Access Control
Roles and permissions in the organization are displayed on the People page. If you are a project owner, you can create new roles or update existing ones from the access control panel.
- Roles
- Default roles
-
Create a new role
Project Owner - Permissions
Roles
Roles define a set of permissions given to a user or a group of user. They allow to determine the rights given to each user. Roles are project bound. This means that the same user may have a different role depending on the project. Roles defined on the project level are only available within that project.
Warning
Roles are a crucial element to consider when securing your resources. Roles must be attributed following a least privilege policy to avoid any unwarranted access.
Default roles
There are 4 default roles in a standard project: Guess, Developer, Manager and Project Owner. They are meant for the following use:
- Guest: The guest role allows a user to view the platform without having access to sensitive data or the ability to make any modifications.
- Developer: The “default” developer will be able to create workspaces based on admin-defined project rules.
- Manager: The manager has all the tech lead’s permissions.
- Project Owner: The project owner has all the manager’s permissions, in addition to accessing the project’s audit and manage the user’s security feature, such privilege elevation.
To each role is attached the set of permissions described below.
Refer to the permissions section for an explanation about each permission.
| Permission | Guest | Developer | Manager | Project Owner |
|---|---|---|---|---|
| Workspace Apps::Access | Yes | Yes | Yes | Yes |
| Workspace Apps::Manage | Yes | Yes | Yes | Yes |
| Workspaces::Access | Yes | Yes | Yes | Yes |
| Workspaces::Manage Personal | No | Yes | Yes | Yes |
| Workspaces::Manage Project | No | Yes | Yes | Yes |
| Resources::Access | Yes | Yes | Yes | Yes |
| Resources::Manage | No | Yes | Yes | Yes |
| Resources::Import | No | No | No | Yes |
| Resources::Regulated | No | Yes | Yes | Yes |
| Resources::Confidential | No | Yes | Yes | Yes |
| Security::Access | No | Yes | Yes | Yes |
| Security::Manage | No | No | No | Yes |
| Metrics::Access Personal | No | Yes | Yes | Yes |
| Metrics::Access Project | No | No | Yes | Yes |
| Members::Access | No | Yes | Yes | Yes |
| Members::Manage | No | No | Yes | Yes |
Create a new role Project Owner
By clicking on the button at the top left of the access control panel, you can create a new role. Select a name and the set of permissions that characterize the new role.
Warning
Granted permissions must follow a least privilege policy. Be careful when naming a role, a poorly chosen name can be misused and end up giving too much privilege to a user.
Permissions
Permissions describe the rights given to a user for a specific access.
Please find below the detail of each access mentioned above.
| Permissions | Description |
|---|---|
| Workspace Apps::No Access | The user cannot access apps running on the workspace. |
| Workspace Apps::Access | The user can access and view apps shared with the user by other users. |
| Workspace Apps::Manage | The user can open and close ports of workspaces. |
| Workspaces::No Access | User cannot access workspaces |
| Workspaces::Access | User can access workspaces assigned to her, but cannot edit properties or modify access control to resources, or delete her workspace. |
| Workspaces::Manage Personal | User can create personal workspaces (i.e. with admin pre-defined characteristics), manage access control to the project resources, and delete personal workspaces. |
| Workspaces::Manage Project | User can create custom workspaces and assign it to any user in the project. The user can edit or delete any workspaces in the project. |
| Resources::No Access | The user cannot access the Resources dashboard and see registered resources. |
| Resources::Access | The user can access the Resources dashboard and see registered resources, but cannot edit or delete them. |
| Resources::Manage | The user can access the Resources dashboard and see, edit and delete project repositories, secrets, external services and data buckets. |
| Resources::Import | The user can import new git repositories, container images and SAML connected apps, as well as manage all resources. |
| Resources::Regulated | The user can access resources registered as regulated, i.e. falling under some regulations |
| Resources::Confidential | The user can access resources registered as confidential such as intellectual property, etc. |
| Security::No Access | The user does not have access to security metrics. |
| Security::Access | The user has access to the Audit dashboard, define network policies (Resource Dashboard), but cannot add, edit or delete them. |
| Security::Manage | The user can add, edit and delete workspace images, registry credentials, network policies, generate platform API keys and update project settings. |
| Metrics::No Access | The user has no access to the Insights dashboard. |
| Metrics::Access Personal | The user has access to the Insights dashboard and see only personal metrics. |
| Metrics::Access Project | The user has access to the Insights dashboard and see both personal and project-level metrics. |
| Members::No Access | The user cannot see the project’s members (no People dashboard). |
| Members::Access | The user can see the project’s members in the People dashboard. |
| Members::Manage | The user can add and remove members to the project with the People dashboard. |