Access Control

Roles and permissions in the organization are displayed on the People page. If you are a project owner, you can create new roles or update existing ones from the access control panel.

roles-permissions-light-cropped

Roles

Roles define a set of permissions given to a user or a group of user. They allow to determine the rights given to each user. Roles are project bound. This means that the same user may have a different role depending on the project. Roles defined on the project level are only available within that project.

roles-light-cropped

Warning

Roles are a crucial element to consider when securing your resources. Roles must be attributed following a least privilege policy to avoid any unwarranted access.

Default roles

There are 4 default roles in a standard project: Guess, Developer, Manager and Project Owner. They are meant for the following use:

  • Guest: The guest role allows a user to view the platform without having access to sensitive data or the ability to make any modifications.
  • Developer: The “default” developer will be able to create workspaces based on admin-defined project rules.
  • Manager: The manager has all the tech lead’s permissions.
  • Project Owner: The project owner has all the manager’s permissions, in addition to accessing the project’s audit and manage the user’s security feature, such privilege elevation.

To each role is attached the set of permissions described below.

Refer to the permissions section for an explanation about each permission.

Permission Guest Developer Manager Project Owner
Workspace Apps::Access Yes Yes Yes Yes
Workspace Apps::Manage Yes Yes Yes Yes
Workspaces::Access Yes Yes Yes Yes
Workspaces::Manage Personal No Yes Yes Yes
Workspaces::Manage Project No Yes Yes Yes
Resources::Access Yes Yes Yes Yes
Resources::Manage No Yes Yes Yes
Resources::Import No No No Yes
Resources::Regulated No Yes Yes Yes
Resources::Confidential No Yes Yes Yes
Security::Access No Yes Yes Yes
Security::Manage No No No Yes
Metrics::Access Personal No Yes Yes Yes
Metrics::Access Project No No Yes Yes
Members::Access No Yes Yes Yes
Members::Manage No No Yes Yes

Create a new role Project Owner

By clicking on the button at the top left of the access control panel, you can create a new role. Select a name and the set of permissions that characterize the new role.

Warning

Granted permissions must follow a least privilege policy. Be careful when naming a role, a poorly chosen name can be misused and end up giving too much privilege to a user.

Permissions

Permissions describe the rights given to a user for a specific access.

permissions-light-cropped

Please find below the detail of each access mentioned above.

Permissions Description
Workspace Apps::No Access The user cannot access apps running on the workspace.
Workspace Apps::Access The user can access and view apps shared with the user by other users.
Workspace Apps::Manage The user can open and close ports of workspaces.
Workspaces::No Access User cannot access workspaces
Workspaces::Access User can access workspaces assigned to her, but cannot edit properties or modify access control to resources, or delete her workspace.
Workspaces::Manage Personal User can create personal workspaces (i.e. with admin pre-defined characteristics), manage access control to the project resources, and delete personal workspaces.
Workspaces::Manage Project User can create custom workspaces and assign it to any user in the project. The user can edit or delete any workspaces in the project.
Resources::No Access The user cannot access the Resources dashboard and see registered resources.
Resources::Access The user can access the Resources dashboard and see registered resources, but cannot edit or delete them.
Resources::Manage The user can access the Resources dashboard and see, edit and delete project repositories, secrets, external services and data buckets.
Resources::Import The user can import new git repositories, container images and SAML connected apps, as well as manage all resources.
Resources::Regulated The user can access resources registered as regulated, i.e. falling under some regulations
Resources::Confidential The user can access resources registered as confidential such as intellectual property, etc.
Security::No Access The user does not have access to security metrics.
Security::Access The user has access to the Audit dashboard, define network policies (Resource Dashboard), but cannot add, edit or delete them.
Security::Manage The user can add, edit and delete workspace images, registry credentials, network policies, generate platform API keys and update project settings.
Metrics::No Access The user has no access to the Insights dashboard.
Metrics::Access Personal The user has access to the Insights dashboard and see only personal metrics.
Metrics::Access Project The user has access to the Insights dashboard and see both personal and project-level metrics.
Members::No Access The user cannot see the project’s members (no People dashboard).
Members::Access The user can see the project’s members in the People dashboard.
Members::Manage The user can add and remove members to the project with the People dashboard.
Access Control