Role-Based Access Control
Overview of RBAC in CD-as-a-Service
CD-as-a-Service’s RBAC implementation provides you with the following features:
- System-defined roles for admins and machine-to-machine credentials
- Custom roles that you create to fit your company’s needs
- SSO groups to custom RBAC roles mapping
- Role-based deployment approval
Central to CD-as-a-Service’s RBAC implementation is a Role, which defines what a user can do within the platform. Each Role has a Grants collection that defines permissions.
You define your custom RBAC roles in a YAML file that has this structure:
```yaml
roles:
  - name: <role-name>
    tenant: <tenant-name>
    grants:
      - type: <type>
        resource: <resource>
        permission: <permission>
```
You can create an organization-wide role by omitting the roles.tenant field.
A Grant has type, resource, and permission attributes.
type has a single choice: api.
resource defines what area the Grant can access. It has the following values:
- tenant: When you use the tenant resource, the Grant allows access to the tenant that you specify in the roles.tenant field. You use tenant when you define a Tenant Admin role.
- deployment: This resource allows the role to deploy using the CLI and manage deployments in the Deployments UI. If you omit roles.tenant, the role has this Grant across your organization.
- organization: You use this resource when you need to create an Organization Admin role that maps to an SSO group. See SSO groups and RBAC roles for more on mapping SSO groups to RBAC roles.
permission has one option: full.
CD-as-a-Service provides the following system roles:
Organization Admin
- UI - full access to all screens and functionality
- CLI - full authority to execute all CLI commands
- CD-as-a-Service assigns this role to the person who creates a new CD-as-a-Service account (Organization).
- You can manually assign the Organization Admin role to every user you invite to your Organization, which removes the need to create custom RBAC roles.
Deployments Full Access
- This role grants full authority to trigger deployments.
- Assign this role to Client Credentials that you plan to use with CI tools like GitHub Actions.
Remote Network Agent
- This role grants a Remote Network Agent access to CD–as-a-Service.
- Assign this role to all Client Credentials you create to use with Remote Network Agents.
Custom role examples
Tenant Admin role
This example defines three Tenant Admin roles, one for each tenant. Each role has full authority within the specified tenant.
```yaml
roles:
  - name: Tenant Admin Main
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Tenant Admin Finance
    tenant: finance
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Tenant Admin Commerce
    tenant: commerce
    grants:
      - type: api
        resource: tenant
        permission: full
```
If you want to grant a user permission to manage all of your tenants, assign that user the Organization Admin role using the UI.
This example defines a role that grants permission to use the Deployments UI and start deployments using the CLI. The role is bound to the finance tenant.
```yaml
roles:
  - name: Deployer Finance
    tenant: finance
    grants:
      - type: api
        resource: deployment
        permission: full
```
This next example defines a role that grants permission to use the Deployments UI and start deployments using the CLI across your entire organization. Note that tenant is not defined, which makes this an organization-wide role.
```yaml
roles:
  - name: Deployer All Tenants
    grants:
      - type: api
        resource: deployment
        permission: full
```
After you define your roles, you use the CLI to add your roles to your CD-as-a-Service Organization. You do all subsequent role management with the CLI, but you assign roles to users using the UI.
All users must have at least one role in order to use CD-as-a-Service. You can assign the Organization Admin role or a custom role. If a user has login credentials but no role assigned, the user sees a blank Deployments screen after logging in.
A Client Credential must also have an RBAC role to access CD-as-a-Service functionality. See Create Client Credentials for how to assign a role to a Client Credential.
SSO groups and RBAC roles
There is no self-service function for integrating your SSO provider. Contact your Armory rep if you want to use SSO with CD-as-a-Service.
You must create your RBAC roles using the same names as your SSO groups. For example, your company has the following groups defined in its SSO provider:
- Engineering-Lead
- Engineering-Deployment
- Engineering-Infra
You want to use those groups in CD-as-a-Service, so you need to create roles for those SSO groups. In the following example, Engineering-Lead has a tenant-specific Tenant Admin role, Engineering-Deployment has a tenant-specific deployment role, and Engineering-Infra has the equivalent of an Organization Admin role.
```yaml
roles:
  - name: Engineering-Lead
    tenant: main
    grants:
      - type: api
        resource: tenant
        permission: full
  - name: Engineering-Deployment
    tenant: main
    grants:
      - type: api
        resource: deployment
        permission: full
  - name: Engineering-Infra
    grants:
      - type: api
        resource: organization
        permission: full
```
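The following linter is an added example, not Armory's code or CLI. It checks a parsed roles document against the constraints this page states for Grants (type api, resource tenant/deployment/organization, permission full, roles.tenant required for a tenant Grant and omitted for organization scope) and reports SSO groups that have no same-named role; it assumes the YAML has already been loaded into a dict (for example with yaml.safe_load), and the sample document is constructed from this page's examples plus one deliberately broken role.

```python
# Added example (not Armory's code): lint a parsed CD-as-a-Service RBAC
# roles document against the constraints stated on this page.
ALLOWED_TYPES = {"api"}
ALLOWED_RESOURCES = {"tenant", "deployment", "organization"}
ALLOWED_PERMISSIONS = {"full"}


def validate_roles(doc):
    """Return a list of findings; an empty list means the document is clean."""
    findings, seen = [], set()
    for i, role in enumerate(doc.get("roles") or []):
        name = role.get("name") or f"<role #{i}>"
        if name in seen:
            findings.append(f"{name}: duplicate role name")
        seen.add(name)
        tenant = role.get("tenant")
        grants = role.get("grants") or []
        if not grants:
            findings.append(f"{name}: role has no grants")
        for g in grants:
            if g.get("type") not in ALLOWED_TYPES:
                findings.append(f"{name}: unsupported grant type {g.get('type')!r}")
            res = g.get("resource")
            if res not in ALLOWED_RESOURCES:
                findings.append(f"{name}: unsupported resource {res!r}")
            if g.get("permission") not in ALLOWED_PERMISSIONS:
                findings.append(f"{name}: unsupported permission {g.get('permission')!r}")
            # A tenant Grant needs roles.tenant to name the tenant it applies to.
            if res == "tenant" and not tenant:
                findings.append(f"{name}: resource 'tenant' requires roles.tenant")
            # Organization scope is defined by omitting roles.tenant, so a
            # tenant on an organization Grant is contradictory.
            if res == "organization" and tenant:
                findings.append(f"{name}: resource 'organization' should not set roles.tenant")
    return findings


def unmapped_sso_groups(doc, sso_groups):
    """SSO groups without a same-named role map to no permissions at login."""
    names = {r.get("name") for r in doc.get("roles") or []}
    return sorted(set(sso_groups) - names)


# Constructed sample: parsed form of the SSO example plus one broken role.
SAMPLE = {"roles": [
    {"name": "Engineering-Lead", "tenant": "main",
     "grants": [{"type": "api", "resource": "tenant", "permission": "full"}]},
    {"name": "Engineering-Infra",
     "grants": [{"type": "api", "resource": "organization", "permission": "full"}]},
    {"name": "Broken", "grants": [{"type": "api", "resource": "tenant", "permission": "admin"}]},
]}
```

Running validate_roles(SAMPLE) reports the broken role's unsupported permission and missing roles.tenant, and unmapped_sso_groups(SAMPLE, ["Engineering-Lead", "Engineering-Deployment"]) returns the group that has no role yet.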
During authentication, CD-as-a-Service maps a user’s SSO groups to your defined RBAC roles.
- The SSO role does not appear in the UI. You cannot use CD-as-a-Service to assign an SSO role to a user.
- You cannot use CD-as-a-Service to inspect the SSO groups that a user belongs to.
- Role-Based Manual Approval
- Tasks: Create an RBAC Role, Update an RBAC Role, Delete an RBAC Role, Invite a User, Create Client Credentials
- Tutorial: Create and Manage RBAC Roles
- Troubleshoot Role-Based Access Control
Last modified February 2, 2023: (7aafd6e)