below is an outline of the permission categories:
- Workflows & Stacks Permissions: Manage user interactions with Workflow Groups, Workflows, and Stacks. This could range from viewing lists to creating, updating, or deleting workflows and stacks.
- Connectors Permissions: Control access to Connectors, Connector Groups.
- Policy & Secrets Permissions: Manage permissions related to Templates, enabling users to access, update, or create new templates.
- Template Library Permissions: Manage permissions related to Templates, enabling users to access, update, or create new templates.
- Roles & Others Permissions: Provide or restrict access to additional administrative functions like Role management, API Token generation, viewing Audit logs, and generating Organization Reports.
For example, an Admin Role can be set up by selecting All permissions under each category. This provides unrestricted access, suitable for administrative users who require full control over the platform.
Assign Permissions
To set up a role for a DevOps team member and assign its permissions, follow the steps below:
Step 1: Add Permissions
- In the Admin Portal, access the newly established DevOps role.
- Navigate to Workflows & Stacks Permissions.
- Click "Add Permission (Preview)" and proceed with the following steps:
Use the dropdown menu to view and assign permissions. You can either assign all permissions for admin access or selectively choose specific permissions. Start with the foundational permissions such as Get Workflow.
Permission | Description |
---|---|
Get Workflow | View the list of workflows within workflow groups. |
Create Workflow | Create new workflows within any workflow group. |
Update Workflow | Edit existing workflows in any workflow group. |
Delete Workflow | Remove workflows from any workflow group. |
List Workflow Artifacts | Access a list of artifacts related to workflows. |
Get Workflow Outputs | View outputs generated by workflows. |
Get Workflow Run | Access details of workflow execution runs. |
Run Workflow | Execute workflows within a group. |
Cancel Workflow Run | Cancel running workflows if needed. |
Get Workflow Run Logs | Retrieve logs for workflow execution runs. |
Resume Workflow Run | Resume paused or stopped workflow executions. |
Get Workflow Runfact | Fetch run-related facts for workflows. |
Get Stack | View details of stacks in the organization. |
Create Stack | Add new stacks for managing infrastructure. |
Delete Stack | Remove stacks as required. |
Run Stack | Execute stacks for deployment or configuration. |
Get Stack Run | Access details about stack runs. |
Get Stack Outputs | View outputs generated by stack runs. |
Get Stack Workflow | Access workflows associated with a stack. |
Update Stack Workflow | Edit workflows tied to specific stacks. |
Delete Stack Workflow | Remove workflows from stacks. |
Get Stack Workflow Outputs | View outputs from stack-related workflows. |
List Stack Workflow Artifacts | List artifacts related to stack workflows. |
Get Stack Workflow Run | View details of stack workflow runs. |
Get Stack Workflow Runfact | Fetch facts for stack workflow runs. |
Resume Stack Workflow Run | Resume paused stack workflow executions. |
Get Stack Workflow Run Logs | Retrieve logs for stack workflow execution runs. |
Step 2: Assign Paths
- After assigning permissions, move to Assigned Paths to add nested resources.
- Use the dropdown to select workflow groups, stacks and workflows created under your organization.
- Once done, click "Add (Preview)".
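The two steps above pair a set of permissions with the paths they apply to. The following is an added example, not StackGuardian code or its API: a small deny-by-default model of that pairing, useful for reasoning about what a custom role actually grants before assigning it. Permission names are taken from the table above; the `Grant` structure, the path strings and the nested-path matching rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Permission names come from the table above. The path strings and the
# matching rule (an assigned path covers itself and resources nested under
# it) are assumptions for this illustration, not StackGuardian's format.

@dataclass(frozen=True)
class Grant:
    permissions: frozenset  # permissions added in Step 1
    paths: tuple            # assigned paths added in Step 2

def covers(assigned: str, resource: str) -> bool:
    """True if resource is the assigned path or nested under it.

    Matching on a path-segment boundary keeps '/workflow-groups/dev' from
    also covering '/workflow-groups/dev-archive'.
    """
    base = assigned.rstrip("/")
    return resource == base or resource.startswith(base + "/")

def is_allowed(grants, permission: str, resource: str) -> bool:
    """Deny by default: one grant must hold both the permission and the path."""
    return any(
        permission in g.permissions and any(covers(p, resource) for p in g.paths)
        for g in grants
    )

MUTATING_VERBS = {"Create", "Update", "Delete", "Run", "Cancel", "Resume"}

def mutating_permissions(grants):
    """Permissions that change state, listed for a least-privilege review."""
    found = {p for g in grants for p in g.permissions}
    return sorted(p for p in found if p.split()[0] in MUTATING_VERBS)

# Constructed DevOps role: full workflow management in dev, read-only in prod.
DEVOPS = [
    Grant(frozenset({"Get Workflow", "Create Workflow", "Update Workflow",
                     "Delete Workflow", "Get Workflow Run Logs"}),
          ("/workflow-groups/dev",)),
    Grant(frozenset({"Get Workflow", "Get Workflow Run", "Get Workflow Run Logs"}),
          ("/workflow-groups/prod",)),
]

if __name__ == "__main__":
    for perm, res in [("Delete Workflow", "/workflow-groups/dev/workflows/build"),
                      ("Delete Workflow", "/workflow-groups/prod/workflows/deploy"),
                      ("Get Workflow", "/workflow-groups/dev-archive/workflows/x")]:
        print(perm, res, is_allowed(DEVOPS, perm, res))
    print(mutating_permissions(DEVOPS))
```

The list returned by `mutating_permissions` is the part of a role worth reviewing first, since those entries are the ones that can change or remove resources on the assigned paths.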
Delete Permission
To remove assigned permissions, follow these steps:
- Navigate to the permission list.
- Use Options > Delete to remove permissions individually or collectively.
Assigning a Custom Role
After creating a custom role, it becomes available under the "Assign role" tab. To assign this role:
- Navigate to the Assign Role tab.
- Select the User/Group name to whom you want to assign the permissions.
- From the Assign Role dropdown, search for and select the name of the custom role created (e.g., _custom_role_).